Atomicorp – Mach37 Alumnae Interview with Michael Shinn

atomicorp-michael-shinn-army

Michael Shinn, Atomicorp CEO

What opportunity did you recognize that led to the founding of Atomicorp?

Michael Shinn: The security industry was being challenged by the widespread migration to the cloud and cloud-based technologies. To me, it seemed like a classic second mover opportunity caused by a fairly disruptive change to the market. A lot of the existing cybersecurity solutions either couldn’t be used in these cloud environments — appliances for example — or they didn’t provide the right value to the customer. The products weren’t designed for that world. They were being bolted on and the customers weren’t happy. We saw this as an opportunity to apply some unique technology and solve the cybersecurity problems in a cloud-friendly way.

What specific value does addressing that problem provide for your customers?

securitylarge-282x300Shinn: The value that customers have shared with us is a dramatic reduction in operating cost. We have been told 80% and the number has been shared with us repeatedly. That 80% is based on the fact that there are fewer security incidents they must address after installing Atomicorp. That seems like the obvious place to look for benefits for a security solution. The non-obvious benefit is the reduced dev ops costs because they don’t have to patch their systems so frequently. That has enabled dev ops to do their work without having to go through a lot of security gates.

Why aren’t current solutions addressing this problem effectively?

Shinn: For the traditional players what seems to be happening is this move to the cloud doesn’t work with their current business models. That is a substantial problem. When I talk with my peers at these companies, they are frustrated that their attempts to build cloud-based solutions have not gone well within their organizations in terms of culture, sales model, accounting and product. Cloud platforms are extremely heterogeneous. Solutions are sold by the hour. It’s not a traditional IT environment where you control the network and all of the components. The attack surface is completely different and more dynamic in a cloud environment than an on-prem environment. The problems are different. The solutions need to be different.

atomicorp-logoIt’s a more challenging environment for traditional cybersecurity companies to build products and more challenging to operate their business because they need to reinvent how they operate. Something as simple as how do you account for revenue in this new model when you are accustomed to selling enterprise licenses is an issue.

For the customers, the problem is exasperated by the fact that a lot of the security products are built for security experts which doesn’t help their dev ops teams. That is not what they are looking for. They need products that are easy for non-experts to use.

What makes your approach different and better from existing approaches?

Shinn: Atomicorp products are built for cloud environments from the ground up and they are designed to be easy to use.

What about your team’s background puts you in a unique position to succeed?

Shinn: Scott and I founded Plesk in 1999 which invented a lot of the technologies that cloud providers rely on today. So we have an intimate knowledge of the technologies that make cloud possible. After we sold that company, we put a lot of thought into what we were going to do next. The idea for this company came from what we learned building those products and serving those customers. The Atomicorp product was built from experience and designed specifically for cloud providers.

You just announced a $1 million seed round. What do you plan to do with the proceeds?

Shinn: Customer acquisition and product enhancements. Priority one through five is introducing more customers to Atomicorp. We have a proven product and a lot of customers, but we are looking to introduce Atomicorp to more.

What are some of the milestones you have passed since graduating from Mach37?

Shinn:

  • We have now earned more than we have spent
  • We crossed the 1,000 customer mark.
  • We have made some key executive hires such as VP of Sales.

 

You already had a product and customers when you entered the Mach37 program. What made Mach37 a good choice for you even though you already had some business momentum and customer traction?

michael-shinn-seatedShinn: The robustness of the educational program was tremendous. That education would cost a lot of money. It is unlikely that a startup could afford it. The Mach37 program is like a compressed MBA and it is tailored to you needs. It is not abstract learning. It is deliverable based. You need to develop your messaging. You have to put together a budget, recruit people and build a real business. Doing that while you are in the program is priceless. I’m not sure there is an MBA on earth that does that.

Secondarily, I would point out the relationships. Mach37 has done a wonderful job introducing us to good hires, advisors, investors, and service providers. It’s a very good network. Finally, it’s a very supportive environment. Building a business is hard work. They are good coaches.

Learn more about Atomicorp here.

