Atomicorp – Mach37 Alumnae Interview with Michael Shinn

atomicorp-michael-shinn-army

Michael Shinn, Atomicorp CEO

What opportunity did you recognize that led to the founding of Atomicorp?

Michael Shinn: The security industry was being challenged by the widespread migration to the cloud and cloud-based technologies. To me, it seemed like a classic second mover opportunity caused by a fairly disruptive change to the market. A lot of the existing cybersecurity solutions either couldn’t be used in these cloud environments — appliances for example — or they didn’t provide the right value to the customer. The products weren’t designed for that world. They were being bolted on and the customers weren’t happy. We saw this as an opportunity to apply some unique technology and solve the cybersecurity problems in a cloud-friendly way.

What specific value does addressing that problem provide for your customers?

securitylarge-282x300Shinn: The value that customers have shared with us is a dramatic reduction in operating cost. We have been told 80% and the number has been shared with us repeatedly. That 80% is based on the fact that there are fewer security incidents they must address after installing Atomicorp. That seems like the obvious place to look for benefits for a security solution. The non-obvious benefit is the reduced dev ops costs because they don’t have to patch their systems so frequently. That has enabled dev ops to do their work without having to go through a lot of security gates.

Why aren’t current solutions addressing this problem effectively?

Shinn: For the traditional players what seems to be happening is this move to the cloud doesn’t work with their current business models. That is a substantial problem. When I talk with my peers at these companies, they are frustrated that their attempts to build cloud-based solutions have not gone well within their organizations in terms of culture, sales model, accounting and product. Cloud platforms are extremely heterogeneous. Solutions are sold by the hour. It’s not a traditional IT environment where you control the network and all of the components. The attack surface is completely different and more dynamic in a cloud environment than an on-prem environment. The problems are different. The solutions need to be different.

atomicorp-logoIt’s a more challenging environment for traditional cybersecurity companies to build products and more challenging to operate their business because they need to reinvent how they operate. Something as simple as how do you account for revenue in this new model when you are accustomed to selling enterprise licenses is an issue.

For the customers, the problem is exasperated by the fact that a lot of the security products are built for security experts which doesn’t help their dev ops teams. That is not what they are looking for. They need products that are easy for non-experts to use.

What makes your approach different and better from existing approaches?

Shinn: Atomicorp products are built for cloud environments from the ground up and they are designed to be easy to use.

What about your team’s background puts you in a unique position to succeed?

Shinn: Scott and I founded Plesk in 1999 which invented a lot of the technologies that cloud providers rely on today. So we have an intimate knowledge of the technologies that make cloud possible. After we sold that company, we put a lot of thought into what we were going to do next. The idea for this company came from what we learned building those products and serving those customers. The Atomicorp product was built from experience and designed specifically for cloud providers.

You just announced a $1 million seed round. What do you plan to do with the proceeds?

Shinn: Customer acquisition and product enhancements. Priority one through five is introducing more customers to Atomicorp. We have a proven product and a lot of customers, but we are looking to introduce Atomicorp to more.

What are some of the milestones you have passed since graduating from Mach37?

Shinn:

  • We have now earned more than we have spent
  • We crossed the 1,000 customer mark.
  • We have made some key executive hires such as VP of Sales.

 

You already had a product and customers when you entered the Mach37 program. What made Mach37 a good choice for you even though you already had some business momentum and customer traction?

michael-shinn-seatedShinn: The robustness of the educational program was tremendous. That education would cost a lot of money. It is unlikely that a startup could afford it. The Mach37 program is like a compressed MBA and it is tailored to you needs. It is not abstract learning. It is deliverable based. You need to develop your messaging. You have to put together a budget, recruit people and build a real business. Doing that while you are in the program is priceless. I’m not sure there is an MBA on earth that does that.

Secondarily, I would point out the relationships. Mach37 has done a wonderful job introducing us to good hires, advisors, investors, and service providers. It’s a very good network. Finally, it’s a very supportive environment. Building a business is hard work. They are good coaches.

Learn more about Atomicorp here.

Related Posts

Virgil Security Raises a $4 Million Series A

virgil-co-founders-with-rick-gordon

Virgil Security Co-founders Michael Wellman (left) and Dmitri Dain (right) Ring the Mach37 Bell to Celebrate Reaching Escape Velocity; Rick Gordon Joins In the Celebration

 

On October 7th, Virgil Security closed a $4 million Series A investment, led by KEC Ventures. KEC is a venture firm founded by Jeff Citron, who also founded Island ECN, Datek Online and Vonage.  For those of you who are close to Mach37, you know I have been promising for many months that we have several companies ready for Series A investment. Virgil was one of them.

