Many years ago, I appeared amongst the pages of the erstwhile British music publication, the NME. I had attended a gig by The Rollins Band, as fronted by the ex-lead singer of the American punk band Black Flag, Henry Rollins, who at the time loathed stage divers. Because I was friends with idiots, I was flung on stage, and was described in print as exhibiting “equal parts of bravado and stupidity”. In this spirit (which resulted in my broken nose), this post has been written.
A few years ago, I set up Xiphos Research. At the time I envisioned it being an antidote to the very broken model of IT security. It is a sad fact that for all the new policies, dictates, and practices (GDPR anyone?), IT security is broken. Ask anyone at the sharp end and they will tell you as much. Attack vectors have not really changed that much. Customer engagement hasn’t changed that much. The same attacks, or variants thereof, continue to cause damage, financial loss, and heartache. Xiphos was going to put a stop to this and to the sharp sales tactics indulged in by many of our peers, and we failed. I failed. That’s what this post is about.
Xiphos is a small company, and as such is often treated with either scepticism or derision by many of those in the same industry as us. That has never overly concerned me. What does concern me is that because of its size, Xiphos offers something that none of our competitors do; we all like each other, and the company is ours. It is a shared, unified, beautiful thing. Staffed by renegades, who all have a shared desire for positive change. I have let them down too.
How have I accomplished this litany of failure? Purely and simply: exhaustion. I gave up. What started as a genuine attempt to reshape this industry quickly got purged by scrambling around attempting to keep the boat afloat. And I have even failed to do that with any real degree of success. As of the time of writing, we owe taxes, largely because I have always possessed the old-fashioned idea that it was better to pay people on payroll and worry about our bills later. A lot of businesses are in the same position, but you’ll never hear it from them. Why? Because, in large part, IT security is an industry that is based upon obfuscation. To fail is to be weak. To show anything other than success opens you up to the derision of your competitors, and the distrust of your potential customers. Frankly, this is asinine in the extreme.
So, what have been the results of this failure? Well, for a start, the scrambling for cash. This has been caused in no small part by the fact that many of you reading this will never have heard of us, or if you have, will have discounted us as being too small, or too weird, and thus chosen not to use us, to interact with us in any meaningful way, or even, perish the thought, to give us a chance to demonstrate what we can do on a project. In the last several years, we have successfully completed numerous engagements, and have numerous times found critical vulnerabilities that other companies missed. We have published a trove of zero-day exploits, and conducted a heap of research, only some of which has seen the light of day. And it is this silence that has led to you never hearing of us, and to me having to worry about how we keep the lights on.
Some of our competitors are excellent at PR. We are not. Press management is in essence a full-time job, and neither I nor anyone else has done it. I have been too busy stressing month to month, sales have been too busy batting against my indolence, and technical delivery have been too busy uncovering critical flaws in our clients’ estates. As a result, we have not appeared on the BBC, we have not been talking heads, we have not even really put ourselves out there on the conference circuit for the most part. Talking of not putting ourselves out there: we are based in Birmingham. In all our time based in the city, I have not engaged in any meaningful way with local business. I have never attended any business networking event, I have never shared the expertise that we possess. This again is a failure, pure and simple.
Take a look at our website. It is currently outdated and has not been refreshed in terms of content in months (edit: it has now). This again is squarely down to me. We have done research that I am entirely confident would make some of our peers green with envy. We have exploits and tool sets that are powerful and unique. Some of us have spoken at places about things. A visitor to our site would not know that. A potential customer would not know that. You did not know that. And the responsibility for that rests squarely with my failing.
I said earlier that I was exhausted, and this I think is the best word. The passion that drove me, the desire for positive change, and the genuine and heartfelt rage I felt at most of the rest of the industry were destroyed by focusing on getting enough cash in the bank to ensure that we could continue to exist. This absence of rage I think has been my largest failure. The IT security industry is a farce. Worse still, it is in many cases little more than an organised shakedown. Consultants often promise to deliver what they cannot; namely, security. Rather than admit that simple truth, many talk in terms of risk reduction, or management and mitigation. Large organisations have largely got used to the fact that they will have smoke blown up their orifices by eager account managers in pursuit of sales targets. So let’s, just once, be honest, shall we? No penetration test, no matter how much you spend on it, will make you secure. All a good penetration test can do is help you identify the technical weaknesses and deviations from policy you have at the time of the test. That’s it. It’s that simple. Unfortunately many supposed tests do not even manage to achieve that much. Over the last year we have engaged with customers that had supposedly been thoroughly tested before. Although we have chortled at finding the Nessus scan agents and the remains of other automated tools in the client logs, we have also found critical vulnerabilities that have allowed access to sensitive client data. Why? Because we are actually very bloody good at what we do from a testing perspective. My failure, which has in turn negatively impacted upon Xiphos, is that we have not made enough of that fact. This ends now.
Unfortunately for many in this industry, my rage is now back. I am angry that people keep getting ripped off. I am furious that customers are not getting value. I am livid that I have failed to make as big a show of Xiphos as some of our industry competitors. This changes. And this post should be taken as a warning and a promise. If you are more concerned with your three-ring circus than with providing actual security services; we are coming for you. If you would rather deride or criticise than collaborate in the hopes of assisting your customers; we are coming for you. If you have underestimated, dismissed, or degraded your clients’ needs for your own profits; we are coming for you. Although I may have been a failure, and Xiphos may not have been on your lips or your radar; it will be. I may be being brave or I may be being stupid, but one thing I refuse to be anymore is indolent, or dishonest about that indolence brought on by exhaustion. We are going to do everything in our power as a company, and I shall do everything in my power as part of it, to change this industry for the better, and to make our customers as secure as we can make them. And that effort alone hopefully marks us not as failures, but as an organisation you might want to talk to about your needs, and how we can assist with them. Or maybe we actually *are* too weird for having integrity, passion, desire, and expertise after all.