A Right Hand Turn For Curphey

About 10 months ago I left a well paid job running Foundstone in the States, headed to my holiday house in France and decided to bootstrap a security software company. I wanted to create a company that I would be proud of and the sort of company I have always wanted to work for. I have learnt a great deal about a great deal of things and after a lot of hard work, a pile of cash, a lot of wine and recently much soul searching I have decided to take a right hand turn in life. I have been lucky enough to have been involved with some successful startups before and closely followed a few folks I know start up on their own. I have the hindsight of some good experience behind me and it became clear that if I was to build the sort of company I wanted it was going to be a real uphill struggle with the current set of circumstances. I just didn’t want to be another average company with moderate success. As they say “timing is everything”.

I certainly made some mistakes over the last few months but having spent six months validating the idea and with a few decent sized pre-order sales to prove the demand I take comfort in knowing the idea was sound. In fact I am more bullish about the concept than at any time in the last few years but a good idea alone of course is far from enough to launch a company. Funding models in Europe are very different from the States, as are investors’ motivations and approaches. In the end I had a decent term sheet brewing across the pond but contingent on me moving back to the States. This is not an option for me. I promised my wife I would spend no more than a year and it became clear I was unable to find the “right” funding in Europe.

So what’s next? Well there are a few companies interested in the concept. This may result in me selling the concept and knowledge to build it or finding a new home where I can birth it with adequate resources. If a good offer doesn’t materialize I may just build it as an open source project. I know the demand is there and everything I have learnt and all market trends tell me it would be a big success.

I personally have made some major life decisions. Back in 2002 I got bit by the software bug when I created the software development lifecycle at Schwab. Of course it wasn’t called that at the time, in fact no one was really doing much formal software security in the corporate world in those days. There were no books, threat modeling was not recognized and code review tools consisted of grep, SLINT and Perl. It was at this time I also started OWASP. Looking back I really enjoyed the challenges and that time of my career. Much of that experience was used when we created the software security services at Foundstone. They have been a great success story and we continued to learn a lot about software security in general, software security services and software security education. One of my personal frustrations for the last five years has been my software development skills. Having to rely on others to bring ideas to code is frustrating. At every point in my career the soft-skills side of work seems to get the priority (some say I am naturally good at it) and the technical side (that I naturally enjoy) gets cast aside.

Call it a mid-life crisis if you will but I have decided to move from a role managing consultants to becoming one again. I plan to re-invent myself and find a career building software security programs, reading and writing code and building software. Of course it won’t happen overnight and I am pretty sure I will find myself managing teams again very soon but I think the experience I have when combined with deep technical development skills will be potent and will be the nourishment I need to keep me whole.

So in summary, SourceClear as a startup is no more, SourceClear as a concept (Oxygen Security Platform and the Security Life applications) is still alive and will hopefully be reborn soon in a place where it will succeed. We plan to move back to the UK later this year, I am actively looking for a job and hope to have more news by the end of September.

If anyone has any interesting opportunities of course do get in touch!


5 Comments on “A Right Hand Turn For Curphey”

  1. Liquidmatrix Security Digest » Security Briefing: August 13th Says:

    [...] A Right Hand Turn For Curphey [...]

  2. Michael Farnum Says:

    Seems like I heard some rumblings that Nish Bhalla over at Security Compass is looking. Don’t know how true it is, but worth a look.

  3. mcurphey Says:

    Hi Michael and thanks for the comment. I know Nish and he’s a great guy but if I return to consulting I think it will be at a different sort of company. I think the type of strategic work I am interested in really happens with the established companies; the big 4, MSFT, IBM etc. There are a few specialist software security firms like Cigital I have followed with interest as well. Foundstone was the smallest company I ever worked at and it was 50 people. I have thought about setting up a small app sec practice a few times over the years but always decided it was not for me for various reasons.

  4. Tedi Heriyanto Says:

    > I have thought about setting up a small app sec practice a few times over the years but
    > always decided it was not for me for various reasons.
    What reasons make you decide that?

    So what are you going to do in the future?

  5. mcurphey Says:

    Well despite the marketing / public face of many of these small companies I know how many of them struggle to make ends meet. People talk ;-) I also know what fees many of them have to charge to win work from the boutiques (Foundstone, Aspect, Cigital) or big players and it doesn’t always stack up for a good living. Consulting on a small scale is a lifestyle choice IMHO.

    What am I doing? Well I am in the States again next week and should be making an announcement in the next few weeks! I am excited by the opportunities with great companies out there.