As I thought about using this blog to crow about our investment strategy (we actually hunted for a company that offers easy-to-implement encryption infrastructure) or in some way hype-up just how smart we are at Mach37, a conversation I had last week caused me to think better of it. Virgil’s CEO Michael Wellman offered the key insight. As I was verbally high-fiving Michael, he took a characteristically humble look at the company’s journey so far and remarked:

“You know Rick, it used to be that if you worked hard, had talent, OR got lucky, you could make it to the NFL (National Football League).  These days, to make it you need to work hard, have talent AND get lucky to even have a chance.”

And, so it is with technology start-ups.  The hidden truth is that entrepreneurs can have talent, make every right decision, and work their butts off, but if serendipity does not smile the company will fail.

In the case of Virgil, I can point to a handful of inflection points that relied heavily on just being in the right place at the right time.  I can say the same for Invincea and Lookingglass, two companies I was intimately involved with during their early struggles that have since achieved similar inflection points.  However, the truth is that all of these companies still have additional milestones to achieve before any of us can declare victory.

So, instead of trying to convince you that the Mach37 team is smarter than we really are, I’ll just say that we feel really fortunate to have had the opportunity to invest early in Virgil. It is a company that has the world class talent and drive required to be successful AND was able to create the necessary luck along the way to close its Series A.

Related Posts

 

Mach37 Spring Class 2016 Interview: Hilltop Security

 

2016-06-14 - M37 Demo Day - 08 - HTSI - DSC_3364

Tom Gilmore, Hill Top Security CEO

 

What opportunity did you recognize that led to the founding of Hill Top Security?


HTSITom Gilmore:
 We saw that most organizations were faced with a shortage of skilled security personnel and that any strategy built around creating more security analysts was not going to be effective. In addition, security personnel are overwhelmed with security alerts and spend too much time processing false-positive alerts. We also believed that the time to detect a breach which is on average 206 days is a direct result of these problems and that time could be dramatically decreased with automation and better tools.

What specific value does addressing that problem provide for your customers?

Gilmore: We provide customers with a security incident response platform that ingests data and performs complex event processing to save analysts time allowing them to move to detection and response activities faster.

Why aren’t current solutions addressing this problem effectively?

Gilmore: Most solutions on the market today are focused on prevention, or detection, or response. Our product is designed to do all three and also provides analysts with the ability to work in a single environment instead of having to login and operate every security tool independently.

What makes your approach different and better from existing approaches?

Gilmore: Solutions on the market now are very narrowly focused and fragmented creating more work and reducing efficiency. Our product is designed to enhance and improve the utility of our customer’s current resources. By interconnecting all the devices and systems that make up the security architecture, we are able to increase the value of the data being generated by enriching the data with such things as business impact analysis, business rules, and risk assessments.

What about your team’s background puts you in a unique position to succeed?

Gilmore: We have a team that has experience in national and military intelligence, cyber security, and industrial engineering. I personally have one start-up under my belt that made the Inc. 500 and exited. Neil Wright spent 7 years designing UPS’s global package handling system and Steve Baker has over 30 years of national security and intelligence experience working in such places as the White House National Security Council.

What one aspect of the Mach37 programs did you personally find most beneficial?

Gilmore: Learning the intricacies of being a successful product company. Having come from a government services background, making that transition can be very difficult and Mach37 helps you define what that will look like and develop a plan to get there.

Learn more about Hill Top Security here.

Mach37 Spring Class 2016 Interview: NormShield

 

2016-06-14 - M37 Demo Day - 05 - Norm Shield - DSC_3389

Mohamoud Jibrell, NormShield CEO

 

What opportunity did you recognize that led to the founding of NormShield?

ns-logo-transMohamoud Jibrell: Through our many years of experience in the cyber security industry we recognized that organizations rely on mostly manual methods to validate their security posture and they do not have visibility to existing vulnerabilities that hackers can exploit. We also recognized that most security tools are not designed for the mid-market. They assumed a greater sophistication of user and more manpower than is typically available to mid-market CIOs. So, we founded NormShield to fill those gaps: automate cyber security processes, provide visibility and services that are currently not available and align the solution with the needs of the mid-market.

What specific value does addressing that problem provide for your customers?

Jibrell: Visibility. That, in one word, is the specific value that we provide more of than any our competitors. NormShield provides better visibility to existing vulnerabilities and significantly reduces the risk of hacker exploitation. We do this by continuously gathering cyber threat data from multiple sources and by monitoring our customers’ assets. We then analyze and present the data and actionable information to our customers using our cloud platform. That visibility helps companies take action to reduce risk.

