The Birth of Savage

Adrian Sanabria
Savage Security Blog
Apr 3, 2017
My actual spirit animal is the Eastern Bluebird, but I just couldn’t find a picture of it looking “Savage”.

This will be a two-part series. The first is about the Savage Security concept and why we started the company. The second is about the principles, beliefs and goals that drive us.

Everyone has a plan until…

I suppose it started in the consulting days. When I started working as an information security consultant, I knew I had picked the right industry. The people I worked with were deeply passionate about security and hacking. What’s more, they appreciated that we worked in a field where anyone could be the first to discover a vulnerability. Any one of us could be the first to really inspect a device or application. It feels a bit like Manifest Destiny, except there’s no stopping and making camp for the night on the way to the California coast.

For anyone with a curious mind, the security industry can be a nearly infinite source of discovery.

Then there were the ideas and the projects. Put a bunch of penetration testers in one place and the ideas start to fly. Many of them were potentially marketable. Some of them were definitely marketable. A colleague and I even set up an LLC to house some of these side projects. Time was the problem, though. With high billable expectations, there just wasn’t enough time to do these projects justice, even when they’d obviously pay for themselves quickly in returns on efficiency or as a new consulting offering.

I had a career plan that ended with landing a CISO gig and running security my way. I followed that plan — after nearly nine years in the enterprise and another four consulting, I was ready. Instead, I took an industry analyst gig.

Flying Sideways

My career went sideways at that point, but in a good way. It had been a long time since I felt like an absolute beginner in a job. Working as an industry analyst made me realize I knew precious little about the business side of the security industry. Nearly four years working side-by-side with former Wall Street analysts, vendors, investors and financial analysts was an eye-opening experience. Also, the view was fantastic.

I realized early on as an industry analyst that I had landed a special opportunity. I was already a research junkie and am insatiably curious about how everything works. It was suddenly my job to research and understand this industry, and to make sense of it all to our clientele. No bones about it, the security industry is crazy.

No, really — I’m curious about everything.

To give some context, at last count, we were tracking over 1500 enterprise security vendors. I was personally tracking 86 endpoint security vendors. Considering some of those 86 were the likes of Kaspersky Lab, Trend Micro and Symantec, 86 was a lot to keep up with. Endpoint was far from the only category I was following. We came across nine new security startups every week. Five new security categories would emerge every six months. My colleagues and I struggled to keep up with over 100 acquisitions every year.

An itch to scratch

The rush from trying to follow such a fast-moving market was great, but at the end of the day, I was doing more market research than security research. My primary concern in joining an analyst firm was that there wasn’t really an opportunity for any hands-on work. A side effect of trying to keep track of so much activity in the security market was that there were rarely, if ever, opportunities to test out products. To dive deep. To examine the goods I spent my days writing, blogging and talking about.

When I did get a chance to do so, I jumped at it. I was more often troubled than not about what I found. Bit by bit, the industry’s issues became clear to me over my four years analyzing the security market. As in my consulting days, ideas for conference talks and side projects came up constantly. I’d write them down for later, to be used on some vague, undefined rainy day in the future. Sometimes I found time to use them and incorporate them into my work as an analyst.

As I found my feet as an analyst and writer, I didn’t really know what the next step in my career path would be, but I didn’t worry about it at first. From my 30,000-foot analyst view, I could see all the opportunities, and often interacted with people in various roles I didn’t know existed before. It seemed like the world was open to me. I was also told early on that most analysts eventually get lured away by vendors into evangelist and strategy positions. That sounded nice, and comfortable.

Gradually, the opportunities I imagined began to close and disappear. My potential career path shrank to a narrow tunnel in my mind. An itch formed.

Going Savage

As I continued talking with vendors, enterprises and individuals involved in every aspect of the security industry (the InfoSec PR market is HUGE, by the way — I had no idea), a nagging question formed an itch in my brain: is this normal? I suspected I knew the answer, but set out to learn the parts of InfoSec’s history I didn’t already know. I interviewed people who have been in the industry for 30 years or more — from the beginning, basically. I also researched other adjacent markets. Computer science and the developer community. Quality assurance. Manufacturing.

I read a lot about failure. IT failures like Knight Capital. Maritime accidents like the Oceanos.

I pieced everything together like a movie detective, laying out the evidence and connecting the dots in a case. The conclusions I came to were compelling. Compelling enough that, for the first time in my life, I’ve decided to start a business so that I can take this research further, share what I’ve found and help fix this industry.

In conclusion — no, our industry is not normal. All the details of what I’ve found and how this ties into the new business I’ve started with Kyle Bubp will be in the next installment.

Thanks for reading, and Go Savage.

Right, sorry… I haven’t explained what our tagline means either — that will also be in the next post. I’ll have to leave you wondering for a bit :)

Information security veteran blogging primarily about how technology can hinder or help productivity and progress here. Co-founder of Savage Security.