Friday, March 31, 2017

The Haiku of Finance for 03/31/17

Start some cyber tech
Find cyber channel partner
Cyber-lock it up

Mobile Monday's Cybersecurity for RSAC 2017

I have been poring over my notes from several recent business events I have attended, and I would be remiss if I did not share some key lessons from a Mobile Monday event that coincided with last month's RSA Conference 2017. I take my time to get this stuff right. The MoMo Silicon Valley team convened a cybersecurity panel on February 13, and I had to be there after being too busy to attend their sessions in 2016.

Alfidi Capital always notices Mobile Monday's cybersecurity events.

Cybersecurity startups are going to be a hot new investing trend for Silicon Valley venture capital. I now come away from these cybersecurity events convinced that startups with the strongest tech often have people with US military or intelligence community backgrounds. Those career fields are inundated with cyber practices that have life-or-death outcomes, so the challenge of running a cyber startup should be a piece of cake for those veterans.

It's great that the federal government sees the leverage it can apply in Silicon Valley's growing cybersecurity. Your tax dollars are hard at work in the DHS Silicon Valley Innovation Program, a companion of the Homeland Security Innovation Programs (HSIP). The assessed TAM for cybersecurity is over half a trillion dollars according to DHS, so expect a flood of VC investment into the types of portfolio companies that get some US government seed capital. Some VCs are of course stage agnostic investors, but they recognize that different stage companies have different needs. I despair to think that heavy late-stage funding still convinces some startups that they "need" gourmet catered lunches and expansive campuses.

The VCs on the MoMo panel liked retail and financial service verticals as target markets for cybersecurity startups, but I wonder which end of the enterprise is the best focus. I have long believed that apps are much more vulnerable to security breaches than enterprise infrastructure. Millions of people can download an app and ignore its security protocols, but an enterprise's internal geometry may have only a few thousand entry points to monitor (depending on employee headcount, server connections, etc.).

Rest assured that the US government is hard at work creating cybersecurity standards. The NSA's Simon (for hardware) and Speck (for software) ciphers level the playing field for new cyber entrants. I expect to see them mentioned in GitHub documentation for new IoT security apps. I also expect the smartest startups to identify leading managed security service providers (MSSPs) as targets to become their CustDev cases and early channel partners. A few Google searches reveal widely available lists of MSSPs.

There must be a market opportunity for a knowledge management (KM) cybersecurity dashboard that integrates different security tools and prioritizes a CISO's monitoring efforts. The difference between this type of enterprise solution and your PC's anti-virus solution is its integration of the cyber dashboards in use at all levels of the enterprise. The CISO should be able to monitor every business unit's IT tools and use gamification to encourage compliance. I look forward to finding a startup that can solve a CISO's monitoring pain points.

If anyone can figure out how to make cyber ideas work, it's the US government veterans I mentioned above who depart public service for the wilds of tech startup life. They should know what right looks like even if they got frustrated from working with things that obviously went wrong in the government. I hinted in my article on RSAC 2017 that I did not want to tip my hand about leveraging openly available public resources to launch tech startups. I know what I'm doing here, and I know how to get the right people involved. Keep watching the genius of Alfidi Capital for next-generation cybersecurity amazement.

Tuesday, February 28, 2017

The Haiku of Finance for 02/28/17

Verify user
Secure info from hackers
Protect your data

Saturday, February 25, 2017

Alfidi Capital at RSA Conference 2017

I made my first-ever visit to the RSA Conference in 2017 because I really needed to catch up on the tech sector this year. The visual displays on the Moscone Center expo floor were phenomenal, as you can see in my standard badge selfie below. I was all set for some awesome cybersecurity action. I scored a free Expo Pass from a generous sponsor because I am still way too cheap to pay for anything. I still score massive wins after all these years tracking business.

Alfidi Capital witnesses the mighty RSA expo in 2017.

I sat in the front row for the first panel session and a local venture capitalist recognized me right away. I had not seen him for at least a year, so I obviously made some impression on him back then with my commentary. Anyway, the VCs held forth on the economics of countering hacking and the kinds of expertise they want to see in a cybersecurity startup before investing. It should come as no surprise that CISOs own a corporation's cybersecurity budget, so a security startup should focus their customer development on CISOs and nowhere else. The panelists with CISO backgrounds noted that they have longstanding trust relationships with sales reps who have hopped around different companies. Relationships matter even in tech, so startups should hire experienced sales people with huge contact lists if they want to win revenue. Startups will be disappointed to know that security solutions don't always scale well, so presumably large corporate customers have internal barriers that inhibit integration with other enterprise systems. Maybe automation can solve scalability, or maybe automation is another buzzword that VCs can chase for a year.

Executives addressed foundational controls.

The RSAC Innovation Sandbox was a hoot. RSAC users threw a bunch of words into a word cloud and the biggest ones were "data, cloud, risk, threat" in bold letters. If I had my own personal word cloud following me around, it would show words like "genius, brilliant, awesome" in big letters. One investor noted that total dollar-volume funding for cybersecurity startups was down in 2016 but later-stage funding was still keeping valuations high. The situation totally reminded me of the VCs' push for a cloud / mobile / Big Data confluence a couple of years ago because their portfolio companies in each specific sector were failing. Startups chasing those dollars now should know that innovation must address speed, because hackers' OODA loops operate faster than security professionals can respond. Get used to hearing phrases like "cognitive load" in startup pitch decks, because VCs want to fund solutions that add value through automation that reduces an IT team's cognitive load in managing cybersecurity functions. I think a startup that can demonstrate how the OWASP Benchmark Project validates its automated security solutions will have a big advantage in attracting venture funding. Any solution that can address processing encrypted data, particularly with cutting edge tech like homomorphic encryption, will garner a similar advantage.