Why aren’t current solutions addressing this problem effectively?

Jibrell: Current products are designed for large enterprises and are narrowly focused. Mid-market businesses don’t have the financial or human resources to run dozens or even a handful of information security products to protect their assets. Current solutions assume large enterprise users with large staffs that can specialize in specific infosec tools. NormShield’s single, integrated solution provides the necessary security coverage while minimizing the human labor and skill requirements. I was a mid-market CIO and I understand the security needs, but also recognize the constraints. We built a tool to fit that user profile.

What makes your approach different and better from existing approaches?

Jibrell: We provide a unified single solution that addresses multiple needs. Competitors offer multiple products to address the same set of problems. But using multiple products is a lot more difficult to administer and it also brings a lot of management overhead. We commonly see security teams, IT teams and risk teams work independently with different agendas and metrics. Acquisition of multiple products is also more expensive and it is not something that most mid-market companies can afford. All of these factors combined lead to inefficient and ineffective processes that slow down the threat response and vulnerability management and expose companies to preventable cyber attacks.

What about your team’s background puts you in a unique position to succeed?

Jibrell: We have a diverse team with deep expertise in ethical hacking, enterprise software development and IT management. I myself have 16 years of CIO experience under my belt. Our combined experience in the industry gives us the network and knowledge we need to succeed.

What one aspect of the Mach37 programs did you personally find most beneficial?

Jibrell: The support we got with sales, marketing and product strategy was extremely beneficial. We were also introduced to many different potential customers through Mach37, which allowed us to expand our network and get a jumpstart on reaching our goals.

Learn more about Normshield here.

Mach37 Spring Class 2016 Interview: Unblinkr

 

Demo

Mancy Sanghavi, Unblinkr Founder

 

UnblinkrLogoTransparent

 

What opportunity did you recognize that led to the founding of Unblinkr?

Mancy Sanghavi: 250 million cars will join the Internet of Things by 2020. Cars are running millions of lines of code and are just as susceptible to hacking as any computer network. Advanced driver assistance and connectivity features increase threat vectors on the connected vehicle. We identified an opportunity to make cars secure.

What specific value does addressing that opportunity/problem provide for your customers?

Sanghavi: Automotive Industry insiders acknowledge connected cars need to be secure from outside hackers. Through the publicity car hacking has received recently, consumers want to know their vehicles are safe. There are plenty of discussions on how to secure the connected car. Our product provides an answer to that question. By using our solution, car manufacturers can stay competitive and offer more advanced connectivity features for consumers.

Why aren’t current solutions addressing this opportunity/problem effectively?

Sanghavi: Cars today are infinitely more complex than the Model T designed by Henry Ford in 1908. Automotive companies have never had to think like technology companies in the past, and they are having to play catch up. Their design times have to be more responsive. We don’t have to play catch up because our team has been dedicated to this problem for over 5 years.

What makes your approach different and better from existing approaches?

Sanghavi: The connected vehicle space is new and there is no clear leader in aftermarket automotive cybersecurity. Cybersecurity is crucial in order for the market to adopt driverless cars. There are a few startups offering point solutions whereas we are taking a holistic approach. We believe in intelligent data by bringing context to increase awareness of the situation, thereby enabling us to make better decisions.

What about your (team’s) background puts you in a unique position to succeed?

Sanghavi: Our team has done research on the security and privacy concerns of these types of advanced technologies. We have bid on and received research grants to examine connectivity and have spent time in labs researching internal car networks. We conduct black box testing and pen testing on cars.

What one aspect of the Mach37 programs did you personally find most beneficial?

Sanghavi: The Mach37 program is incredibly beneficial and I highly recommend it. The 14-week program gives startups a unique chance to interact with experts and learn how to run a business from start to exit. Startups hone their message and learn the building blocks to take a litmus test of whether their idea can succeed in the marketplace. Mach37 helps you build your boat before they launch you into the waters.

Are there any adjacent industries transformed by your solution?

Sanghavi: Imagine summoning a driverless car via smartphone, revolutionizing taxi and parking industries. Targeted in-car advertising creates revenue opportunities for telecom and marketing industries. Insurance is getting ready for the day of driverless cars and when people aren’t paying car insurance anymore. Our solution helps track history and prove whether a car has been hacked. This is valuable information for insurers.  However, these disruptions come with challenges. The FBI is concerned that driverless cars are a terrorist target. Centralization means more vulnerability and creates user privacy concerns.

What are the key market/economic forces in your industry?

Sanghavi: Over 35,000 people in the US die in road crashes each year. Driverless technology is the hope that the number will become zero. But we are replacing human error with a machine. If that machine becomes hacked, that is dangerous for the families riding in the car. One day anti-hacking software installed on a car will be mandatory, the way seatbelts and airbags are mandatory safety elements today.