Related Posts

Virgil Security Raises a $4 Million Series A

virgil-co-founders-with-rick-gordon

Virgil Security Co-founders Michael Wellman (left) and Dmitri Dain (right) Ring the Mach37 Bell to Celebrate Reaching Escape Velocity; Rick Gordon Joins In the Celebration

 

On October 7th, Virgil Security closed a $4 million Series A investment, led by KEC Ventures. KEC is a venture firm founded by Jeff Citron, who also founded Island ECN, Datek Online and Vonage.  For those of you who are close to Mach37, you know I have been promising for many months that we have several companies ready for Series A investment. Virgil was one of them.

As I thought about using this blog to crow about our investment strategy (we actually hunted for a company that offers easy-to-implement encryption infrastructure) or in some way hype-up just how smart we are at Mach37, a conversation I had last week caused me to think better of it. Virgil’s CEO Michael Wellman offered the key insight. As I was verbally high-fiving Michael, he took a characteristically humble look at the company’s journey so far and remarked:

“You know Rick, it used to be that if you worked hard, had talent, OR got lucky, you could make it to the NFL (National Football League).  These days, to make it you need to work hard, have talent AND get lucky to even have a chance.”

And, so it is with technology start-ups.  The hidden truth is that entrepreneurs can have talent, make every right decision, and work their butts off, but if serendipity does not smile the company will fail.

In the case of Virgil, I can point to a handful of inflection points that relied heavily on just being in the right place at the right time.  I can say the same for Invincea and Lookingglass, two companies I was intimately involved with during their early struggles that have since achieved similar inflection points.  However, the truth is that all of these companies still have additional milestones to achieve before any of us can declare victory.

So, instead of trying to convince you that the Mach37 team is smarter than we really are, I’ll just say that we feel really fortunate to have had the opportunity to invest early in Virgil. It is a company that has the world class talent and drive required to be successful AND was able to create the necessary luck along the way to close its Series A.

Related Posts

 

Security Spaces Worth Watching

People sometimes ask about the process by which we select companies for participation in our accelerator program. One of the challenges with investing in the information security market (or any early-stage technology space) is that of identifying companies with a product that is both different and useful.

While “different” is an important criterion, it is necessary but not sufficient for a product to be successful in the market. For a product to be “useful,” it must address a real-world problem in an accessible way.

Thinking about what might be useful naturally leads us to ponder where the real, unsolved problems lie. In this article I’ll describe some areas in which I see opportunities for people who want to solve important security problems in a new and different way. This list is by no means exhaustive, but it includes approaches where we see underserved markets, new ways to deal with old problems, or significant chances to make a dent in the continuing onslaught of security threats that people experience every day.

Encapsulated Expertise

This isn’t a technology approach so much as a useful measure of whether a company’s product is likely to matter in the market. As I described in a previous article, if one looks at the history of the information security market, many of the most significant developments have been products that somehow embodied the experience of skilled people who may be expensive, difficult to find or hire, or simply rare enough that it is impossible to find enough of them to fully staff a security function. It is probably fair to say that the same value applies in the network operations markets as well. As we saw with the network intrusion detection system (IDS) market, a product that can identify important events and route them to the most appropriate people may allow an enterprise to make more efficient use of the people who are already there.

The hard part of building good products that embody or automate expertise is that there are natural pressures that tend to make the product complicated for the user. The most successful products not only solve complex security problems with automation, but also provide improvements in product usability and organization workflow.

A definition of a “home run” might be a security product that also simultaneously improves the user experience or user interface of something that people do every day. Those are rare, but when it happens, the opportunity is worthy of note. By some measures, Single Sign-On technology might be one example of improving the end-user experience while also enhancing security. It’s not always easy to deploy, but if done well, many people save time and administrators have a better handle on identity management.

The Internet of Things

A problem in the security business (and perhaps any technology sector) is that people toss terms about without actually agreeing upon what they mean. Perhaps the best example of this is “The Internet of Things.”  Because anything can be a “thing” it’s difficult to even know where this category begins and ends.

If you have been wondering which things are capital-T “Things,” here is a list of some examples that might fit the description:

  • Network-connected home appliances like the Nest Thermostat
  • Network-connected sensor devices such as electric power meters
  • “Smart cars” and “smart highways”
  • Industrial control systems
  • Remotely piloted vehicles
  • Any device that can be attached to a wired or wireless network that isn’t a computer or workstation at which you can sit.

