Friday, December 17, 2021

Starting your own CyberSecurity Company - Part I and II

Part 1:

Find really talented computer security people, know your ISO 9000 and 27000 auditing techniques well, then start pounding on doors and working hard.  Most large companies have a security team.  They will hire you only if your team is better.  For anyone else, you have to have a 30-second pitch on why your services will protect the customer and save money.  Word of mouth spreads fast for a good company in this field.  Just remember that over half of the "security" problems are actually management system problems.  Know how to identify both.

####
Why You Might Not Want That Cybersecurity Job
Update: I receive occasional inquiries for cybersecurity career advice because of this post. I haven't worked in this field in years, so I recommend you read this advice if you're trying to get a cybersecurity job.


Cybersecurity, while offering lucrative job opportunities, might not be an ultimately rewarding career for Maryland technologists. I worked in this sector for about eight years as a military officer, government civilian, and government contractor in a variety of different roles, and here's what I want to say about it.

Maryland's business press, government officials, and various tech organizations have lately been enthusiastically banging the gong for cybersecurity.  I can appreciate why - there's a lot of money at stake, and a lot of it comes from Maryland's foremost benefactor, the federal government.  This is a recession-proof, guaranteed-to-grow industry, and Maryland is already home to many successful cybersecurity companies like Sourcefire.  The government and private companies employ many thousands of people and contribute many millions of dollars to our tax base.

So it makes sense for our government to be pursuing these opportunities, but does it make sense for you, Maryland hacker?  Here are some things to consider; these are obviously generalizations extrapolated from my experience.  Feel free to leave comments if you feel this is a gross distortion.

- Cyber defense is often the opposite of a creative activity; in many of these jobs you're going to find yourself acting as an enforcer, a mere gatekeeper.  You'll be telling the creative people in your organization all the things they can't do or aren't allowed to have.  Often you'll be restricting them not because of policy reasons but because it's too hard to figure out how to allow them to do what they want within the regime you are enforcing (naturally this does not apply if you work for a company that builds the tools the enforcers use) or because it's just easier to say "no".

- In classified settings, you are severely restricted in the sources and kinds of technologies you use.  You'll be leaving your smartphone and your iPad in your car or in a locker outside the SCIF.  You won't have admin permissions on the machine you're working on.  Forget installing Chrome with the latest extensions, you'll be lucky to get version 2 of Firefox!  Or you might not have access to the Internet at all!  Also, forget about telecommuting or riding your bike to work; your job will be in a well-defended federal facility or an anonymous office park in the suburbs.

- Because cybersecurity is so tied to "the enterprise", you'll almost certainly be living in Microsoft land, which may or may not be a problem for you.

- Many of the government organizations in this field are gigantic, top-down, and super-hierarchical. You will be made to turn as a soulless cog in a giant machine.  There are plenty of smaller, more enlightened companies out there, of course, but the highest paying jobs will probably be offered by big contractors.

- The federal government has crazy monopsony power over this sector.  Besides the usual and expected bureaucratic games you'll endure, if you work for a private company that does much business with the government you are going to see some brutally depressing market distortions that arise from this monopsony.  You may find yourself working on a product or a program that nobody in your client agency cares about, or wants to succeed, except that they need to spend up their budget dollars so Congress doesn't take the money away next year.  Or you might find your job in limbo because the sales cycle for getting government contracts is so long, and it can take forever for the company to actually have money in hand.  There's some truth to the myths about the Pentagon spending $10K on toilet seats - it probably does cost about $9950 in sales salaries to sell a $50 toilet seat to the Department of Defense!

I was well-paid as a cybersecurity analyst, and often I did enjoy the work, and parts of it involved amazingly cool, James-Bond-like exploits.  But those are the reasons I ultimately chose to leave. Now I am working on my own startup.  My job is less glamorous (I'm not "saving the world" every day) but because my individual contribution counts thousands of times more in a small company which I own a piece of, and because every second and every dollar counts, it's an infinitely more satisfying way to spend my time.  My labors are simply more meaningful.  So that's what I wanted you to know.

UPDATE 8/16/10: Please check out @NetSecGuy's post where he further elaborates on these issues.

POSTSCRIPT FOR MARYLAND GOVERNMENT AND BUSINESS LEADERS

I applaud you for positioning the state to take advantage of the "cyber doom boom".  I'm sure it will help many of my fellow citizens in the short term.  But I wonder how much wealth you think cybersecurity is ultimately going to create in Maryland, especially if it accrues to big consulting companies like Booz-Allen that aren't even based here.  Also, what's going to happen when this sector matures, when Internet security gets better, and spending declines?  Who's going to fill up those office parks and abandoned SCIFs?

I implore you not to neglect other parts of Maryland's Internet tech economy, because it's product companies like Advertising.com, BillMeLater, Millenial Media, Localist, Ipiqi, Common Curriculum, Figure53, Replyz, Deconstruct Media, and a bunch of others I can't think of right now that are building a new, sustainable post-industrial base in our state.