An industry driver is that revenues from connectivity are expected to increase sixfold from approximately $30 billion in 2014 to approximately $170 billion in 2020. Possible legislative mandates like SPY Car Act may fuel demand for Unblinkr product. An Executive Order mandates all government vehicles to address threat vectors by 2017. The EU eCall law will drive demand for the product overseas.

Learn more about Unblinkr here.

Mach37 Spring ’16 Class Interview: PCPursuit

2016-04-20 - DC CSCS Mt Up - 06 - DSC_0282

Robert Walker

CEO and founder

PCPursuit

 

What opportunity did you recognize that led to the founding of PCPursuit?

Robert Walker: There are a couple of things going on in information security that are really important. Too many information security products only tell you there is a problem after your data has already been stolen. I have seen a few things in my career that are technologies that can prevent problems from happening in the first place, but they are not easy to use and are typically expensive. We recognized that we could make physical systems and digital systems more secure if they could just talk to each other. It’s really never been done before and that’s what we are changing by providing a proactive security solution that is inexpensive and easy to deploy.

 

What makes your approach different and better from existing approaches?

Walker: Simplicity. You don’t have to roll this out to every asset in your enterprise. You can deploy one tiny piece of software on your Active Directory domain controller and it can protect your entire enterprise. This uses the exact same framework that Microsoft uses themselves. Most solutions don’t do it this way because it’s extremely hard to do.

One specific thing our technology doesn’t do is require you to deploy agents to each PC in your enterprise. We have a server that sits between your physical control systems and your Windows Active Directory domain controllers. That PCPursuit software asks if a user badges in and if so, when and where. We report that back and based on what the enterprise administrator wants, we can log it, we can send an email to their manager or restrict access.

 

 

What specific value does addressing that opportunity/problem provide for your customers?

Walker: PCPursuit enables enterprises to get considerably better security out of the assets they already own. We make the stuff they have better and we do it very inexpensively. It’s a massive improvement for a very low cost.

 

Why aren’t current solutions addressing this problem effectively?

Walker: Because they are not thinking outside their own boxes. Physical security solutions only think about the physical side. Digital security only considers their own boxes. We took it up a level to look at both pieces.  However, there is another dimension to consider. The technology is really hard to build. The concept is simple, but the execution isn’t easy.

 

What about your (team’s) background puts you in a unique position to succeed?

Walker: Both my co-founder and I worked at Microsoft. I was there as a full-time employee for 13 years. My co-founder has worked at Microsoft for many years as a consultant. So we both have very deep exposure to Microsoft technology and we know how to implement it in a way that very few people understand. It’s not that no one else can do this. It’s that few people understand as well as we do how Windows was designed.

 

What makes this an exciting opportunity for you?

Walker: The thing that I think is most exciting about what we are doing is that we are one of those really rare solutions that can help make your enterprise tremendously more secure than it presently is and at a very low cost. By putting these two pieces of technology together, PCPursuit delivers two key benefits that address two intractable problems:

  • It discourages employees from tailgating into buildings. If you can’t get any work done because your login won’t authenticate, you won’t tailgate to get in. If we change the psychology in an office to “always badge in” instead of “avoid it,” it changes behavior. Then not badging in becomes the anomaly.
  • We also make physical presence another factor for authentication. Passwords aren’t secure. Even if you have to change them every several weeks. People forget them. They write them down so they don’t forget them making them easier to steal. With PCPursuit, if you didn’t badge in, you can’t get access. If your password got phished, that hacker in Russia won’t be physically in your building and can’t get access from inside your enterprise network. If someone found your password, they can’t use it. And we can do it for one-tenth of the cost of other tools in the market. You don’t have to buy tokens or other tools, just install our software on a single server and connect it to Active Directory and your enterprise is immediately more secure.

PCPursuit represents the first example of a simple approach to pairing physical security with digital security. It will have the biggest impact on securing the enterprise since automatic Windows updates. This is the kind of stuff that actually works. Stuff that’s really simple. You just make a little tweak and people don’t have to change the way they work, but it still makes a big difference. It turns out that the technology is hard, but the implementation is simple and effective.

 

What one aspect of the Mach37 programs did you personally find most beneficial?

Mach37 is really well-connected and is the only accelerator focused solely on information security. Their specialization in information security means everything they do is geared to this field and that is very valuable. In addition, they understand selling to the enterprise. There is a big emphasis in the program on selling and that is not a natural skill for engineers which is the background of most of the founders.

