SourceClear Diary of a Startup (Week 0)
As regular readers of this blog know, I am doing a software startup. This has been brewing for several years, and while I have been working behind the scenes, holed up in my holiday house for the last five months, next week we officially start in earnest when Alex Smolen starts full-time and we commence building our prototype. We have assembled a team of experienced advisors who are all serial entrepreneurs, have a compelling idea to change the information security world and are passionate about what we are creating.
As a way of capturing the experience I have decided to blog weekly entries about the trials and tribulations, the highs and lows and the general experience of creating a startup. We don’t claim to have all the answers and we know we have a great deal to learn along the way, but we will commit to sharing our experience through this blog. One thing I do know for sure is it will be fascinating reading for any entrepreneurs, software developers, security folks and anyone who has dreamed of creating a technology startup for themselves.
I am under no illusion that this will be smooth sailing; in fact we are prepared for a tornado. While I have been involved in a few successful startups before (ISS and Foundstone), this is the first I have been involved with since the beginning. As a founder self-funding the first year, my life is both “on the line” and, through this Diary of a Startup, will be online. In a bacon and egg breakfast the chicken was involved and the pig was committed. I am committed! My hope of course is that people will want to follow what we are doing with interest, pull for us, cheer for us, help us, advise us and of course see directly into the heart of the company. Through feedback we WILL adapt; that is a promise. Of course the bottom line is we are doing this so people can see who we are, what we are doing, how we are doing it and will want to buy our products. I hope you write about us, link to us and support us. The posts will appear with the title SourceClear Diary of a Startup – (Week 1, 2, 3…52 etc.) and I have created several new tags so that readers interested in specific topics can easily find content (StartUpBootstrapping, StartUpFunding, StartUpOperations, StartUpTechnology, StartUpEngineering, StartUpMarketing, StartUpSales).
So what’s the big idea you ask? Let me tell you my information security life story and explain how I have come to the conclusion that the future of information security is about Connecting People, Process and Technology.
After enjoying life too much in my teens and early twenties I returned to university in England and stumbled across information security as an engineering student who became the go-to guy who could figure out how to unprotect protected software. I was fortunate enough to then talk my way into the Information Security Masters degree at Royal Holloway, University of London, studying under the likes of Fred Piper and Dieter Gollman and my good friend Andreas Fuchsberger. My passion was truly ignited and to all at Royal Holloway I am truly indebted. I was far from the smartest academically, but when mind and opportunity meet something special kicks in. I spent several years in the City of London working at various investment banks including ING, Dresdner and the European Bank for Reconstruction and Development. I got to experience at first hand how some of the world’s biggest companies were embracing technology to advance their business and how security people were grappling to understand the role of security in the big picture. I experienced policy “twinks” who believed that if they wrote a fat set of policy documents, enlightened people would come out of the woodwork or protagonists would be forced to read and comply. I experienced frustrated technicians playing with firewalls and intrusion detection systems with no thought to the business objectives and business value they would afford. I saw the next best thing come into favor and then whimper away like another unfulfilled dream. I have continued to witness that same trend over the last decade. I witnessed an options trader literally pick up his PC on the trading floor and throw it in the trash, frustrated at having to use a complex password. I helped an FX trading team bypass an archaic batch file transfer system and move to a real-time secure Internet Relay Chat to trade massive amounts of currency on a daily basis.
I was recruited by Internet Security Systems in 1999 and, after a brief stint in London, moved to Atlanta with my new wife to run a small professional services team. ISS was a great time. I got to live inside the tornado of a rapidly growing, successful company and got to work with some great companies solving challenging problems. I also got my first taste for stock options! When my wife became pregnant we decided the South was not for us and I took a job as the Director for Information Security at Charles Schwab in San Francisco. I found myself responsible for software security in an organization that pioneered online trading and had 3,500 developers all around the world. In my first week on the job we made the front page of the Wall Street Journal for a cross-site scripting attack and I knew I had a challenging and exciting role ahead. Schwab is a great company with great people and I learnt a great deal about enterprise technology, security and software development. When you have nearly a trillion dollars of assets under management and it’s your brain against the world’s online criminals, it tends to focus your attention. While at Schwab I started OWASP, the Open Web Application Security Project, an online community I am very proud of. Not only did I cut my teeth on application security at Schwab, I also learnt a great deal about how technology startups work. I was always frustrated at the sheer volume of companies who had built solutions and came to us looking for the problem. The majority of companies were building widgets and go-faster stripes and neon exhausts. I once attended a conference in which Roger Krone explained “if you want to sell to us you need to first understand my business and how we make money and then convince me how you fit into that picture”. I spent a few short horrible months at a startup that tempted me away from Schwab by the lure of an unrealistic salary and then was fortunate to join Foundstone.
Foundstone was started by a bunch of guys from the big four and the US Air Force who built a very successful services company, initially on the back of writing Hacking Exposed. They went on to understand and exploit a significant gap in the technology market created by my former employer ISS not continuing to innovate with their flagship product Internet Scanner. Using consulting to understand clients’ needs, we built Foundscan, an enterprise-level vulnerability scanner that won many awards and much acclaim. Foundstone was a great company and very much a true startup. I was lucky enough to work with a passionate and talented team doing great work with great clients. We used guerrilla marketing to its fullest, including building free tools, writing books and speaking at conferences. If blogs had been popular we would have been fanatical bloggers. In Oct 2004 we were acquired by McAfee for $86 million in cash and after 6 months my old boss and founder Chris Prosise left. I stepped into his big shoes and ran the consulting team as a Division of McAfee until Nov 2006. We were privileged to work for some of the US’s biggest companies and in many cases held true trusted advisor roles.
