Information Security as a Revenue Driver for the Enterprise

Cyber Security Practitioner Series brought to you by:


We recently interviewed Brian Castagna for our Cyber Security Practitioner Series on the topic of how enterprise organizations should view their information security programs as a revenue driver as opposed to a cost center.

Brian shared his wisdom with us on his approach to revenue-driven security programs, and how he applies it while serving as the Director of Information Security at Oracle Bare Metal Cloud.

Tell us a bit about yourself and your current role.

I’d like to start this Q&A with a confession. I’m trusting you as the reader with my secret. (in a whisper) “I used to be an auditor”. Sssshhh, don’t tell anyone. Yes, I was one of those smug 22-year-olds that cost $200 an hour who asked you “what’s Linux?”. I started my career as an IT Auditor performing SAS 70, PCI DSS and ISO 27001 audits at various public accounting firms including KPMG, PwC and Shellman. And while I jest, there is tremendous value, when building information security programs, in starting with a strong foundation of IT general controls - access, authentication, change management, backup, and monitoring.

After 8 years of evaluating the security and controls of technology service providers, I realized I wanted to do more than just find the security issues; I wanted to fix them too. For the past 5 years I’ve been building information security programs at venture-backed technology companies including Jumptap, Acquia and Dyn.

In my current role, I lead the information security program for Oracle Cloud Infrastructure (OCI) Edge Services. Formerly Dynamic Network Services (DYN), OCI Edge Services runs DNS, Monitoring and Email services for the edge of Oracle’s V2 Cloud.

Organizational leadership teams often make information security investment decisions to prevent or respond to a security breach. Should this be the primary driver for information security investment?

Information security is a great case study in human behavior. We are a reactive species. Why did you get that new home security system? Because a robber just broke into your house. Why did you start eating healthy, and stop drinking Cokes, eating Oreos and fried food? Because you now have type 2 diabetes. Why do organizations make significant increases in information security investments? Because they just had a major security breach.

A common attitude among corporate executives is the following:

“Why would I invest money in information security when we haven’t had a security breach? And if I did invest money in information security, it’s really just an insurance policy to protect against a cyber attack.”

This is the wrong line of thinking in my opinion. This type of attitude has contributed to the myriad breaches we see in the news every day.

Here are four areas that I believe should be drivers for information security investment:

  1. Revenue: It’s the money, stupid. What if information security was an implicit or explicit revenue center? What if you used metrics to directly tie information security to increases in revenue? People respond to money. If investments in information security could open up new segments of the market such as healthcare, government or e-commerce, that is an eye-opening pitch to executives vs. we need to protect against X scary event in the future.

  2. Shorten Your Sales Cycle: Are you living quarter to quarter? Anxious to close that seven-figure enterprise deal to secure your next round of VC funding? If you are able to meet or exceed your customers' security expectations, this will shorten your sales cycle with the security and legal hurdles found at larger enterprise customers.

  3. Marketplace Differentiation: Customers of cloud service providers demand a strong security story. If you can articulate your security to customers in a confident, but not boasting manner - you will get more customers than your competition.

  4. Nature of the Business & Data: What you do for a business, and the types of customer data you maintain, should have a strong influence on the level and type of information security investments your organization makes. For example, say you are a fintech startup and take on personally identifiable information and bank account data in the cloud. Your customers (banks) require security. Regulators (SEC, privacy laws) require security. Auditors require security (external, customer auditors). You require security, because you need to meet the needs of customers, regulators, auditors and most importantly to grow and mature your business.

How do you approach building information security programs to drive revenue?

I take a customer-centric view when I build information security programs. With that lens, I am able to get more buy-in within the business-driven departments at an organization, from executives, customer support, sales, account management and product. A customer-centric security program is a win not only for the business in driving revenue, but for security teams as well - as enterprise customers have expectations much more stringent than compliance standards. Here are some of my focus areas to drive revenue:

  • Compliance: As a former auditor, I have a love-hate relationship with compliance. Love, because foundational IT general controls bring a baseline level of structure and health to an organization. That makes me happy :). Hate, because compliance is often window dressing, with insufficient focus on mitigating the relevant threat models to a particular business - be that strong vulnerability management or security incident response. Out comes the sad face :(. The reality is, compliance is now table stakes. If you want to sell to mid-market or enterprise, you need the acronyms: SOC 1, SOC 2, SOC 3, ISO 27001, PCI DSS, HIPAA, FedRAMP, etc.

  • Customer Visibility: Customers want visibility into the security of your product or service beyond the audit reports and questionnaires. Figure out a way to provide them that visibility, and you will break down sales barriers.

  • Answer the Hard Questions: Gone are the days of easy security questions from enterprise customers. I completed a 420-question security questionnaire the other day. If you can answer the hard security architecture and configuration questions well, it will help you get that top 20-30% of revenue that’s been elusive to your business.

  • Charge for it: Why hello, Mr Customer. We are offering three product models: Bronze, Gold and Platinum. The Platinum offering comes with these five additional security features and services. Which product do you prefer? The customer likely has to get past his own corporate security team and make his boss happy. Security should be an easy upsell.

  • Internal SLAs: Go hard. Make your security team service providers. Respond quickly with internal SLAs on requests from customer support, account management, and sales. Not only will you be making friends and kissing babies within peripheral business units, but you will make customers happy.

How does an information security program impact a company's enterprise value?

A properly designed and implemented information security program increases enterprise value. There are implicit and explicit benefits to having the right level of security, structure and control.

Implicit examples include things like new-hire and termination processing, and background checks. Having functional, and ideally automated, baseline IT general controls will save your entire company time and money. There is tremendous value in making security easy and automated. In a recent conversation I had with the CISO of a Boston tech company, he made the decision to only allow third-party technology vendors that integrate with his company's single-sign-on system. That’s a great example of a security policy that is driving implicit enterprise value, where dozens of security administrators are not required to manage access to 90+ third-party applications.

A more explicit example is opening up a new market segment.  For example, as a cloud service provider you cannot do business with the Federal Government unless you have FedRAMP compliance. Get FedRAMP, and open up a market segment where the revenue, and resulting increase in enterprise value can be explicitly tied to your efforts as a security professional.

How do you approach building security teams?

Building high-performing security teams is both challenging and exciting. There is a huge talent gap for the required information security skill sets, particularly in security architecture, security engineering, and security incident response. Couple that talent gap with the need for a blended skill set of technical and people skills, and you find yourself on a unicorn hunt.

I build security teams with skill sets that complement each other. For example, some team members have a technical focus, or a people focus, or a queue-based focus, or a project-based focus. I approach team building by recognizing strengths & weaknesses, orchestrating the use of those strengths, and equipping my team with the right message and tooling to effectively execute.

When is the right time for a company to build out an information security function?  Why?

To answer this question, we first need to evaluate the applicability of the information security investment drivers discussed above. What’s the target market for customers? Nature of the product and data? Risks to the business? Based on the answers to those questions, it’s easier to build out a roadmap or staffing plan for security.

However, herein lies the challenge for building the security team. Often this question is driven by customer compliance requests - such as a SOC 2 audit - and not driven by a meaningful business strategy. If I had a nickel for every time a recruiter messaged me on LinkedIn stating a company needs an information security director to get them SOC 2 compliance, I would be a rich man.

So, how do we answer this question? Let’s start with some simple yes and no questions:

  1. Are you a SaaS, PaaS, or IaaS provider?

  2. Do you operate in the Cloud (e.g. AWS, Google, Azure, Oracle)?

  3. Do you want to sell to mid-market and enterprise customers?

  4. Do you want to sell to regulated industries or geographies - healthcare, financial services, government, e-commerce, European Union?

  5. Do you take on sensitive customer or consumer data - intellectual property, source code, PII, credit card data, bank records, and/or strategy documents?

If you answered yes to #1 above, you should likely hire an information security resource(s) by the time you are 200 people.

If you answered yes to #1 and #2-5, you should hire an information security resource(s) between 50-150 people. The more questions you answered yes to, the closer you should be to hiring for information security after 50 people.

A common misconception is that security is a one-person job, and you just need one manager, director or CISO. Information security is not a person; it is going to be a team, where the scope, scale and timing of building that team depends on the nature of your business.

Hack Secure Dinner: How Secure are Blockchains for Supporting Financial Transactions, Software Services, ICOs and Beyond

The goal of Hack Secure is to help educate the cybersecurity community on as many issues and ideas as we possibly can. In that vein, we like to host intimate dinners with cybersecurity practitioners and executives to discuss current topics.

Our next dinner will be highlighted with a talk given by Professor Brian Levine of The College of Information and Computer Sciences at UMass Amherst. (If you're interested in attending a future dinner, please reach out to us below.)


Brian's talk will focus on blockchains, and how blockchain-based cryptocurrencies are quickly advancing from simply supporting financial transactions to hosting advanced software services and initial public/coin offerings. He’ll discuss the security of using blockchains for those purposes. He will also explain the basic operation and assumptions of blockchains such as Bitcoin and Ethereum, then describe the successes of these platforms, as well as the attacks that these systems have suffered.

We will be taking a look at a few specific cases. For example, in May 2016, an Ethereum-based service called "The DAO" was created as a type of decentralized hedge fund. It raised over US$150M worth of ether during a crowd sale. By June 2016 an attacker began stealing ether from The DAO, but not due to a flaw or vulnerability in Ethereum; rather, it was a flaw in The DAO's own programming. Also to be discussed is how, in July 2017, a flaw in a software "wallet" for Ethereum allowed an attacker to steal US$30M from some users.

If you would like to attend this event, or any future events being held by Hack Secure, please reach out to us.

OPENSEC: VISUAL THREAT HUNTING WITH GRAPHVIZ - RYAN NOLETTE

Ryan Nolette is a security technologist and threat hunter at Sqrrl Data, which markets software for big data analytics and cyber security. In this lightning talk, Ryan gives an overview of the threat hunting process, and recommends visualization methods that expedite the process.

Ryan begins the discussion by showing what the process is currently like without visualization; it is monotonous, tedious and inefficient. By recognizing that humans are visual beings and naturally attuned to finding patterns, Ryan demonstrates how utilizing a visualization tool can save both money and time for security professionals.

It is clear that humans are visual learners, and Ryan puts together a very cohesive lightning talk that puts this into perspective in a security context. By eliminating the tedious and repetitive actions, security professionals can find threats in a fraction of the time compared to conventional log crawling methods.

OPENSEC: SLEUTH KIT LIGHTNING TALK - BRIAN CARRIER

Brian Carrier (@carrier4n6) is the Vice President of Digital Forensics at Basis Technology, a software company specializing in applying artificial intelligence techniques to understanding documents and unstructured data written in different languages. In this lightning talk, Brian gives an overview of his experiences in using and designing open source security tools.

Brian begins his talk with a little about his experience in security, and how security tools were very limited early on. When Brian was still a student, Dan Farmer and Wietse Venema released The Coroner’s Toolkit (TCT), and from there, Brian built on top of that to deliver a more friendly user experience, resulting in Autopsy. He then discusses the evolution of digital forensics, moving from individual tools to platform-based tools.

This talk zeroes in on the importance of the user experience in digital security and how the security space is constantly evolving. Brian focuses on the importance of extensibility in the security space, and gives real-world examples of how improving the design of security tools leads to more users.

OPENSEC: THE STATE OF OPEN SOURCE CYBER SECURITY - LIAM RANDALL

Liam Randall (@Hectaman) is the Senior Director of Software Engineering at Capital One and the Founder and CEO of Critical Stack, a sensor delivery network. Liam’s keynote presentation gives a detailed overview of the state of open source cyber security.

Being a security professional himself, Liam’s presentation is incredibly insightful in terms of approaching the problems currently facing the cybersecurity space as a security professional, and what open source projects can do to not only help companies, but also help themselves stay one step ahead of attackers. Perhaps the most significant takeaway from Liam’s talk is the importance of application delivery within organizations, and how containers provide modular and isolated application delivery along with backwards compatibility.

Liam delves into great detail about certain open source projects, especially the MITRE ATT&CK framework, making this talk relevant for anyone interested in cybersecurity. He also understands that agility is critical, as it drives organizations towards responding rapidly in an advanced environment, providing valuable business insight as well.

OPENSEC: AN OSQUERY OVERVIEW - JASON MELLER

Jason Meller (@jmeller) is the CEO of Kolide, a startup that builds osquery fleet management software. In his presentation, Jason discusses the core principles and advantages of osquery, an open platform for host analysis.

There are three properties that differentiate osquery from other technologies. osquery is “platform agnostic”, meaning it can run on a wide array of machines. osquery is also extremely scalable: it has been used at Facebook, demonstrating that it can run on one machine or hundreds of thousands of machines. Finally, osquery is an open source project, meaning that the community is doing much of the development and pushing the technology forward.

This lightning talk demonstrates the value of osquery as an open project, especially in security settings. While only scratching the surface of osquery, Jason does a great job explaining the factors that are making osquery one of the most important open source projects available today while painting a broad picture of the platform’s capabilities and uses.

3 THINGS YOU WILL LEARN AT OPENSEC 2017

Make sure you get your ticket for OpenSec 2017!

Attendees at OpenSec 2017 will have the opportunity to hear from top cyber security experts in the Boston area. In addition to keynotes addressing the current state of open source cyber security, how companies choose between open source, proprietary, or existing cyber security solutions, and more, there will also be a series of lightning talks. This fast-paced series will focus on specific open source projects and how they are being leveraged for cyber security uses.

We will first hear from Jason Meller, CEO at Kolide, about osquery. Among the most popular open source projects on GitHub, osquery allows users to ask questions to their Linux, Windows, and MacOS infrastructure and get accurate answers quickly. Osquery is often used for security purposes such as intrusion detection and pulling data from endpoints, but it can also be used to collect basic information about configuration and more. This talk will give you a solid foundation in what osquery is, how to install it, how to use it, what to avoid, and how to use open source solutions to protect endpoints on a broader level.

We will then hear from Brian Carrier, VP of Digital Forensics at Basis Technology, about Sleuth Kit. Sleuth Kit is an open source collection of command-line tools and a C library, largely developed by Brian, built to enhance digital investigations and incident response. At the conference, Brian will go over the basic functions of Sleuth Kit, and how it can be leveraged to create a strong incident response program through data analysis, giving companies the resources they need to respond to threats as thoroughly as possible.

Finally, we will hear from Ryan Nolette, Primary Security Technologist at Sqrrl. Ryan will speak about the benefits of visual threat hunting using open source solutions, specifically visualizing Bro data with Graphviz. Visualizing your threat hunting exercises helps lower the bar of entry for threat hunting and provides answers to the common questions: How do I get started? How can I explain what I found to my management? How do I justify my time?
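As an added illustration of the "Bro data with Graphviz" approach that Ryan's talk (and the recap above) describes, here is a small script that is not code from the talk, Sqrrl or Bro: it parses Bro conn.log records, aggregates them into host-to-host edges, and emits a Graphviz DOT graph in which hosts with an unusually high fan-out (many distinct destinations, a simple hunting heuristic) are highlighted. The sample log and the fan-out threshold are constructed for the example.

```python
"""Turn Bro (Zeek) conn.log records into a Graphviz DOT graph for visual threat hunting.

Added example, not code from the talk or the Sqrrl project. Assumes the standard
conn.log layout: '#' directive lines, a '#fields' header, tab-separated data rows.
"""
from collections import defaultdict

# Constructed sample conn.log (tab-separated); not real traffic.
# 10.0.0.5 touches four distinct destinations, 10.0.0.7 only two.
# The last row is deliberately truncated to show malformed-row handling.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring",
    "1494860400.1\tCa1\t10.0.0.5\t51000\t10.0.0.20\t445\ttcp\tsmb\tS0",
    "1494860400.2\tCa2\t10.0.0.5\t51001\t10.0.0.21\t445\ttcp\t-\tS0",
    "1494860400.3\tCa3\t10.0.0.5\t51002\t10.0.0.22\t445\ttcp\t-\tS0",
    "1494860400.4\tCa4\t10.0.0.5\t51003\t10.0.0.23\t22\ttcp\tssh\tSF",
    "1494860401.0\tCb1\t10.0.0.7\t52000\t10.0.0.20\t445\ttcp\tsmb\tSF",
    "1494860402.0\tCb2\t10.0.0.7\t52001\t10.0.0.20\t445\ttcp\tsmb\tSF",
    "1494860403.0\tCb3\t10.0.0.7\t52002\t192.0.2.10\t443\ttcp\tssl\tSF",
    "1494860410.0\tCbad\t10.0.0.9",
])


def parse_conn_log(text):
    """Return one dict per data row, keyed by the names in the '#fields' header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields"):
                fields = line.split("\t")[1:]
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # skip malformed rows instead of aborting the hunt
        records.append(dict(zip(fields, values)))
    return records


def build_edges(records):
    """Aggregate flows into (orig, resp, resp_port, proto) -> connection count."""
    edges = defaultdict(int)
    for r in records:
        edges[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["proto"])] += 1
    return dict(edges)


def fan_out(edges):
    """Number of distinct (destination host, port) pairs each originator contacted."""
    dests = defaultdict(set)
    for src, dst, port, _proto in edges:
        dests[src].add((dst, port))
    return {src: len(s) for src, s in dests.items()}


def to_dot(edges, fan_out_threshold=3):
    """Render edges as DOT; originators at or above the threshold are filled red."""
    counts = fan_out(edges)
    lines = ["digraph conn {", "  rankdir=LR;", "  node [shape=box, fontname=Helvetica];"]
    hosts = sorted({h for src, dst, _, _ in edges for h in (src, dst)})
    for h in hosts:
        if counts.get(h, 0) >= fan_out_threshold:
            lines.append(f'  "{h}" [style=filled, fillcolor=salmon, label="{h}\\nfan-out={counts[h]}"];')
        else:
            lines.append(f'  "{h}";')
    for (src, dst, port, proto), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{proto}/{port} x{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(build_edges(parse_conn_log(SAMPLE_CONN_LOG))))
```

Pipe the output into `dot -Tsvg` (part of Graphviz) to get the picture; on a real conn.log, raise the threshold to fit the network's normal fan-out before reading anything into the highlighted nodes.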

To learn more about how these specific open source solutions are affecting cyber security, join us at OpenSec 2017 on May 15th!

OPENSOURCE SPOTLIGHT: CRAIG CHAMBERLAIN OF COGITO

With OpenSec 2017 ten days away, we are catching up with a few of this year’s panelists to hear the breadth of opinions surrounding the current state of open source cybersecurity, and where it is heading.

This week we spoke with Craig Chamberlain, Director of Security at Cogito. Craig is well known in the security space, working as a security consultant for various financial, defense, and government entities, as well as publishing security research.

To hear more from Craig and other leaders in the open source community, sign up for OpenSec 2017 on May 15th.

Craig Chamberlain @randomuserid

What aspects of cyber security got you interested in the space? How did you get your start?

I remember being on a tour of MIT once and hearing them describe how they had to disconnect the student grade tracking system because it was impossible to keep the students out of it. I remember thinking, they have one of the world's best collections of computer science knowledge and talent and they can't keep the students from hacking the grade system? I was sort of fascinated. Later I had more under-fire experience running Internet facing servers through the 2000 - 2005 period when the world experienced a series of historic security fire drills. The changing and adversarial nature of the problem set pulled me in. I went on to help build some security products and had amazing experiences along the way.

What advice would you have for people moving into or up in the Cybersecurity space?

Look for employers willing to invest in training and continuous education; that is important to building skills and being successful. Share research; give talks at conferences and participate in the community. To quote Yoda, "Mind what you have learned. Save you it can. Pass on what you have learned."

Once you get established, and feel comfortable mentoring, start looking for team members who show interest in, or aptitude for, security. Nurture this. Take them to conferences and meetups with you and help them get started in security. The cost / benefit curve of building talent, rather than buying, is astronomical. Growing talent will become more and more strategic as talent inflation worsens.

What are some products or solution spaces you're watching and excited to see grow?

At the moment everything revolves around data science and machine learning. One practical application for these technologies I'd like to see is the application of graph analysis and entity-relationship based anomaly detection for threat hunting and intrusion detection; I'm working on a blog post to elaborate on how I would use this.

Where do you see cybersecurity going in the next 5-10 years?

Probably a shift towards automation and algorithmic security management and incident response tooling. The problem of talent inflation has become acute as threats evolve and proliferate. Throwing people at the problems isn't working due to scarcity and what I call "inflation fatigue" among business leaders.

Why do you think open source can make a huge impact on security?

Many security product companies are too focused on simple sales cycles in order to quickly build valuations. Product road maps are too often dominated by marketing managers who are either unwilling or unable to build really compelling and useful features and capabilities. Open source products allow well-resourced security teams to groom and customize tooling to meet sophisticated workflows and increase velocity in the process.

Interested in hearing Craig expand on his thoughts? Hear him and other open source security experts talk at OpenSec 2017!

OPEN SOURCE SPOTLIGHT: JEN ANDRE OF KOMAND

For today’s OpenSec 2017 preview, we heard from Jen Andre, founder and CEO of Komand.


At Komand, Jen empowers security teams to focus on efficient incident response and decision making by offering the automation of manual tasks, and a space to share this automation and know-how with the wider security community. Prior to founding Komand, Jen co-founded Threat Stack, and worked at Mandiant and Symantec. She is very involved in the cybersecurity space, authoring multiple articles and speaking at conferences around the country.

To hear more about the current state of open source cyber security from Jen and other leaders in the open source community, sign up for OpenSec 2017 on May 15th.

Jen Andre @fun_cuddles

What got you interested in the cybersecurity space?

Hanging out with computer hackers in the 90s - early 2000.

What advice do you have for people moving up or into the cybersecurity space?

Find some great, friendly mentors, stay curious, and question the status quo.

What are some product or solutions spaces you are watching or excited to see grow?

Machine learning effectively applied to cybersecurity (promised, but yet to be delivered), productivity improvements for SecOps teams (in workflows, deployment of security stack), and better policy and technical deterrents to cyber-related crime.

Want to hear more from Jen? Hear her and other open source security experts talk at OpenSec 2017!

OPEN SOURCE SPOTLIGHT: JASON MELLER OF KOLIDE

With OpenSec 2017 less than three weeks away, we are catching up with a few of this year’s panelists to hear the breadth of opinions surrounding the current state of open source cybersecurity, and where it is heading.

This week we spoke to Jason Meller, Co-founder and CEO at Kolide. At Kolide, Jason and his team are harnessing the power of Osquery to solve cyber security issues using accurate, timely, and queryable data. Prior to founding Kolide, Jason started as a member of GE’s elite computer incident response team, before moving to the Mandiant corporation and FireEye following Mandiant’s acquisition.

To hear more from Jason and other leaders in the open source community, sign up for OpenSec 2017 on May 15th.

How are you related to Osquery and what do you think is so powerful about it?

My co-founder Mark Arpaia created Osquery while he was at Facebook. I started Kolide because I am a fan of Osquery. It just so happened that we were able to recruit him on the team. From my perspective, Osquery is just really exciting. It’s the first open source solution that really resonates with people who want to pull accurate and timely data from their endpoints. I think the fact that it is open source, and that there is so much community support behind it, is exciting for many reasons. The first is that the existing proprietary software vendors have their own agents, which are these closed source, black box things. The future of host instrumentation is going to become a commodity. There are finite things you can pull from a host that are going to be interesting. Eventually, someone will produce an agent that will pull all of those things as performantly as possible. I think that solution will be an open source one. I think Osquery is in the best position to do that. As far as building a business, we believe that this thing is going to be a commodity, so the value is in what we do with that data, what insight and value we are driving from the data that Osquery collects. That’s what Kolide is all about – making a big bet on Osquery. We really want to grow that community. We think it is an awesome piece of technology, and that the future of the business isn’t necessarily the collection of the data, but what value can you get from it, which provides insight and lets you make competent security decisions, DevOps decisions – or any decision where you need accurate and timely data from the host.

Why do you think Osquery is so popular on GitHub?

We kind of talk about the number of stars it has in relation to other security projects, but I think at the end of the day it’s because it’s so useful that it actually transcends the very narrow use case of cybersecurity. It basically allows you to ask any question you can conceive of to the endpoint and get an accurate answer as quickly as possible. The raw utility of that goes far beyond security. Getting good, accurate information as quickly as possible is an amazing capability to have to solve security problems, but it also solves a lot of other problems. One thing that I was really surprised about when we started Kolide was the number of people that cared about the security aspect, but they also use Kolide to get basic data from what’s going on on the Macs that their employees use: the configuration, is the firewall enabled, is it running these rules, etc. These are very basic things that are hard to collect, because no one is really focusing on Mac and Linux from an agent perspective. Osquery treats those as first class citizens.

What will people learn by attending your talk at OpenSec?

I’m going to be talking a lot about Osquery itself. We’re not going to make this a commercial pitch for the product. We want people to get excited about Osquery. If you have never used Osquery before, and want to figure out what it is all about, how to install it, and ways that it can solve some problems out of the box, you should attend the talk. We are going to walk you through every important facet of Osquery, and give you the materials you need to consider it seriously for your own use cases at your organization. If you are looking for a nice primer for dealing with Osquery, this is the talk you want to attend. You will get a lot of perspective. We know a lot of the sharp edges, and things to avoid, that the documentation doesn’t necessarily state explicitly. It should be a fun talk for people who are psyched about Osquery, but also about using open source solutions to deal with security issues surrounding endpoints at small or large organizations.

Want to hear more about osquery? Hear Jason and other open source security experts talk at OpenSec 2017!

OPEN SOURCE SPOTLIGHT: BRIAN CARRIER OF BASIS TECHNOLOGY

With OpenSec 2017 less than a month away, we are catching up with a few of this year’s panelists to hear the breadth of opinions surrounding the current state of open source cybersecurity and where it is heading.

This week we spoke to Brian Carrier, VP of Digital Forensics at Basis Technology in Cambridge, MA. In this role, Brian builds incident response software, open source software, and custom software to enhance digital investigations, having largely developed open source projects The Sleuth Kit, Autopsy 1 and 2, mac-robber, and TCTUTILs. Additionally, Brian chairs the annual Open Source Digital Forensics Conference (OSDFCon), which examines the latest open source tools and techniques.

To hear more from Brian and other leaders in the open source community, sign up for OpenSec 2017 on May 15th.

How did you start in Cybersecurity? What initially pulled you in?

I was an intern in the mid-90's when the company got their first internet connection. I got involved with setting up their Linux-based firewall. I then got interested in forensics when the first open source tools started to be released in 2000ish (The Coroner's Toolkit) and started to expand on them because I wanted to learn more. I was working at @stake at the time and we needed incident response tools for our work, so we built them and released them out as open source. I've been maintaining and involved with The Sleuth Kit and Autopsy ever since.

What are some products or solution spaces you're watching and excited to see grow?

I focus a lot of my time on easy to use products that help companies do their own basic incident response and forensics. The basic idea being that as companies get more security maturity, they need to be able to respond to incidents, but most won't have forensics experts on staff.

Many companies will respond to a SIEM alert by looking at antivirus logs. If the antivirus is happy, then they are happy and that is all they can do. We want to enable companies to go a bit deeper and help them analyze additional data, which is why we've been building our Cyber Triage product.

I think this is a growing space because more companies need to do basic investigations, but don't have the skills or resources to do it.

What do you think makes open source different?

I like open source because it allows for a community to be built around the software. We organize an annual Open Source Digital Forensics (OSDFCon) conference each year (http://www.osdfcon.org) that attracts over 400 people and it’s great to see the developers and users all get together. They are both passionate about the software and what it can do.

From a digital forensics perspective, there is also the benefit of the software being reviewable when entering digital evidence into a court trial. Anyone can verify how it works and you do not need to rely on a software vendor to testify.

Interested in hearing more from Brian? See him talk at OpenSec 2017!

WELLS FARGO CYBERSECURITY EVENT RECAP

Last Wednesday, 2/1, HackSecure hosted a cybersecurity panel at Wells Fargo in Boston (thanks to WF for sponsoring!). The panel included Tim Byrd, SVP at Wells Fargo; Clement Cazalot, VP of Tech at Intralinks; and John McAleer, Senior Manager of IT Security at AthenaHealth. The conversation bounced between how their respective companies look at working with young security startups, what they see as the biggest threats and risks for their teams moving forward, and what they have on their security roadmaps for 2017. It was certainly a fruitful conversation for those able to attend, with plenty of advice for young companies targeting enterprise customers. Again, thanks to Wells Fargo for hosting, and thank you to everyone who showed up and stayed for drinks after.

ONWARD AND UPWARD

I was advised by many in venture that I wouldn't last 5 months in venture; I was too impatient, too controlling, too much. Well, 5 years later they get to be right, well, kind of....

I am stepping down as a General Partner of Accomplice and will not be a GP in Accomplice’s next fund.

Hack Reduce and Hack Secure have proven to be incredibly valuable vehicles to achieve my goal of developing the next generation of great data science and cybersecurity entrepreneurs. Over the past 5 years we’ve built a community of over 7,000 members, having hosted hundreds of events, which led to the funding of over a dozen companies. I’m excited to continue cultivating both ecosystems with the goal of starting many more cybersecurity and data science companies (If you're one of them, get in touch). This requires a tremendous amount of my time and focus.

I also plan on continuing to lead The St. Baldrick’s Foundation’s $100M Tech Fundraising Campaign to end childhood cancer. In the U.S., more children die of childhood cancer than any other disease and I am committed to working with the amazing team at The St. Baldrick’s Foundation to do something about that.

I will continue to represent Accomplice on my portfolio company boards and remain involved with Accomplice as a Senior Advisor. I will continue to work with my seed investments independently and will spend time identifying, investing in and developing entrepreneurs.

Accomplice has become the brand for early stage venture capital in Boston. We've made a ton of progress in our short time, and I'm honored and proud to be a co-founder during this spectacular climb to the top. Our successes give me the opportunity to dig into my personal mission to continue to make Boston great, by focusing on my entrepreneurs, both those I’ve invested in and others I will in the future.

I am very proud of my Atlas and Accomplice partners and my investments over the past five years. I have every expectation to contribute to the delivery of three excellent funds and will always support, enjoy and have an active interest in where Jeff and Ryan take Accomplice from the strong base we’ve built.

My five years in venture have given me the opportunity to spend more time with my family and collaborate with some incredible entrepreneurs. For this I am incredibly grateful. I want to thank Jeff and Ryan for their friendship, partnership, and for giving me the opportunity to reinvent myself over the last five years as the anti-VC, and now to reinvent myself yet again... Stay tuned!

Chris @LynchBigData

TECH TACKLES CANCER RAISES OVER $500K TO SUPPORT ST. BALDRICK’S AND CHILDHOOD CANCER RESEARCH [PHOTOS AND VIDEO]

The Boston Tech community has stepped up big and is providing the leadership necessary to kick off our $100M campaign for Tech Tackles Cancer. Your generosity in support of finding a cure for kids' cancer through St. Baldrick's (we raised more than $500k) is legend. I want to tell you all how proud I am to know you and say thanks to each and every individual who helped make our 5th annual St. Baldrick's event at The Landsdowne Pub such a great success and a rocking good time!

Embedded content: http://www.appetitefordisruption.com/wp-content/uploads/2016/12/161107FL-1323-Winslow-Martins-conflicted-copy-2016-11-30-1024x683.jpg

Once again, our event had over 500 people: shavees, volunteers, sponsors, Patriots, Celtics, start-up folks, raffle items galore, and the great Savtones featuring Chris Cote (who crushed Yellowcard playing down the street). When all is said and done, the total to St. Baldrick's is over $505k with donations still coming in; we met and exceeded our ambitious goal!

Embedded content: https://www.youtube.com/watch?v=QLk-nOLBsuw

Nationally, St. Baldrick's is the single largest investor in pediatric cancer research next to the U.S. Government. Unfortunately, every 2 minutes a child is diagnosed with this terrible disease, and it kills more children in the U.S. than all other major diseases combined. Kids' cancer is very different from adult cancers and hence requires specific research. Eighty percent of children with cancer have had it spread before being diagnosed, and for those who survive, 70% have shorter life spans marred with chronic health issues. In spite of these facts, only 4% of US Federal funding is solely focused on children's cancer research. Further, 60% of adult cancer research funding comes from big pharmaceutical companies, with almost none for childhood cancer research because these drugs are not profitable. This is why we need St. Baldrick's: 100% of their grants go to children's cancer research, and not to one institution, but to the best and brightest researchers around the world; this is a different and winning strategy.

An event of this magnitude takes a lot of work behind the scenes, so I would like to give a special thanks to the committee responsible for organizing our St. Baldrick's event. My first thanks is to Ben Hux, Volunteer Event Organizer, and Cort Johnson, Mayor of Tech Boston and hack/secure fame, who have stuck by me to make this happen. My goal is for this event to be a Boston legacy we leave the next generation of entrepreneurs, serving to give us perspective, inspiration, strength, and unity.

Thanks also to Accomplice, Matt Burke, Cynthia Ferranzzani, Will Brierly, Lauren Wedell, Josh Terry, Josh Darling, Brittany Vogel, the Boston Celtics Dancers, the Patriots Cheerleaders, JLL, DLT, City National Bank, The Savtones, Galen Moore and Kyle Gross of BostInno, and Keith Cline of Venture Fizz for support of the event. Without these people and their assistance, this event would not have succeeded. Thanks to Em Vision Films for producing the video to promote the event, and to photographer Winslow Martin and videographer Rosemary Jeneth for documenting the event. I also want to thank the Lyon's Group for hosting the event, and all of the shavees, stylists, volunteers, and raffle item donors.

The generosity of Boston and the surrounding areas is incredible. I am very fortunate to have people like Mike Egan, Jit Saxena, Art Coviello and Jeff Fagnan in my corner. The sacrifice of the shavees alone is unbelievable. I thank them for their commitment to such a deserving cause.

The St. Baldrick’s Foundation is a volunteer-driven charity committed to funding the most promising research to find cures for childhood cancers and give survivors long and healthy lives. The St. Baldrick’s Foundation does this with the guiding principles of integrity, efficiency, transparency, a pioneering spirit and a sense of fun. It’s never too late to donate, I’ll keep the link live.

RED TEAM CHALLENGE RECAP

On Saturday, April 23rd, hack/secure and SimSpace, with sponsorship from Square 1 Bank and Rapid7, hosted the first in a series of attack-and-defend challenges.

Embedded content: https://static1.squarespace.com/static/5552e203e4b05a323bd23602/t/5727aefdd51cd48057ea0018/1462218521016/IMG_1153.JPG?format=1500w

We had a great turnout, with over 40 cybersecurity practitioners joining. The challenge, created by SimSpace, gave each team its own network consisting of full operating systems configured with subtle, yet real-world, vulnerabilities and/or misconfigurations. Teams were required to use real-world scanners, exploitation tools, and post-exploitation tactics to capture 10 flags.

After 6 hours of attacking the SimSpace network, the team from Booz Allen Hamilton came out on top, capturing 7 of the 10 flags. Veracode came in a close second, followed by Rapid7 and Sqrrl in third.

A big thank you to all those who participated. We look forward to seeing everyone at the next challenge!