This category creates security challenges because:

1) These things can provide a point of entry for attackers to the rest of your network

2) Some of these things have the ability to affect the physical world in real ways

3) These things may be transmitting information about you or your environment with significant implications for your privacy.

Sometimes, existing tools may be helpful for improving the security of connected devices, but there are constraints that may not be present with a regular computer. Connected devices may have minimal processing power, limited communications bandwidth, and in some cases, very limited power budgets due to battery size limitations. This necessitates new ways of approaching security management and monitoring.

Software Defined Networks

Another area that is showing up more and more in the enterprise IT conversation is software defined networking or “SDN.” This is another space that means different things to different people (and vendors), but the general idea is that the flexibility of networking equipment hasn’t improved as quickly as the flexibility of computing systems has. For example, the use of virtualization has made it very easy to move an entire server’s configuration and data from one computer to another very quickly and much more easily than the traditional process of installing everything on a new machine, verifying that the new system does the same thing as the old one, and then moving the data.

Similarly, software defined networking offers the promise of simpler and more flexible network routers and/or switches where even low-level configuration changes to hardware behavior can be stored in profiles and pushed out from a central management point. This technology potentially even allows for radical reconfiguration of the network “fabric” while systems are in operation without significantly impacting throughput on the network.

Obviously, this flexibility is powerful for enterprise network managers in terms of enabling new ways of adapting to enterprise needs very rapidly. This flexibility may come at a security cost, however. The standards and technology approaches in this area are still somewhat young, and some of the emerging standards don’t address security in much depth yet.

Some things to consider about SDN include:

1) The implications of centrally storing the configuration of your entire network on a system that can transmit changes that take effect rapidly;

2) How to prevent unauthorized access to the management/change function on individual routers or switches

3) Emergent network effects after making a change – do side effects “ripple” through the network afterward? How long do they take to dissipate?

Zero-Trust Security Models

Recently, a number of organizations have been advancing an approach to security that is a departure from traditions and practices that current information security practitioners hold dear.

The “zero trust” or “untrusted everything” approach is driven by the need to acknowledge that threats and attacks have changed more quickly than our defenses have. Current environments often have pre-defined trust relationships between various  computer systems. The problem is that an attacker can compromise one system and use it as a springboard or stepping stone to other systems that are configured to trust the first.

These approaches often explicitly reject the idea that there is an “inside network” of trusted resources and an “outside network” full of bad actors waiting to attack things.

In the past, enterprises would often deploy some perimeter security technology at the border between the “inside” and the “outside”, while frequently neglecting security improvements to systems on the “inside.” Security people have long referred to the resulting condition as having a “hard shell with a soft, chewy center.”

Today, not only is there ambiguity about exactly where “inside” ends and “outside” begins but also an increasing mix of mobile devices that may connect to internal networks while also sometimes traveling to hostile or insecure networks. Using your mobile handset in a favourite coffee shop and then in the office might be an example of that scenario. Sometimes these devices may even be personally owned, which may make it difficult to choose a satisfactory protection regime that allows users to get their work done on tools with which they’re the most comfortable.

In order to even begin to address this ambiguous environment, it is necessary to make some decisions. One decision that can guide the beginning of a workable strategy is to declare that bring-your-own-device environments, and networks running personal applications should be considered untrusted.

Some organizations choose to turn a blind eye to the prevalence of personally owned devices and personal applications while tacitly acknowledging that there is a productivity benefit to allowing their use. Reality requires that an organization develop a strategy to mitigate risk sufficiently in a world that isn’t black-and-white.

 

You Don’t Scale

The more that information security incidents are in the news, the more often we hear that there aren’t enough people to do all of the work necessary to batten down the hatches against everyone who’d like to compromise our systems and networks. The U.S. Government has been particularly vocal in discussing a shortage of security talent, but it’s not uncommon to hear this refrain in business circles as well.

If these folks are as difficult to find, hire, and retain as we’re told, then we only have a few choices:

  • Train them internally;
  • Automate as many security processes as possible;
  • Do things to make the people you have more effective

Most people choose door #2 as a way to get what’s behind door #3.

