June 24, 2015 — My last day at Duo Security

Infosec is more exciting than ever, which is why I knew I had to quit.

Last week I resigned from the best job I’ve ever had. This is a story about how I ended up in information security, and why I’m moving on.

--

I started my career in infosec by accident. Out of college I found myself working for an IT management consulting firm in DC. With a B.S. in Computer Science, I answered my manager’s question about what kind of billable work I wanted to do quite simply:

I want to build software.

My first assignment was to help “code” the intranet website for Health and Human Services. That wasn’t building software. It was organizing information and lightly styling static webpages. Fortunately, that assignment didn’t last long.

My next post would present the opportunity to build something as long as I didn’t mind jumping head-first into information security. In August 2004, Homeland Security Presidential Directive-12 (HSPD-12) became a thing, and for the next 10 years I found myself building strong authentication and identity & access management software and solutions. Passwords had always struck me as the weak link in confirming someone is who they claim to be, only made worse as everything became accessible from anywhere. Combined with the opportunity presented by security’s awful usability track record, getting into infosec did not feel like a detour at all.

My life in software revolved around smart cards and PKI from 2004–2011.

For the next two years, through the fall of 2006, I helped a number of US government agencies figure out how to deploy and use smart cards to secure physical and logical access to their facilities and information systems. This included everything from figuring out how to create biometric templates from optical fingerprint scans, and standing up and cross-certifying a PKI certificate authority, through performance testing a reference implementation of the PIV smart card applet in BasicCard.

There was a lot to learn, which is what attracted me to the information security field in the first place.

While the infosec work was broad enough to keep me interested, I still found myself spending most of my spare time reading about consumer tech startups. 2004 was an exciting year: Gmail, Flickr, and Vimeo launched. Of course I was intrigued by the impact these services had on every Internet user, but even more so on how these products and companies were created and the journey of founders and early employees.

Founders At Work — One of my favorite reads from 2007

When presented with the opportunity to help turn a security consulting company into a software product company in 2006, I jumped from DC to Fort Wayne, Indiana without looking back. Dave Corcoran, the founder and CEO of this midwest security startup, and I met by happenstance: We happened to both be consulting for the same government client and we hit it off. Dave and I spoke about products and software quite a bit. We both wanted to “get out” of consulting and put more time and energy into building products, which we thought would create more (scalable) impact than helping one customer at a time.

Our expertise happened to be in security, so that’s what we focused on building at TrustBearer Labs. Over the next four years we focused on building usable, strong-authentication software that happened to revolve around smart cards, a somewhat esoteric security technology that most folks think is a European credit card. This focus area was largely about timing — the federal government was issuing millions of these cards to employees and contractors because of HSPD-12, and we saw an opportunity to be an independent software vendor (mISV, even) that made using these cards dramatically easier than the competition. Our largest selling product was TrustBearer Desktop, a smart card middleware “stack” for Windows. Functionally, it allowed government agencies to use their PIV smart cards as a secure alternative to passwords to remotely access information systems.

Fast forward to 2009: VeriSign (and a few other companies) took notice of TrustBearer and wanted to talk about partnering (aka, acquisition interest). They were particularly interested in leveraging the technology we built to accelerate their time to market with a better Windows and Mac client for their successful Managed PKI service. By April 2010, VeriSign acquired TrustBearer Labs. This was a big win for everyone who helped build this company. And I’m personally proud that we were able to make it happen in the midwest.

TrustBearer Labs: a Fort Wayne, Indiana security startup (2006–2010)

2010–2011: The post-acquisition journey

TrustBearer was under 20 employees when we were acquired. We had plans to expand the team both in Fort Wayne, IN and Mountain View, CA. We were the first and only VeriSign office in the state of Indiana, and the VeriSign User Authentication product and engineering teams couldn’t have been happier about it. We had built a highly efficient and effective engineering team in the midwest. I give a lot of credit to the folks on the VeriSign side that had the foresight to keep the TrustBearer team intact and in Fort Wayne post-acquisition.

I was genuinely excited about the acquisition. While I knew there would be a lot of changes and ultimately less control, I was looking forward to working with larger product and engineering organizations. We made a lot of things happen at TrustBearer, but — as with many first-time startups — we made a number of things harder than they needed to be. I was ready to learn from those who had “done it” many times over.

Within about a month of that acquisition Symantec announced that they would be acquiring VeriSign’s Security Business (and their ubiquitous checkmark logo) for a cool $1.28B in cash. By August 2010, the acquisition was complete, and Symantec debuted their new logo.

2010 was a big year for maroon and gold logos.

My role at both VeriSign and Symantec (and TrustBearer) was largely in product management. Dave and I were responsible for turning TrustBearer Desktop into VeriSign^w Symantec PKI Client, the one digital certificate middleware to rule them all. This was a big time (and headache) saver from using the built in OS capabilities for digital certificates.

