Credit Card Thieves Sparked My Startup Idea: How to Know When an Idea is Right
About five years ago, I was searching for an idea for a new startup. Anyone who has, or has tried to, start a company knows how hard this can be. Even when you are in the middle of a market, you can’t always come up with a winning idea.
And then my credit card was stolen. An annoying fact of modern-day life. But this time, I smiled when I got the text from my bank. The thieves had just given me an idea.
Credit card fraud alerts are triggered by unusual behavior — an unusually large purchase, buying shoes in another state, or shopping for jewelry in the middle of the night. The card issuers know your normal buying patterns, and when something abnormal pops up, they flag it.
I got to wondering why monitoring for unusual behavior wasn’t being used in the field of cyber security? It seemed logical to me that knowing the daily routine of an employee could be used to spot when unusual behavior occurred — likely the sign of a criminal hacker taking over that employee’s machine or account.
Be Open to New Ideas
This was my first lesson in starting a new company. I had been thinking for months about what my new company could be. I had spent more than five years in the cyber security market, even getting lucky enough to be part of a team that took Imperva through a public offering. Yet I wasn’t happy with some of the ideas I’d come up with.
Now, you may think that the fraud alert was a stroke of luck. And maybe it was. But I also think having an open mind can be key. Looking at other disciplines or markets can be really helpful, so you don’t get stuck in a rut. You need to look everywhere. You should talk to people in other markets. You just never know when or where you will find the spark.
Don’t Let Past Failures Stop You
As it turns out, I wasn’t the first person to have this idea. And you will need to own up to that. For every successful product, there are precursors that didn’t quite get it right. Steve Jobs didn’t let the failure of the Newton at Apple stop him. Nor did he let the string of so-so MP3 players keep him from hatching the iPod. He just knew he could do it better.
A few security startups over the years have tried to use credit card fraud detection techniques for cyber security purposes. And this could have dissuaded me. But I started looking into why they failed. If you are following others who have not quite made it, make sure you understand why, because things may have changed.
In my case, there were two key shifts that had taken place in the market. The first was the advancing field of artificial intelligence, particularly machine learning. Past companies had instead relied on so-called expert systems that relied on rules written by experts. These were limited to what the experts knew and were prone to gaps as cybercriminals changed their tactics. With machine learning, on the other hand, the machines were always watching, always learning. You didn’t need to have experts because the machines were even better at understanding what normal was.
The second change was the rise of big data technologies combined with the fast-falling cost of storage. In the past attempts, data storage was expensive and limited the amount of behavioral signals the application could store. By the time I got the alert on my phone, you could store almost everything for a pretty small amount of money.
Build a Team to Bulletproof the Idea
The last thing I did to make sure the idea could work was team up. First with my former colleague Sylvain Gil. He brought a knowledge of the market and a healthy French skepticism. Just as many good scientists are skeptics, Sylvain essentially tested my idea to make sure it could work. By the way, skepticism isn’t the same as cynicism. Being a skeptic means being critical not fatalistic.
We then teamed up with our other co-founder, Domingo Mihovilovic. He had been developing a large-scale cloud security management system. As proud as he was of what he’d built, he knew some of the issues. His product wasn’t using fraud techniques and looking for anomalies the old way — using known signatures from malware and the like — his product was not going to keep up. Domingo kept Sylvain and I honest from a technical, can-we-build-it standpoint.
Finally, a key part of our “team” was a set of early design partners. These were prospective customers. We went to them before we wrote one line of code. Though our concept was good and could be built, these handful of security professionals were critical in turning what we could build into something they could buy.
The UEBA Market Emerges
You know you’ve made it when the thing you built becomes a market, complete with its own acronym. Gartner coined what we were up to as User and Entity Behavior Analytics (UEBA). Twelve months after we’d launched, we had 50 paying customers. The fast start was due to all of the prep work we had done. We’ve got over 200 customers today and growing fast, but that’s not the end of our story.
We had another important move to make to grow even faster. UEBA was just the springboard into the next-gen SIEM market, which was our intended target market from the very beginning. I’ll cover that in my next post.