####

I don't think I have as much government contractor experience as you do, Mike, but in my limited experience, these facts are all too true. And the worse news is that many of our region's big IT employers are more similar to government contracting than they are to product companies!

I've worked at places where these things are the norm: lack of admin rights to your own equipment, not being able to telecommute (for political as well as technical reasons), and working on long, slow, boring, wasteful release cycles. How can we convince the smart folks who feel "stuck" in these positions to get a taste for and contribute to the "new economy" companies?

I'd like to think the first steps for these people could be as follows:

1. get involved with after-hours local user groups and start networking. Join meetup.com. Follow local leaders on twitter. Twitter is not a toy. It's an amazing platform that brings you closer to others.

2. occasionally cowork remotely with others - even if you have to take a vacation day to do it. I know this is a hard sell, but it might be hard to see the value of coworking until you've done it a few times. Even if you're just poking around with new tech.

3. start a side project. There's no better way to flex your skills, and it might just grow into something bigger.

I've never been happier since I left that corporate IT world and started working on smaller, more vibrant projects. Thanks Mike for sharing your thoughts!
####

If you're a security and startup junkie, go do a security startup! I'm always happy to help folks looking to start security companies (msg @dugsong), and for more general startup mojo, be sure to check out @davetroy and Beehive Baltimore (which, incidentally, has some security startups right next door :-)

####
@Furball - it's hard to say. Are you a uniformed member of the Air Force or a civilian? Certainly I have found the leadership ethos and the work ethic of the military extremely useful in a startup. There's a certain self-starting "roll up your sleeves and get the job done no matter what, don't whine and ask me a bunch of questions" dedication to mission that you get from military service that is optimal for a startup environment.

Always during my military and civilian time working for DOD, I was finding ways to write code. I wrote a 6K Perl script at one job (it started out as a 100 line helper then grew out of control, without me ever sitting down to design something good). I definitely got to play with some awesome and interesting technology. So I gained some generically useful programming experience, but it didn't really give me much preparation for building products on the web, except that I'm a bit more wary of getting hacked than maybe the average programmer is, since I know firsthand what a motivated attacker can accomplish.

What really shocked me out of the rut I was in was learning about Ruby and Rails and various open source projects by reading blogs. I stumbled onto Paul Graham's blog and that's where I learned about startup culture. The rest was history.

Not knowing you personally my general advice would be "why not get started now"? Are you going to be more risk-tolerant three years from now? Likely you will be even more used to the steady salary and benefits than you are now.

The last few posts on http://davetroy.com are all about this getting started issue...good luck!

####
The 10 Steps of Cyber Security Startups

1. Business Cyber Risk Analysis
2. Embrace Security in Your Culture
3. Select the Right Platforms
4. Email is the Master Key
5. Your Web Site is the Front Door
6. Secure Coding
7. Control the Internal Network
8. Physical Security
9. Plan for Failure
10. Be Open with the Public

####

Security Consultant

To assist Nettitude in delivering security engagements of various types, e.g. penetration tests, PCI, etc.

A Security Consultant is expected to keep up to date with the latest security developments, news and techniques.

Security Consultants will receive special focus from more senior staff in order to assist their progress, but emphasis is also placed on self-study and a desire to learn.

Security Consultants are expected to own and run their own security engagements.  This includes the full lifecycle of an engagement from kick off call, testing, report creation, report delivery to debrief. There may be a requirement to lead small to medium projects and to help mentor Junior Security Consultants.

A Security Consultant must work towards attaining mid to upper level industry certification such as the OSCP, for which Nettitude will provide support.

The following list is indicative of the overall expectations of the role (not exhaustive):

- Deliver penetration testing and other related security activities, for example PCI DSS ASV scans, etc.
- Perform kick-off calls, wash-up calls, email responses and debriefs for each assigned engagement.
- Help develop client relationships and provide professional, consultative-style engagements.
- Write full and thorough reports for each engagement that show rapid and constant improvement, based on comments from QA and peers.
- Through self-study and mentorship, demonstrate an ability to rapidly become versed in a wide variety of IT security related skills.
- Willingness to mentor Junior Security Consultants where appropriate and/or requested.
- Lead small to medium sized projects as deemed appropriate by Nettitude.
- Where appropriate and/or requested, provide labs for the Nettitude CTF, deliver effective and useful clinic days, and take part in any other activity which promotes the team's cohesion and ability to progress.
- When requested, provide technical analysis of current IT security related events, especially for the purpose of media coverage.
- When requested, prepare and run the weekly penetration testing team meeting in an effective manner using the provided standard template, and report any concerns raised to management.
- Assist in security testing related presales activities, providing technical assessment of scope, principal security concerns and testing methodology to the Account Manager.
- When requested, formally review reports submitted to Quality Assurance to the standard expected by Nettitude.
- Assist Management in performing other tasks as requested and required for effective business function.