 

Cyber Insurance

When most people think of cybersecurity, they think of IT departments protecting corporate networks, or individuals at home on their personal computers. But cybersecurity is differentiating rapidly as more people realize its actual goal is to improve the reliability of some other business process or product, and not an end in itself. Since these business processes vary widely from one industry to another it makes sense to talk about the unique issues and approaches faced by individual market verticals. One such vertical: Cyber Insurance.AOL Fishbowl

The October 1 edition of the excellent Security Leaders dinner series conducted by @mach37cyber, cohosted by Mach37, AOL, and Marsh & Mclennan at the AOL Fishbowl, was a highly interactive, highly informative panel discussion with insurance industry and related legal professionals on the topic of Cyber Insurance. Cyber Insurance is designed to cover some of the costs in the aftermath of a cybersecurity incident, including items such as forensics to determine what happened and the extent of the damage, public relations to communicate with customers and other stakeholders, costs such as credit monitoring involved in the remediation, and legal costs for defending lawsuits that arise as a result of a breach or loss of data. These costs for businesses that experience a cyber incident continue to increase rapidly.

It is clear that cyber insurance is still a very nascent but rapidly growing industry that faces some difficult challenges. Unlike more familiar life insurance, car insurance or hazard insurance, there is no long claims history to determine actuarial risk. There is no agreed set of standards or guidelines, analogous to “stop smoking”, that are guaranteed to reduce risk for most customers. Every insurance need is essentially custom to the situation (the panelists all agreed businesses should pay attention to coverages and exclusions such as “acts of war”), with businesses handling health information or PII facing very different imperatives than those handling primarily credit card or other financial transactions. And the way that business is conducted, with online brokers promising several competitive quotes within a few hours, means that the due diligence to determine a business cyber posture or even whether they are already breached when the policy is written, is not practical. The remedy for the latter is an increasing reliance on third-party audits or certifications regarding the business practices of businesses seeking insurance.

Cyber Ins panelInsurance claims start when an insured business has knowledge that something has happened, so for data breaches this means the company must be at least sophisticated enough to know that something is wrong. But as one panelist indicated, the most commonly reported incident is “hack” (not a very sophisticated description) counting for about 1/3, while lost laptops and even lost paper still account for significant portions of claims. The insurance company can help bring in forensics and other experts to determine the extent of losses and help stop further losses, and then supports later steps in the remediation and recovery process.

In discussions after the panel, a couple interesting questions came up. First, is cyber insurance more like car insurance (where different skill levels are reflected in different accident rates, allowing lower premiums for good drivers) or more like life insurance (where every insured person experiences exactly one death and premiums are essentially financing the cost of activities around dying, requiring higher premiums for those with a shorter expected time period to do the financing)? Ideally this would look more like car insurance, with a set of specific steps to reduce chances of an accident, but most people seemed to believe it is currently more like life insurance, financing for that first event after which businesses take more extensive steps on their own to prevent a recurrence.

A second interesting question was whether people in the crowd would want to be in this insurance business (an admittedly skewed sample, since the audience was mostly techies). The large majority of people I spoke with said “no”, since it seems almost the luck of the draw which companies will survive in the market; if your business base doesn’t experience many costly claims then you’re probably ok, but the market dynamics make that extremely difficult to determine.

The third interesting post-panel question revolved around the asymmetry in risk and damage in this ecosystem as a whole. The best example here is the loss of PII from a business with cyber insurance. While a business with poor cybersecurity practices certainly incurs costs related to a breach, the harm also falls extensively on the individuals whose PII has been compromised. But the harm to the business is mitigated by the insurance, while the harm to individuals is less well covered (hence, lawsuits). Credit monitoring is sort of like jail time…once you reach three or four life sentences, adding additional coverage doesn’t really help very much. One could hope the cyber insurance industry is taking steps to help mitigate risks for businesses seeking good practices, while not protecting businesses who seek only to profit at individual expense.

Finally, there are a variety of interesting conclusions for early stage companies looking to sell cybersecurity products to businesses in the age of cyber insurance. For entrepreneurs involved with forensics or risk management, it may be that the insurers are your primary market rather than companies directly. In the era of risk management, businesses are no longer seeking to drive their risk to zero. Instead this becomes a cost tradeoff; at what point does additional technology cost more than the insurance to protect the same level of risk. For a cybersecurity vendor not only are you competing with other equivalent vendors for a share of the fixed security pie, now you are competing with a range of alternatives some of which are not even technology-based.

Cybersecurity insurance will continue to grow as a dynamic force in this market. It is unclear exactly how those dynamics will evolve however, so prudent companies should continue to watch this industry vertical carefully.