Security for Startups in the Age of the Weekly Leak with Tony Gauda (ThinAir)

As leaks & hacks mount, security remains an elusive state for startups. And as Tech moves more of our life online, the startups that facilitate...

As leaks & hacks mount, security remains an elusive state for startups. And as Tech moves more of our life online, the startups that facilitate this transition face increased security scrutiny from customers, journalists & investors. Has it always been this complicated to build secure, consumer or enterprise-ready technology, or are we just more aware of our failings now? We meet with Tony Gauda, a YC alum and CEO of ThinAir, to discuss the state of security in 2016, and what startups should do on their everlasting quest to secure their business.

Tim Anglade, Executive in Residence at Scale Venture Partners: So I’m actually happy here. This is the first one I’m doing in Palo Alto.

Tony Gauda, Founder/CEO at ThinAir: Wow.

Tim: Which is really weird, ‘cause I’ve been doing, like 20 or 30 of those. And, there’s nobody in Palo Alto anymore. Maybe that is just me, just my bias.

Tony: They’re in the city.

Tim: San Francisco’s just like taking over for start-ups, and, I’m kind of really amazed ‘cause it’s not so long ago that like Facebook was here. You don’t have to go all the way to park, or anything like that. But now, it’s kind of like, it’s funny, everybody’s in the city, and there’s not that much. I mean, how do you end up in Palo Alto? Why did you decide to be here?

Tony: I have a family. So it’s like, kids need a place to play. They have good schools, and the commute’s very easy for us.

Tim: That’s crazy. You’re right. Maybe it is just linked to the average age or the average kind of situation. And now you have so many, quote unquote, YC founder, they’re like, 15, or whatever, I always joke about that. And, they don’t have family. They just want to be in the city, and, yeah, they just maybe, kind of, stay up there. It’s kind of cool

Tony: And the night life as well, right? So in the city, you know, there’s a lot of night life. There’s less of it here.

Tim: Yeah, Palo Alto’s kind of, yeah. It’s a bit hard. Yeah, I’m with you. The Bay Area’s very weird that way, yes. There’s not that much to do if you want to have like a young person’s life in the Bay, but, you know, conversely, if you want to have a family the city’s kinda really rough too, so

Tony: It’s hard.

Tim: Feels very segregated, secluded, right? It’s a bit fun. So, I’m kind of thinking back at security. ‘Cause you’re doing the start-up right, ThinAir, and I’ve wanted to talk about this for a long time, which is when I was doing start-ups, like, let’s say 10 years ago, I had to worry about a very small list of things. I had to worry about like CSRF, I had to worry about SQL injections. You know, maybe I had to worry about salting my hashes. There were like a few things if I was doing a web-based start-up, and I could go through it. Or at least in my mind, and I felt safe. I was like, oh, I followed like all four of the best practices. or five, or 10 of the best practices. And, that would get you mostly there. But now, in 2016, it feels like there’s Russian hackers, and there’s leaks all the time, and there’s like entire database that get hacked and released on the Internet. And it feels like if you’re building a start-up today, you have to worry about a lot more. And do you feel like that, first of all, like a valid assumption starting? Or do you feel like security’s always been this hard, and just didn’t know about it?

Tony: I think it’s always been this hard. I think that the amount of things that we need to worry about, depend on the people that we’re doing business with, and data we actually collect. But, CSRF is still a problem. You still need to worry about that, right? The difference is that there’s a lot of tools that kinda help you mitigate these things in a more automated fashion than you have in a kind of, actually code in, and get it done yourself.

Tim: So you feel like most of it is just, we’re more aware of all these things. Plus, we’re adding, kind of, new vectors of attack all the time.

Tony: Yeah. I think, because we’re, just because the industry is just becoming more intelligent around messaging, more intelligent around the things that we need to be paying attention to. It’s just that now the list is just longer. And me as a start-up founder, I just need to be thinking about this even more.

Tim: Right. But so, how much do you feel also, like, responsibility has shifted? Now it kind of feels like as a company, you know, you . . . It seems like there’s much more of an onus of owning security, and protecting your users, and protecting the data in a way that I don’t think that was as well incorporated by kinda stakeholders, by company executives or anything like that, and now it kind of feels like if you get hacked, it’s your responsibility. If you’re, if you’re target, if you’re a big company, your head might fall for this. And so of course, that kinda translate to start-ups as well.

Tony: Yeah, I think that because it’s becoming more prominent, because the adversaries are becoming more sophisticated, because the places where they can attack are just becoming so widespread. I mean, so you’re getting more level pressure that says, hey, we cannot get hacked, and that they do business with a start-up, they get hacked, it’s still their problem. So it’s just more visible now.

Tim: Right, it is more visible, and I guess the other thing that makes it more visible is that more and more of our life is online, or is connected. So maybe, 10 years ago, you have to worry about your Facebook likes. That wasn’t like the biggest problem. But now, of course all your banking is online, like a lot of your relationship if you’re dating, your Ashley Madison information, anything like that, is online, is accessible, is hackable, and so it kinda feels like the visibility has really increased from that. So, what are some of the new things that you feel like have kind of change recently, if anything. We saw that CSRF, we saw that SQL injection, installablethat you need to worry about, but what are some of the biggest changes you’ve seen maybe in the last five, 10 years in terms of security for start-ups.