What I continued to see time and time again was a lack of alignment between information security management and the business in question. Technology trends come and go, security trends come and go, but a common vein runs deep. Unless People are connected to Process, which is connected to Technology, we will continue to see the same inefficiencies that frustrate business managers today. An intrusion detection system is almost useless unless someone acts on its findings. A vulnerability scanner or source code analyzer is useless unless someone acts on the results. I believe the future of information security is about the right People, using the right Process and the right Technology that is aligned to the needs of the business.
In 2000 Nicholas Carr, a member of the Harvard Business School, wrote a seminal essay entitled IT Doesn’t Matter. His work compared modern information technology with the adoption of industrial-age advances such as the railroads and drew the conclusion that as such technological advances become commodities they become insignificant. Carr’s advice to CIOs was to stop investing in IT. The debate polarized business leaders, drawing reactions such as “….hogwash” from Microsoft’s CEO Steve Ballmer. Carr clearly got things wrong. While looking back and drawing on lessons learned (or lessons that should have been learned) can be inspirational, you cannot simply map every advance of the human race onto those events in history. If banks had taken Carr’s advice in 2000 they would have failed to invest in technology and as a result would be hemorrhaging customers today. The debate that Carr instilled into the IT industry did, however, fundamentally change the way information technology strategists (CEOs, CIOs and CFOs) thought about IT. People began to question the balance between the needs of the business and its relationship with IT. People began to realize that business was being driven by IT rather than IT requirements being driven by business needs. Peter Fingar and Howard Smith wrote a rebuttal to Carr’s essay called IT Doesn’t Matter, Business Processes Do. They critically analyzed Carr’s arguments and drew their conclusion based on a deeper understanding of the relationship between IT and the business. As they so rightly stated, “it’s not about the last 100 years, it’s about the next 50”.
SourceClear is setting out to Connect People, Process and Technology and will be building an extensible platform and truly useful business management applications for corporate information security departments. It’s the platform and applications CISOs have been asking me for, for years. It’s the platform and applications you can ask us for today. Email me; tell me what you want and we’ll build it. Tell us what’s wrong with other products today and we won’t make the same mistakes. Tell us how you want to license and buy security technology and we’ll respond. We are committed to building applications that people want. Of course the full details, plans etc. will all come out as the story unfolds.
I hope you will follow our unfolding story, SourceClear Diary of a Startup. Pull for us, cheer for us, help us, advise us and of course see directly into the heart of the company.
Next week we will be deciding whether we build our prototype with Ruby on Rails or ASP.NET and finalizing our initial engineering and product management plans. We also need to decide where and when we will hunt for seed funding, and I will also share the tips so far on bootstrapping, including having no office overheads, buying cheap IT equipment and finding great graphic design at very low cost. Look out for next week’s episode!
Note: for some reason I have a genuine adrenaline rush when posting this!
March 29, 2007 at 11:06 am
Mark
You go boy! Having worked with you in the past, I know what you are capable of and how passionate you are about this. I don’t have to wish you luck, you won’t need it but I do wish you bon voyage!
I can’t wait to buy your products!
Dennis H
March 29, 2007 at 12:10 pm
Detto bene, “well stated” in the language of Dante.
All the very best!
March 29, 2007 at 12:57 pm
After that entire post, the question in the air is still “Ruby” vs. “.NET”? I’m hoping you just put that in there to placate the techno-weenies who read your blog. Big companies (TM) use big, supported APIs (TM). What’s that crashing through the window? Oh, that’s just Ruby leaving the room.
Awesome post…I hope you guys do well.
!Dmitry
March 29, 2007 at 3:23 pm
I have no doubts that you will do something very worthwhile Mark, and that we will all learn valuable lessons as you write about your new venture.
However as I read your post my thoughts are drawn to an article by NSA that caught my eye a few days ago, and I wonder what your reaction would be as someone with your current goals and OWASP history.
This paper is essentially a call to arms about filling critical gaps in the protection mechanisms provided by today’s mainstream operating systems, in particular mandatory security and trusted/protected paths, without which we cannot make any serious headway in solving the higher level security problems.
The paper’s premise is that the assumption that providing security in the application space without addressing these gaps is a totally flawed assumption.
Are we doing application security because of these gaps? Are we treating symptoms when we should be treating the illness?
The link FYI is:
“The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments”.
http://www.nsa.gov/selinux/papers/inevitability.pdf
Any thoughts?
March 29, 2007 at 3:26 pm
Sorry, I did not state the premise clearly.
The idea of providing effective application level security without addressing the gaps in protective mechanisms at the O/S level is the flawed assumption.
April 3, 2007 at 8:11 pm
Sounds really interesting…
On the RoR vs. .NET thing, my $0.02 is it depends how you’re planning to sell it … if it’s likely to be an appliance, managed service or completely packaged app, it’s not too important to customers what it’s coded in.
If you have it as a modular install where the client should manage an install of things like mongrel/ruby etc., then I wouldn’t advise Ruby on Rails (much as I think it’s way better than .NET for developing web applications), as corporate IT in a lot of companies will baulk at the idea of installing/maintaining those kinds of components…
April 3, 2007 at 9:15 pm
Good luck, Mark. 3 startups (including the one I’m @ now) have taught me a great deal. Interacting with folks in the community like you teaches me even more.
I have no doubt you’ll be successful.
Cheers,
/Hoff
April 8, 2007 at 12:56 pm
[...] is installment 2 of SourceClear Diary of a Startup and follows up from my initial post last week, Week 0. The first and most obvious thing you will notice is that this is being posted on Friday night, [...]
February 11, 2009 at 7:47 pm
Mark,
Have you seen the ISACA Business Model for Information Security? It attempts to make a connection between People, Process, and Technology.
Brad