There is a common criticism of information security practitioners: that we depend too much on technology, even when the core problems may not be technical ones. Those critics have a point: effective security isn’t something one can buy in a box and then proclaim victory afterward. However, in the face of limited talent, deploying a new technology may be the most straightforward way to attempt to address some risks.The reason is simple: many of the best security products tend to embody some very specific, reproducible, automation-friendly aspect of security expertise and perform it tirelessly, over and over.  You may have the best internal security people in the world, or the best  world-renowned consultants, but the bottom line is that humans don’t scale particularly well.

This is true whether you’re the security manager with the responsibility to keep your network safe 24 hours a day, or the consultant who parachutes in to save the day when things look bleak. The former can only hire so many staff members, and the latter can only be billed for a finite number of hours in a day/week/year.

If experts are in short supply, then one of the most scalable options is to encapsulate the expertise of rare, highly paid people and build it into a mechanism that can attempt to apply that expertise to real environments, be they network traffic flows, host configurations, or software updates.

There has yet to exist a security product that solved all of the world’s (or even one enterprise’s) problems, but if we look at some things that made a difference in the state of the art when they arrived, they tend to fall into a few categories:

  • They allow less-senior people to do some work that used to be the province of a few
  • They help people to make better sense of information they (usually) already had somewhere
  • They help less-technical users to avoid inadvertently hurting themselves
  • They fundamentally changed some aspect of how we work or build systems to make them inherently more secure*

*This is where the most value is created, but it’s also the most difficult.

If you’ve gone to the trouble of building something to solve a problem for yourself, and believe that other people have the same problem, that’s called a market opportunity.

What Type of Entrepreneur Are You?

480786_Horse-Trader copy

MACH37 typically invests in companies at their inception.  With a lack of meaningful company history, our decisions are always based heavily on our assessment of the entrepreneurs behind ideas that we like.  Consequently, we are often asked what we look for in MACH37 entrepreneurs.

While they come in all shapes and sizes, it has been my experience that there are principally two types of entrepreneurs:  “horse traders” and “horse breeders”.

Horse traders are driven to create wealth for themselves by exploiting market inefficiencies.   Their businesses are transaction oriented and rely on simple buy low and sell high principles.  In technology, they often find success in understanding an application of an existing capability, negotiating attractive rights to that technology, then rapidly commercializing (or flipping) it.  Horse traders are not typically technical and often lack a vision beyond the first implementation of their technologies.

“Horse breeders” are wholly different.  They innovate to develop new breeds of capability – disrupting the status quo with better alternatives.  Their innovations often eliminate market inefficiencies rather than exploit them.  During this process, they create wealth for themselves and others by ultimately making the economic pie bigger.  Horse breeders are often technophiles, but they also include musicians, artists, athletes, and anyone is who is driven by a passion for creating something that can make a significant positive impact.

MACH37 looks for horse breeders.  Not only because they are far more fun to work with, but also because horse breeders create value where it never existed before – an underpinning of disruptive innovation.  MACH37’s sole focus is to empower this type of entrepreneurship with the knowledge, exposure, access and validation (by the security buyer and venture communities) necessary to successfully take disruptive cyber security innovations to market.

If you think you are a horse breeder, send us an email or submit an application for the next cohort session.


Creating a Market-Focused and Product-Oriented Company is Not a Part-Time Job

While there are many factors impeding the successful insertion of disruptive cybersecurity concepts into the current market, I want to explore the underestimation of the focus required to build an enterprise that is market-driven and product-oriented.

The business ecosystem inside the DMV’s Cyber Beltway is heavily prejudiced toward the development of bespoke solutions targeted toward single customers.  This ecosystem is dominated by large systems integrators and government contractors who employ low-risk business models based on time and materials billing and very limited internally-funded research and development investment. There is nothing wrong with this business model, as evidenced by the hundreds of wealthy government contracting business owners that our region has created throughout the past decade.  However, this model thrives on labor-intensive integration and operational support and, by its very nature, is antithetical to disruptive innovation.

