Updated on April 19, 2018 by Co-Founders Alan Sharp-Paul and Mike Baukes
Years ago, our company set out with a mission to solve a problem of trust between software developers and admins. We knew the problem existed firsthand—at our old jobs in a large Australian bank, one of us had been developing software and the other managing operations. We had a disagreement about how to proceed with a deployment. Dev insisted everything was ready but Ops pushed back, saying there was not enough information to trust the changes about to take place. We each saw merit in the other's argument and knew this had to be happening everywhere, so we left our 9-to-5s to build a solution.
Needless to say, helping Dev and Ops trust each other resonated well as a concept. In fact, many of our first customers were interested in the growing DevOps movement. They were making changes to their infrastructure very rapidly (or preparing to), but had been hitting a bottleneck many hadn't anticipated—trust. The new pace required continuous change information, which is more than an automation tool's simple "Success/Failure" report could provide. Teams needed actionable visibility into all of their systems and applications before making changes.
(It sounds almost contradictory to think that an additional step in the development process could make anything faster, but as it turns out, putting a guardrail next to the freeway gives drivers the confidence to drive faster rather than slower.)
As time went on and we met more customers with more stories and problems, we came to understand the massive expanse of trust issues present in technical organizations. It affects practically everyone and everything—applications must trust each other to provide reliable data, servers and networks must trust each other in order to communicate, team members must trust each other to build and maintain devices and applications properly, and so on.
But the real issue is that this trust chain doesn't confine itself to IT—it begins there, but extends upward to the C-suite and board level. From there it reaches outward to vendors, partners and customers. And when you draw that line of trust all the way back from the customer, it flows back down through leadership, through IT management, through individuals, and all the way down into their servers, devices and apps and the millions of variables and settings that dictate how they work.
When the goal of winning customer trust is dependent on all those millions of individual parts, it's amazing anyone trusts any company at all. Or do they?
The fact is, real technological trust hasn't existed before. Data breaches and unplanned outages happen more frequently every year, and average people are sadly becoming numb to the idea of having their identities stolen and exploited. If a customer really does claim to trust a company, that trust will be based more on blind faith than hard data, because the data required to create real trust just was not there.
That is what we want to change, and here's how we're changing it.
Over 80% of all data breaches and outages are ultimately the result of bad configurations. The mysterious hacker character you've heard about—the one who wears a ski mask while sitting at a laptop in all of his stock photos—is a little bit overrated. Sure, there are bad actors all over the place, but when news reports tend to focus on the intruders and script kiddies doing this week's breach, few people are asking how a breach was possible in the first place. Time and again, someone found their way in because something, somewhere was misconfigured—a port left open, an endpoint not secured, or a vulnerability unpatched. Simply put, bad guys get in because they're able to, and they're able to when the good guys slip up.
The cybersecurity industry at large addresses this by producing ever-newer and ever-shinier gadgets such as more capable intrusion detection systems and smarter firewalls, but this is ultimately flawed because they are treating the symptom rather than the cause. The most expensive security gadget in the world is powerless when it and the infrastructure it protects are misconfigured and misunderstood.
Unfortunately, the barrage of "miracle drug" security promises has created a generation of executives unprepared to deal with the reality of the risks inherent in the information age.
The hacker story is an easy one to center your marketing around because it puts a face on the widespread fear of data breaches, but it also comes with a more subtle perk: absolution of blame. An executive who invests in a product where a boogieman is the core issue is also investing in the narrative that when a breach does eventually occur, that intruder must have been special in how they got around the system, and the breach could've happened to anybody.
We find that conclusion a bit naïve. Bad actors get in because they're able to, not through magic or sheer force of will.
The harsh reality is that a true resilience to threats is not solely contained in an application that you buy and deploy, nor is it a firewall or a new OS. It's a practice. It is diligence and awareness and visibility into the things you rely on. It is an understanding of how things work and why. Distilled all the way down, again we find ourselves using the word "trust."
That's what we do. Our product enables trust all the way down into the millions of previously unseen, discrete configuration settings that every modern business runs on.
Understanding the nature of IT risk is the idea behind the newest layer we've added to UpGuard. With the wealth of information our platform is able to observe about servers, devices and applications, we designed an interface to collate risk indicators into one view and serve as an overall IT risk dashboard. UpGuard translates risk into a language any executive can understand—a single value acting as a "credit score" for IT risk. We call this score CSTAR and it's not a separate product—it's free with UpGuard.
CSTAR is the only truly comprehensive risk measurement on the market, period. Where other solutions focus only on external prodding and contextual industry data, ours is a living score that continuously monitors every server and device that powers your business. The difference between ours and the others is staggering and the deep visibility and granularity CSTAR and UpGuard provide is unmatched. It's not even close.
About external scanning—we do that as well, but instead of charging for it, we give that away to everyone for free. External scanning alone is certainly not the alpha and omega of a company's risk profile, but we believe it serves as an indicator of how IT and security could be run company-wide. (Think of it like this—your web server and other externally visible data points are like the exterior of your house. If everything looks unkempt and unmanaged from the outside, chances are good the interior isn't doing so well, either.)
Other companies charge thousands of dollars for such an evaluation, but we believe such a service should always be free and available for everyone to use. This enables end users, for better or worse, to get a sense of the inner workings of a company. It also urges stakeholders within those companies to have the necessary conversations to improve their security posture. And interestingly, it gives you a peek at how seriously (or not) your competitors take web security—if you're into that sort of thing.
All of the things we do and have done to get to this point are about enabling trust in technology. Our goals have obviously risen a bit beyond just helping admins and developers—we also want their managers to have fewer frightening 3AM phone calls. We want their shareholders to not worry about their company making the evening news for the wrong reasons. And most importantly, we want their customers to know that their information is secure. To a layman it may sound like a simple proposition—after all, "trust" is just one word and an easy concept to understand—but successfully building trust into technology is a problem that had been left unsolved for far too long.
With that in mind, we are very proud to announce our series B round of funding, led by Insurance Group Australia, Square Peg Capital, and Pelion Ventures. This investment will allow us to accelerate our operations and bring UpGuard to more businesses around the world. It is also a validation of what we call "cyber resilience"—the understanding that there will never be a single silver bullet to "solve" security. Instead, organizations must learn to detect and understand their IT risks so they can treat them as what they really are—business risk.
Upon understanding and embracing the practice of cyber resilience, executives are able to allocate necessary resources to mitigate risk, plan around it, and navigate their business through an increasingly connected world where new threats emerge and change every day.
Our mission statement, like all the best ones, is both a simple idea and a tough job: We want people to be able to trust technology. We, our team, our investors and our customers understand how the foundation of that trust is built. We also know that this will have positive effects not just for our businesses, but for technology users as a whole, and we're excited to help this massive sea change unfold over the coming months and years.
Alan and Mike
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.