Spotlight on the CyRise teams: The SecureStack Story

Sharpening the skill set and writing white papers

Paul spent the 90s and 00s consulting and contracting in the large distributed Unix space as a Unix admin. This was an era where there was very little focus on security. Working for Blue Cross Blue Shield, he volunteered to write a white paper on how they were going to secure their systems. It was 2002. 120 pages later, Paul was invited to work in the SOC and build out their security automation.

Devs vs Ops

For those not familiar with the intricacies, a crash course in the terminology might be helpful at this stage. ‘Devs’ are the developers who write the applications. ‘Ops’ handle the operational side, historically called System Admins (SysAdmin). ‘Security Teams’ are a more recent addition to the mix, tasked with defining the security policies that are applied to the applications and operational environments. Each group had its own requirements and goals, which were often at odds with the other groups’ needs and requirements. Given that landscape, it’s easy to understand how the confusion around responsibilities and roles had led to security compliance falling through the cracks.

‘Security teams often didn’t understand how a policy applies to the greater whole. So, how do I take the policy framework and make it into something that means a thing in operations on a server? That was my challenge.’

At that time, Devs and Ops were sitting on opposite sides of the fence, blindly launching things at each other. ‘DevOps’ was born about ten years ago to bring both Devs and Ops more towards the centre. The idea was if they understood each others requirements and needs they would work more collaboratively. Over time, this strategy worked and DevOps flourished. But the security groups were left out. ‘DevSecOps’ soon became a buzzword, yet many security teams never actively moved towards the centre as the Dev and Ops team had. So, organisationally and collaboratively they were still separate and often seen as being an obstacle. Moreover, security policy was often considered as unnecessarily abstracted from the actual day-to-day operational requirements of IT.

Paul McCarty, Cofounder and CTO of SecureStack

The Operations Guy

Paul is an operations guy. But he writes a shit tonne of code. He’s a SysAdmin with code that looks like it’s from a Dev. ‘It’s infrastructure as code; security as code. It looks like it’s from a developer’. He’s a hybrid that understands the challenges of the often opposing technical groups. A CISO is usually conceptually aware of the gulf between Sec and the rest of the tech teams, but not as aware that the reality of the divide means a weakened infrastructure and increased inefficiencies.

What is SecureStack?

SecureStack is ‘build once, deploy everywhere’ technology. It provides a framework for securing your infrastructure in the cloud, no matter the provider, ensuring your cloud deployments are always hardened for security, have centralised logging, monitoring and alerting, continually monitored and updated. There’s magic in the flexible cloud environment, where both business and IT teams can spin up whatever they want. But with this flexibility comes security risk. This is where SecureStack comes in. It works in a repeatable way, meaning teams can better focus on new developments rather than securing custom instances.

Chasing something pure

Paul’s first entrepreneurial move was in 1996 when he set up his own computer store. In ’97 he built an ISP, and by 2001 he’d sold his business. He then developed a consultancy, doing large scale automation and Unix. ‘My focus from that point on was automating at scale, introducing security into infrastructure.’ But he soon tired of the constructed world of code, seeking something natural and pure. He moved to the mountains and focused his energy on being a professional snowboarder. It took him to Australia, New Zealand, Canada, all over the States. There he was, in his mid 30s, hitting rails. ‘At the time I felt IT wasn’t pure. It’s made up. Man built it. With snowboarding, there’s a constant battle between you and physics. It’s real. It constantly reminds you of your human fragility.‘ Gashes, dislocations, concussions — all part of Paul’s dedication. ‘I felt it was pure and I absolutely loved it. It’s just hard to make a living doing that.’

Paul McCarty, DC MTNLAB, 2008

Go hard or go home

When Paul discovers something he likes, he can go hard, constantly. ‘Dedicate yourself to something and you get good really quickly’ — this is his superpower. He can work longer and harder, and is more dedicated than most. And he can do all that under shittier conditions. This philosophy extends from snowboarding to entrepreneurship.

Refining and focusing

His obsession soon flipped back to IT. ‘I’ll always have an active obsession, but my attention span and focus is longer these days’. Computers, snowboarding and IT are still in the list of passions. Through the CyRise program Paul has developed a good filter for focusing the advice when it comes to his passions. ‘There is no one answer to anything. You can get good advice and then similarly good advice, but they’re 180 degrees from each other. You just have to know what options to take away and appreciate, and get rid of the rest’.

‘It’s really tough running a business as a sole founder. You’ve got the weight and anxiety of 1,000 tasks you’re not going to get done. I understand why so many fail; you get weighed the fuck down’. How does Paul combat this? ‘I just concentrate on the goals. I get up and write a sticky note with three things to work on and that’s what I do. You have to pick one direction in the forest and start chopping.’

Adding to the team

As of May 2019, there’s a cofounder to be joining him on the mission. Paul connected with CyRise mentor Guy Givoni through the initial cohort mentor meet-and-greet. It’s a complementary match of skill sets. Guy’s background is in strategic management, business development and sales, having spent 16 years building global tech businesses. Together with Paul’s deep tech expertise, they’re the perfect partnership to take SecureStack to the next level.

SecureStack Cofounder, Guy Givoni and Paul McCarty

Countering the Quick Fix Culture

For Paul, it all comes back to doing things the right way. ‘Why does speed and feeling the immediate need always trump the long term goal? Just taking 10 more seconds to do it the right way. We make bad decisions based on what we feel our needs are and bypass the way we know we need to do it. We need mechanisms to fall into place. Ultimately this is what SecureStack is trying to do.’

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
CyRise

CyRise

Accelerating, supporting and investing in world-class cyber security solutions.