When budding cybersecurity entrepreneurs who have grown up in this ecosystem decide to start their own businesses, the siren’s song of SBIR grants, federally-funded research projects and government consulting contracts becomes extremely alluring.  In contrast to the twenty-something social networking and iPhone app entrepreneurs populating other techno-regions, entrepreneurs in the Cyber Beltway typically have families, mortgages and car payments.   The majority of them are lured toward services models out of financial necessity.

Yet they continue to dream about making a disruptive impact.

Last week alone, I met with five different entrepreneurs, all aspiring to take to market innovative cybersecurity product ideas.  Several of them outlined plans to invest cash flow generated from their consulting operations to build a product and deliver it to market.  In most cases, the product team consists of one or two developers working on a product concept part-time.  Consistently, these entrepreneurs believe they can bootstrap their way to a generally available product release within 12 months, avoid the dilution of a sizeable venture round and retire on the sale of their product business at a 10x multiple of projected revenues.

Here’s my advice:  Pick one or the other.  You can’t do both effectively.

Building a product business will take 100% of your focus.  Validating the concept, building the team, and raising the capital necessary to build an organization to support your market entry will take more than all of your time.  Getting your concept to market will require significant outside investment made over a number of years. Even if bootstrapping initial development enables you to reach the market first, without the capital to seize market share and create competitive barriers to entry, better capitalized competitors are going to own the market you have created.

Yes, it takes guts to make the leap, especially if your services business is already showing promise.  But if you want to make a disruptive impact, 100% commitment to the endeavor is simply table stakes.  You won’t be able to find the necessary financial backing otherwise.

At MACH37™, we are working hard to make taking this leap easier for our entrepreneurs. We have built a 90-day program to enable our entrepreneurs to fully validate and hone their concepts by working with our network of cybersecurity customers, serial entrepreneurs and industry experts.  We provide them with capital, allowing them to focus over a tailored 90-day program and build the effective business case that will support additional seed investment from us and third-party investors. We teach them how to be market-focused and how to build products that address what their customers need, instead of what the entrepreneur wants them to have.

The Cyber Beltway’s Innovation Dislocation

Last week, I had the opportunity to participate in the AGC Partners “Disruption: Innovation at the Edge of Cybersecurity” event in Las Vegas.  My panel explored how cybersecurity entrepreneurs become inspired to innovate and what dislocations are preventing them from disrupting the cybersecurity marketspace.  As I thought about what ingredients are required to insert disruptive concepts into the current market, it occurred to me that within the Northern Virginia, Fort Meade and DC Metropolitan “Cyber Beltway,” the problem is something beyond a lack of creative inspiration.

On the contrary, at MACH37 I see at least three new product ideas a week coming from young entrepreneurs, members of the intelligence community, small cybersecurity services companies, university researchers and FFRDCs located within the Cyber Beltway.  To be sure, cybersecurity companies operating in the Cyber Beltway enjoy privileged insights into the cyber threat landscape.    These companies often support the offensive side of cyber operations, have an intelligence analysis DNA, have been doing big data since before it was called big data and enjoy unique access to the intellectual property derived from thousands of classified and unclassified incident response and remediation activities.  Individuals working within these companies know better than most how the cyber threat operates and how to rapidly collect and analyze artifacts to discover a cybersecurity breach within an enterprise network.

However, in spite of this treasure trove of intellectual property, we aren’t seeing the conveyor belt of disruptive cybersecurity products entering the market from this region that we should expect.  Why is that?

While our region’s cybersecurity technologists are filled with creative ideas, the ecosystem forces downstream from their creative genius are undermining their ability to disrupt the market.  In general, their innovations:

·      Are driven out of academic curiosity rather than emerging market need

·      Lack the entrepreneurial sponsorship required to build a viable business case for the innovative concept

·      Lack the financial backing necessary to deliver, support and take to market an enterprise-worthy solution

Over the next several blog posts, I intend to explore the dislocations in our local ecosystem.  My hypothesis is that none of these are terminal and that we at MACH37, with the help of others in the industry, can positively address the current gaps and create an environment that not only fosters the creation of potentially disruptive cybersecurity concepts, but also supports the many other, perhaps more practical, ingredients required to bring positive disruption to the cybersecurity market.