People also implement foundational controls.

The Governor of Virginia came to tell us all about how cybersecure things are over in his state. He kept telling variations of a funny story about dolphins in his state's waters and how much Virginians loved them. I hope those dolphins are qualified cybersecurity professionals. I agree with the Governor's sentiment that state-sponsored education should offer more tech and less baloney, although he didn't use the word "baloney." That's one of my favorite words. Anyone who thinks there's no baloney in tech has never sat through a startup pitch fest. I did a Google search for the US's national STEM education standards and found the US Department of Education's K-12 standards page, so the STEM stuff may be in there somewhere. The NSF's STEM Education Data has gotten a lot more user-friendly since the last time I checked out its Science and Engineering Indicators report. The NEA surprised me with some useful STEM links; it's nice to see a union do something useful. Remember, folks, that arts education puts the STEAM into STEM.

Intelligence on threats must drive security decisions.

I was thrilled to listen to a security panel featuring cybersecurity legend Bruce Schneier. I have read his regular Crypto-Gram newsletter for years and he always has a fresh take on the biggest security trends. The panel addressed the emerging challenge of monitoring, maintaining, and certifying IoT products. It sounds to me like there are plenty of niches for security startups to make their cases. Industry will always sacrifice security for performance, so expect government regulation to drive security standards. Mr. Schneier mentioned how regulation has both fixed costs and marginal costs for solutions, and he somehow connected it to European Union regulations that will raise the marginal costs of producing IoT devices. It sounded like justification for US device manufacturers to on-shore more IoT device production here at home. I can see the walled gardens going up already in IoT thanks to security concerns. Here comes my awesome Alfidi Capital genius, folks. Secure models must connect trusted "walled gardens" (i.e., families of products from Google, Apple, and other big providers) to home IoT hubs (i.e., the coming smart home systems) that are certified under federated standards (i.e., cloud stack, network connectivity, and hardware all certified under some family of government-approved standards bodies). You heard it here first. Oh yeah, one more thing . . . educating consumers on security never works! People ignore privacy settings and safety procedures, so regulation will have to build fail-safe protocols that make it difficult for non-expert users to leave themselves exposed.

Get used to hearing about securing ICS.

The RSA people livened up their conference by having actors and poets come out to introduce major themes. Hollywood actor John Lithgow gave an opening-day monologue with audience members raising their glowing wristbands. It worked as a performance art piece but I did not get a wristband. That's what happens when you only get an Expo Pass. A poet named Rives introduced a couple of cute musings on how ideas can represent data connections. I won't spoil his performance for you, so just go look up his TED talks.

Scripting in software is not like the movies.

I never miss a chance to hear Dr. Eric Schmidt from Google (aka Alphabet, its new corporate name) hold forth on tech stuff. His talk at RSAC mentioned Google's TensorFlow open-source AI library. Those Google folks are just non-stop innovators; it must be all the coffee they drink. Dr. Schmidt said he uses game theory to make strategic business decisions, especially when deciding to deploy tech that keeps Google at the center of a new ecosystem. It's no wonder why Google is so dominant if that's really how they think. Every company should be lucky enough to have geniuses running the show.

FireEye came out to the expo.

I acquired some good background information from the NIST Cybersecurity Framework presentation. It is destined to be the beta version of the federated standards system I mentioned above. Cybersecurity professionals need to know about the Center for Internet Security's critical security controls, the Center for Responsible Enterprise and Trade compliance standards, the CForum's development of the NIST framework, and the National Cybersecurity Center of Excellence's implementation of the framework. The framework's sponsors were fond of the Checklist Manifesto methodology, so there's a cue for startups that want to execute solutions in this space. Note that the Industrial Internet Consortium has its own security framework.

The final speaker that mattered to me was the phenomenal, incomparable, mind-blowing Dr. Neil deGrasse Tyson. Okay, I'll admit I attended other speakers but this guy was the real deal when it comes to pure, unadulterated genius. His genius probably ranks right up there with my own. I can't do justice to his blend of science wisdom, performance art, and comedic monologue with my meager words. Check out YouTube for tons of examples of his knowledge. It's all in the delivery. Dr. Tyson connected Albert Einstein's theories to lasers and gravitational waves during his RSAC talk. Previous eras had Dr. Einstein, and we are lucky to have Dr. Tyson among us today. His explanations of complex ideas make him a living national treasure. He should run NASA.

Read my blog article closely enough and you'll see how I spotlight hints for startups. I picked up a ton of printed information from expo floor presenters on technology implementation that I am not going to share in public. My intent is to attract entrepreneurs to some cool ideas and advise them on execution. I am not about to tip my hand in public lest potential competitors get a clue. Suffice it to say that anyone can track publicly available information on tech development, but only a genius such as yours truly can fit it all into a coherent business plan. Every conference I attend is by definition a massive winner, simply because I am there. Thank you RSA for enabling me to score in 2017.

Monday, January 30, 2017