Curphey and SourceClear Turn Blue!
I am extremely pleased to be able to announce that the SourceClear software (Oxygen Security Platform and the Security Life applications) will now be built at Microsoft and that I will be joining as a full-time employee heading up the ACE Services group in Europe and product managing the software. Many people often start these types of announcements with “…it was a really hard decision”. For me it was really easy, much like Scott Hanselman’s post and great graphic below.
Here’s why. As regular readers of this blog know I quit my job running Foundstone last October, moved to Europe and started working on an idea that had been developing in my head for a few years. If you have ever read my Security Next.0 posts, Long Tail Security posts (Part1, Part 2 & follow-up) or Trends in Information Security you will already know that I believe that it’s high time that information security management embraces modern business management techniques and evolving Internet technology to create a platform on which we can make informed business decisions.
I put together some ideas on what this would look like and started hawking it around people in the business. I leaked a few snippets here and there. Within a few months the vast majority of people whose opinions I respect were saying “build it and we’ll buy it” or “build that and you will change the world”. I set about getting the company funded but hit a wall. The European VC market was not the same as the US VC market and my experience from previous startups told me that enterprise software needs enterprise backing. I did have some decent terms agreed in the US but they were contingent on me moving back to the States, something the family weren’t prepared to do.
One night after a few glasses of wine and a flick over the pages of the Art of the Start I decided to look at alternatives; I needed to take a right hand turn. The ideal scenario for me was to find a big company that was interested in building the technology and become an internal “intrapreneur”. I drew up a list of companies where I would be able to create a whole security solution, essentially companies with strong product and services arms. I started an informal search and several were instantly interested. It was important for me to work with a company that was in direct touch with its customers via services.
One of the core concepts of the SourceClear idea is to build a platform and flexible business applications that solve real world problems that exactly match the needs of everyone’s unique businesses and not try and provide a “security department in a box”. I heard time after time about failings of current so-called security management / compliance management solutions falling into this trap.
My good friend JD Meier told me to get in touch with Microsoft’s ACE Team. The ACE Team do Microsoft’s own IT security, performance and privacy consulting and then take that experience and expertise out to customers. In short they “dog food” things at Microsoft with deep access to the very teams that create cool technology like .NET, Windows, Office, CardSpace, SQL Server, Dynamics etc and then help customers by leveraging that unparalleled experience and knowledge. They have built Security Development Lifecycles that are used for Microsoft’s own line of business applications such as Microsoft.com and MSDN. They do code reviews and threat modeling on the line of business applications and products and get involved in security design and architecture work. They put together programs and train the internal developers how to write secure line of business applications like our customers build. In short they are the long tail of security services focused on the Microsoft technology stack! The ACE Team has even invested in an engineering team to build products that are used to support the work internally and then eventually commercialized for customers such as the Enterprise Threat Modeling tool, upcoming security code review technology and some system compliance technology.
So to cut a long story short (and avoiding stories of a few thousand air-miles) sometimes things are just meant to be and it turned out that they were looking for someone to spearhead their services in Europe and were very interested in the product I was designing. I had always planned to build the product on the Microsoft stack (even when I toyed with the idea of open sourcing it) as many of the core components such as .NET, Windows Workflow Foundation, BizTalk and the PerformancePoint Server were scalable building blocks and with the Windows Communication Foundation in .NET 3.5, integration into common business infrastructure has gotten a whole lot easier.
And so it came to be; a near perfect fit in an un-perfect world. I get to build another great security consulting team (this time in Europe) and help the product idea that I am so passionate about (and that has been so well received) become a reality. I think the ACE team value proposition of taking the internal security, performance (think reliability) and privacy knowledge and expertise learned within the Microsoft IT environment out to customers is really compelling.
My friends have often joked that I would be dangerous at a company like Microsoft. I agree. I just mailed the psychologist featured in the Wired article about Halo 3, told him I am about to become an FTE and asked if we can meet to discuss my security genome theory. We are already talking about a book on security development lifecycles for line of business applications (my specialist subject having spent much of the last few years running teams designing and implementing them for big corporate environments) and loads of other cool stuff. I have ideas for some security scorecards, free application security tools and... I am going to have a ball! I am hoping to be able to do a lot more public speaking now as well so feel free to drop me a mail if you have an event in Europe or just want to chat about what we’ll be doing.
I start on Monday October 1st. The family will be moving back to the UK (Brighton) some time before the end of the year, I will likely be based between the Reading and London offices (although expect to be all over Europe most of the time) and in Seattle about one week a month. We will be working on a product roadmap in October so I’ll probably start blogging about the product on the ACE Team blog or a dedicated Oxygen Security Platform blog at some time in the future. I will be at TechEd in Barcelona in November and we will of course be hiring security consultants across Europe (the US team are also hiring) so if you want me to let you know when those openings are official drop me an email offline.
This blog will remain largely the same although I will probably post the prescriptive type blogs (Scoping Application security type posts) on the ACE Team blog in the future and I will be posting a borg image for my readers in the next day or so to save them the trouble of having to create one for themselves!
It really is exciting times and I can’t wait to get cracking. Now do I get a smaller lighter tablet or a more powerful bigger laptop?
September 18, 2007 at 8:09 pm
Thank God this happened. I was wondering what was going on with you. Now I’ll have to find some excuse to visit the UK.
September 18, 2007 at 8:31 pm
[...] Curphey and SourceClear Turn Blue!. Published 18 September 07 09:31 by alikl [...]