I also spent a fair amount of time working with the DC-based, federal sales teams to help them sell more Managed PKI and related authentication products. During my last few months with Symantec in 2011, I also wore a business development hat and worked with Mobile Device Management, e-Signature, and Smart Grid vendors to embed support for VeriSign/Symantec Managed PKI into their products.

Sounds like a great career (on paper)

From the outside — from my résumé — this was the beginning of a great career in the rapidly growing field of information security, and it was! The problem was that I wasn’t really enjoying it. I was working remotely for a Mountain View, CA company from Washington, DC. I worked out of a terrific coworking space, Affinity Lab, traveled out west only about every six weeks, and got to live in our nation’s capital. But, all you had to do was ask my wife how I was doing and she would say, “well, this isn’t Brian’s favorite job, but I’m not sure what that would be.” Neither did I.

By the end of the summer in 2011, I decided to leave Symantec for oneID, another startup that wanted to rid the world of passwords. I worked alongside the company’s founder, Steve Kirsch, for six months to turn a novel, technical concept into a working product that anyone could understand. Turns out, that was the easy part. Competing with the price of passwords and growing a sustainable business would be much, much harder. Enough so that I decided the fight wasn’t for me.

In January 2012, I dropped a cold email to Dug Song and Jon Oberheide, co-founders of a (relatively unknown at the time) two-factor authentication startup, Duo Security. I came across Duo while doing some competitive research in 2011. I was impressed with the technology and go-to-market. Duo created a truly usable cloud-based authentication solution: Not just from a technical standpoint, but for the entire customer experience. I started a trial, downloaded the Duo Unix source code, and had two-factor authentication protecting SSH access on a Linux box in minutes. Oh — and I didn’t need to type any six-digit codes. I just had to tap a big, green button on my iPhone.

The Duo Push video and company-naming guy, @ptrbkr

Dug, Jon, and I hit it off. They shared with me the list of impressive, early customers that were evaluating Duo, their vision to democratize security, and news that an A round led by Google Ventures was almost complete.

Duo Security was less than 10 employees when my wife (pregnant with our first child, btw) and I moved from DC to Ann Arbor, Michigan in early 2012. Today, Duo is over 10x that size and has raised $49M in venture funding. More importantly, customers love the product and company.

Companies like Facebook, Etsy, NASA, Disney, Yelp and Ars Technica use Duo to protect access to their servers, apps, and data.
We’re just starting to see the authentication applications of wearables.
Even the most discerning security insiders have nice things to say about Duo.

Did I mention that Duo Security is a B2B software vendor?

IT infrastructure and security vendors are considered lucky if most people don’t hate them. It’s a big accomplishment to find customers using the word love when describing communication or productivity software, but security software? Whoa. Duo is most definitely on to something.

Why I left

Brian, what were you thinking?

It’s a completely fair question. I asked it of myself for quite some time before making the decision to leave Duo Security after being there for over three years. Infosec is bigger and more important than it has ever been before, but it all boils down to this:

I love working in Product, but not in security.

My engineering background, combined with an affinity for effective communication, collaboration, and bringing something into the world that didn’t previously exist has always motivated me. What I eventually realized is that in order for me to be highly satisfied in a Product leadership role I need to be passionate about the problem, customers, and market.

Making security more usable is a mission that I still deeply believe in, but to be leading Product at a disruptive company like Duo Security, believing in that mission is not enough. I realized that I’d rather help companies grow their businesses through software I’m helping build rather than help protect organizations from shrinking (losing money, information, etc.) through security software.

I have tremendous respect for the information security community. They’re some of the smartest and friendliest technologists that I’ve met. They can be a tad cynical at times, yes, but I’ll take that over ignorance any day. I’m lucky enough to call some of these experts my personal friends.

Some infosec friends at the Duo Security Summit, an event I organized in April 2015

But there’s a difference between being invited into a community and truly being part of it. I was invited with open arms, but I never felt like my heart was completely in it.

Here I was, at one of the most interesting and successful security startups in the industry, that was winning for the right reasons, and had earned respect from all types of customers and critics, yet I still wasn’t feeling it. I listened to myself, received some terrific advice from mentors, peers, and friends, and moved on.

What’s next

Over the past few years Ann Arbor has blossomed into a tech startup town. There are now over 30 legit companies that call this midwest town their home. I love living and working here, and I’m not going anywhere.

I’m also staying in B2B SaaS — no doubt about that.

I’m joining a company that has already won over thousands of small businesses by making it dramatically easier for them to build relationships with their customers. Yep, I’m heading into the wide-world of CRM. I’m joining Nutshell to lead Product, and I can’t wait to tell you more about it.

Grow great things

Brian Kelly

pro reader / amateur writer, b2b saas product guy, sometimes @resetbrian, www.briankelly.me