Spotlight on the CyRise teams: The SecureStack Story
When you think short term, you cut corners. There’s greater reward in raising your standards and playing the long game. Recognising that our quick-fix culture can breed subpar performance, Paul McCarty created SecureStack. It’s a platform that gives you the flexibility of working on the cloud, but the security of knowing your infrastructure is safe.
Gregarious. Focused. Paul is Detroit-born and raised but is now settled on the Gold Coast. Paul’s dedication saw him flying down weekly for the Melbourne-based CyRise program.
Sharpening the skill set and writing white papers
Paul spent the 90s and 00s consulting and contracting in the large distributed Unix space as a Unix admin. This was an era where there was very little focus on security. Working for Blue Cross Blue Shield, he volunteered to write a white paper on how they were going to secure their systems. It was 2002. 120 pages later, Paul was invited to work in the SOC and build out their security automation.
This experience helped set up his understanding of automation and fostered a desire to bridge the gap. ‘It got me thinking about the idea of SecureStack. We’re forever getting obtuse security advice. Our security industry, especially here in Australia, has over-emphasised policy creation, but no one is fucking implementing it!’
Devs vs Ops
For those not familiar with the intricacies, a crash course in the terminology might be helpful at this stage. ‘Devs’ are the developers who write the applications. ‘Ops’ handle the operational side, historically called System Admins (SysAdmins). ‘Security Teams’ are a more recent addition to the mix, tasked with defining the security policies that are applied to the applications and operational environments. Each group had its own goals and requirements, which were often at odds with those of the other groups. Given that landscape, it’s easy to understand how the confusion around responsibilities and roles led to security compliance falling through the cracks.
‘Security teams often didn’t understand how a policy applies to the greater whole. So, how do I take the policy framework and make it into something that means a thing in operations on a server? That was my challenge.’
At that time, Devs and Ops were sitting on opposite sides of the fence, blindly launching things at each other. ‘DevOps’ was born about ten years ago to bring both Devs and Ops more towards the centre. The idea was that if they understood each other’s requirements and needs they would work more collaboratively. Over time, this strategy worked and DevOps flourished. But the security groups were left out. ‘DevSecOps’ soon became a buzzword, yet many security teams never actively moved towards the centre as the Dev and Ops teams had. So, organisationally and collaboratively, they were still separate and often seen as an obstacle. Moreover, security policy was often considered unnecessarily abstracted from the actual day-to-day operational requirements of IT.
The Operations Guy
Paul is an operations guy. But he writes a shit tonne of code. He’s a SysAdmin with code that looks like it’s from a Dev. ‘It’s infrastructure as code; security as code. It looks like it’s from a developer’. He’s a hybrid who understands the challenges of the often opposing technical groups. A CISO is usually conceptually aware of the gulf between Sec and the rest of the tech teams, but less aware that in practice the divide means weakened infrastructure and increased inefficiency.
What is SecureStack?
SecureStack is ‘build once, deploy everywhere’ technology. It provides a framework for securing your infrastructure in the cloud, no matter the provider, ensuring your cloud deployments are always hardened for security, have centralised logging, monitoring and alerting, and are continually monitored and updated. There’s magic in the flexible cloud environment, where both business and IT teams can spin up whatever they want. But with this flexibility comes security risk. This is where SecureStack comes in. It works in a repeatable way, meaning teams can better focus on new developments rather than securing custom instances.
Chasing something pure
Paul’s first entrepreneurial move was in 1996 when he set up his own computer store. In ’97 he built an ISP, and by 2001 he’d sold his business. He then developed a consultancy, doing large-scale automation and Unix. ‘My focus from that point on was automating at scale, introducing security into infrastructure.’ But he soon tired of the constructed world of code, seeking something natural and pure. He moved to the mountains and focused his energy on being a professional snowboarder. It took him to Australia, New Zealand, Canada, all over the States. There he was, in his mid 30s, hitting rails. ‘At the time I felt IT wasn’t pure. It’s made up. Man built it. With snowboarding, there’s a constant battle between you and physics. It’s real. It constantly reminds you of your human fragility.’ Gashes, dislocations, concussions — all part of Paul’s dedication. ‘I felt it was pure and I absolutely loved it. It’s just hard to make a living doing that.’
Go hard or go home
When Paul discovers something he likes, he can go hard, constantly. ‘Dedicate yourself to something and you get good really quickly’ — this is his superpower. He can work longer and harder, and is more dedicated than most. And he can do all that under shittier conditions. This philosophy extends from snowboarding to entrepreneurship.
‘My iterative process is very similar. When coding up a new function I approach it in the same way I do a new trick. I build out the framework and then iron out the little bits.’ In Park City, Utah, they called him Pick ’n’ Shovel Paul. He’d isolate the feature and instead of taking the lift back up the slope, he’d hike back up to that one feature and do it again. Isolate, perfect, move on. ‘I’m a machine’.
Refining and focusing
His obsession soon flipped back to IT. ‘I’ll always have an active obsession, but my attention span and focus are longer these days’. Computers, snowboarding and IT are still on the list of passions. Through the CyRise program, Paul has developed a good filter for the advice he receives about his passions. ‘There is no one answer to anything. You can get good advice and then similarly good advice, but they’re 180 degrees from each other. You just have to know what options to take away and appreciate, and get rid of the rest’.
‘It’s really tough running a business as a sole founder. You’ve got the weight and anxiety of 1,000 tasks you’re not going to get done. I understand why so many fail; you get weighed the fuck down’. How does Paul combat this? ‘I just concentrate on the goals. I get up and write a sticky note with three things to work on and that’s what I do. You have to pick one direction in the forest and start chopping.’
Adding to the team
As of May 2019, a cofounder is joining him on the mission. Paul connected with CyRise mentor Guy Givoni through the initial cohort mentor meet-and-greet. It’s a complementary match of skill sets. Guy’s background is in strategic management, business development and sales, having spent 16 years building global tech businesses. Together with Paul’s deep tech expertise, they’re the perfect partnership to take SecureStack to the next level.
Countering the Quick Fix Culture
For Paul, it all comes back to doing things the right way. ‘Why do speed and feeling the immediate need always trump the long-term goal? Just taking 10 more seconds to do it the right way. We make bad decisions based on what we feel our needs are and bypass the way we know we need to do it. We need mechanisms to fall into place. Ultimately this is what SecureStack is trying to do.’
Tech people know what best practice is, but they’re just not adhering to it. Multiply that by the hundreds of IT employees in a large enterprise and you see why this is such a big problem. Brains are programmed to press the button that’ll spin up the solution the quickest. That’s the ease that cloud providers give us, and it’s also the quick fix that undermines our security infrastructure.
‘When people build in the cloud I want them to just assume they use SecureStack to do it the right way. I want to be the ubiquitous layer. Cloud providers aren’t doing it. There’s a huge benefit to the self-service model. It fits the immediate needs, but because of that, we’re not adhering to best practice. It’s still sitting there, costing us money and has an implicit risk.’
Focus. Do it right. It’s Paul’s personal philosophy, and it’s the underpinning value of SecureStack. Do it right. Play the long game.