September 18, 2007 at 8:34 pm
Congratulations sir. I am pleased for you.
September 18, 2007 at 9:21 pm
Welcome aboard! Drop me a note when you’re going to be in Seattle?
Adam
September 19, 2007 at 4:13 am
Congratulations Mark,
I just hope your blog doesn’t become - shudder - corporatised.
September 19, 2007 at 4:45 am
Congrats!
September 19, 2007 at 4:45 am
Say, would you mind hosting that image locally?
September 19, 2007 at 4:56 am
Scott, fixed. New LiveWriter must have linked it from copy and not inserted. Sorry I didn’t check.
September 19, 2007 at 4:57 am
Adam, thank you sir. I’ll sort out beers.
September 19, 2007 at 4:57 am
Saso, no the blog will remain frighteningly similar.
September 19, 2007 at 4:58 am
Carric, thanks man. Appreciated.
September 19, 2007 at 4:59 am
Justin, you know you are always welcome although I suspect our house in the UK won’t be quite the pad we have in France. Property is even worse than when we left 8 years ago!
September 19, 2007 at 5:33 am
Of course, many congrats. A great hire for Microsoft - it looks like they really are gathering the best minds in security - that’s 2 of my ex-bosses working there now
September 19, 2007 at 5:36 am
Thanks Mike. Yeah there are some really talented folks there. It was this and the tech and knowledge they have built that attracted me.
September 19, 2007 at 6:17 am
Well done Mark, I look forward to being one of your first customers.
September 19, 2007 at 9:30 am
Welcome to our humble team Mark. I’m looking forward to collaborating, brainstorming, having a few beers & changing the world with you….T
September 19, 2007 at 9:41 am
Thanks. I am very proud to be able to join such a talented team and looking forward to the challenge.
September 19, 2007 at 2:04 pm
[...] now this. Mark Curphey is joining the Microsoft ACE team and bringing his product idea with him! This is a [...]
September 19, 2007 at 5:41 pm
Mark - I look forward to working closely with you. Welcome aboard!
Ashish Popli
September 19, 2007 at 5:53 pm
Welcome to the ACE team Mark! Stop on by Conference room H for a lill 1:1 time.
September 19, 2007 at 7:31 pm
Anish, thank you. I very much look forward to working with you and the rest of the folks on the team!
September 19, 2007 at 7:32 pm
Commander Roo, I’ll drop by. Maybe a little foos ball action?
September 20, 2007 at 3:04 pm
Welcome to our (rapidly growing) little team Mark!
It’ll be great to have you on board and I look forward to kicking product ideas around with you!
September 20, 2007 at 3:51 pm
Thanks Rob, I’ll be in Redmond from the 8th. Very much looking forward to meeting (especially to exchange product ideas!)
September 20, 2007 at 9:58 pm
Grats Mark! I’m glad to hear you found what may be your dream job! Love that you opened this post with that graphic, as I think it really says it all!
September 21, 2007 at 6:32 am
LonerVamp, thanks a lot for the kind words. Really appreciated. Now the hard work starts.
September 21, 2007 at 12:46 pm
[...] who among the things he does, has the http://www.securitybuddha.com weblog, has joined Microsoft to commercialize his vision. So a quick note today to congratulate Mark Curphey on his transition [...]
September 21, 2007 at 8:38 pm
I just heard about this today at lunch with Rudy, Alex, and Dinis in Boston (a little behind in my blog reading this week). Congratulations — what a great move! You will be a great addition to the team.
September 21, 2007 at 8:45 pm
How did I miss this? Well done Mark, I’ll be watching you as closely as possible.
I’m back in the UK now too. Let me know when we can meet up.
September 22, 2007 at 1:09 pm
Thanks Robert H, appreciated!
September 22, 2007 at 1:09 pm
Rob N, you were probably moving. We’ll do beers in the UK sometime (although I am on the road for almost all of October already!!)
September 22, 2007 at 2:12 pm
Yes, I’ve been pretty busy, but I’m sorry to have missed the announcement until now.
I’m also busy for much of October, any chance you’ll get to RSA Europe?
September 22, 2007 at 2:17 pm
Not sure, I get back from Seattle on the 19th. I’ll take a look.
September 23, 2007 at 9:11 am
Congratulations and all the best of luck to you.
September 23, 2007 at 1:59 pm
Thanks Stuart. Hopefully we’ll get to have some beers (wine for me) in UK. Maybe I should plan a monthly dinner in London somewhere!
September 26, 2007 at 12:21 am
That’s awesome, Mark.
September 27, 2007 at 5:27 am
Congrats Mark. I’m sure you’ll make a good fit at MS.
Andrew
September 28, 2007 at 3:46 pm
The elusive Lord Lucan (from a host in South America)..you see Bob, I knew you weren’t as straightforward as you used to make out! Let me know when you plan to try re-entry into the country.
October 1, 2007 at 6:12 pm
Best wishes to you Mark! I am glad to see the pieces have come together in good fashion.
October 9, 2007 at 7:08 pm
[...] what is Oxygen? Curphey described it as “ERP for Information Security, the security management equivalent of what Visual Studio Team System is to software development or [...]
February 19, 2008 at 5:26 pm
Congratulations Mark. The Art of Scoping Application Security Reviews is a great series. Hopefully, your move to Microsoft will not preclude Parts 3, 4, and 5.