Tony: Yeah, so I think the fundamental problem has always been the same. It’s always the people, right? The problem with security is that it is easier to do the wrong thing than it is to do the right thing. And since you think about every organization that exist, it is faster to get it done as quickly, free to get things done quickly, that’s what you get bonus for. You don’t get bonus for security, but you get bonus for how quickly you get a problem done. Until we learn, until technology kind of advances to the point where it works the way that people do, versus having to train them to work differently, we’re going to continue to have this type of problem.

Tim: So do you feel that this is technology problem? ‘Cause Yahoo was in the news, like this week, about the big hack, and there’s all these write-ups about the culture was wrong, they didn’t really worry about protecting themselves, the security team was kind of shoved aside. Saying like, you guys are paranoid, you don’t need to kind of force us to do all these stuff, and it kind of feels like, at least to some people, that it’s kind of a human problem. Like you need to enforce this, you need to do it.

Tony: So, if you think about it, Yahoo is an organically grown company, they started up very small, they got very big. When they first started, they had all the security holes that every small start-up has. When they became a big company, and yet they probably still had a culture that was similar to a smaller company, right? Where you fix the things as you need to, and you work fast, you need to break things. So if you think about it, they’re a typical organization that had the same amount of security problems as everybody else. The problem is that they’re the focus this week. Next week gonna be someone else. This is not a Yahoo problem, this is an industry wide systemic issue.

Tim: It is right, and it seems like the mentality in the average start-up, average company, like you can add security later, we’ll do a review, we’ll fix that, we’ll do an audit, we’ll pay consultant. And that’s just as delusional, in my experiences, like adding performance. We’ll make it speedy later, we’ll optimize this later, or make the UX better later. You kind of have to bake that in from the start. Is that correct?

Tony: I think it’s just hard. I think it’s just complex. Even if you design for the right things in the beginning, it’s still gonna be hard to get it right over time. Any point in time, you maybe okay but over time, you’ll continuously be vulnerable. So the only way to really do it is number one, educate the end users, make sure you’ll continuously re-evaluate your guide in your security practices, and change it as the landscape changes.

Tim: Right, so how do you feel like, what are some of the way that you can quickly recommend people look at doing this, right? Is it just as simple as making like a security-minded person when you first hire on a technical team? Are there like guidelines, standards, like anything that you recommend in kind of setting up the right security thing from the start but also, as you said, in continuity right?

Tony: Yes so it has to be embedded in the culture of the company. So any time, you’re starting a new initiative, you’re deploying new code, you’re even doing hiring, certain new divisions, security needs to be thought about. ‘Cause if it’s not, it’s pull through on later, there’s a seam there, and that’s all an attacker needs, is a seam, because we have to be, on the defensive side, you have to be right 100% of the time. On the offensive side, you only need to be right once. So it’s a much harder problem to solve.

Tim: All right. That can be really, really hard, so what do you kind of do with the mentality that’s in a lot of people, which is, it’s only a matter of time, we’re gonna get hacked, and so we’ll have to deal with that when that happens. And there’s only so much we can do, like we can’t prevent it from happening, so we should only spend that much energy, and this much effort, protecting ourselves.

Tony: So I think the right approach is that, the default is that you’re already hacked, right. It’s not when it’s gonna happen, it’s already happened. The question is when do you notice it? What’s the time to noticing that you actually been compromised? And that’s what a lot of the new investigative tools give you, is visibility to when you actually are hacked, so you can remediate it very quickly. So if you take the approach and say, we’re never gonna get hacked, we’re never gonna have any issue, you’re doomed to fail, right. Don’t take that approach. Figure out how to mitigate it when it does happen. Have a rapid response team in place.

Tim: Right, and so it does seem like, okay you have to acknowledge the fact that it’s gonna happen but you can’t be defeatist about it either. It’s just kind of like, you have to be ready when it happen, and to be ready, you need to kind of be prepared in advance.

Tony: That’s right.

Tim: So, what are some of the tooling. It seems like that a lot people probably like, if you’re building a start-up today, you enable two-factor auth on your accounts, you do kind of a lot of basic checklist stuff. What are some of the approaches and tools that you recommend in term like setting up your policy, for an average start-up. Were there such a thing at this point? So, there’s different areas where you kind of focus on, you should always start with the people. And by starting with the people, you could password hygiene, two-factor authenticate everything you possibly can, make sure you educate folks in not clicking on links, everything link that comes in through the email because links are literally made to be clicked, so it’s very hard to resist. Right, it’s setting up that culture within the company to be more security-aware in general.

Tony: Right, and do you feel like for the average company that’s doing kind of maybe online SaaS type of stuff, is good kind of, vendors that you’d use or you’d recommend in term of helping detect when there’s been intrusion and help kind of remedy that. Do you kinda feel like that’s there yet or are we kinda still in the early ages where there aren’t good go-to solution for like helping your security, if you’re a SaaS start-up?

Tim: So being a start-up… So most utilities are kinda built for larger organizations because those are the ones that have the most sensitive information, those are the ones that want to kinda spend the money to solve it. So, if you think about it, there’s not a lot of solutions that exist for start-ups, and the question is does it really need to happen just now. The technology that we’re working on is actually something that kinda does some of these stuff but at the end of the day, if you start with just good security hygiene on the people side, that all eventually turn into great security practices long term for the company.

Tony: But that seem interesting, start-ups is almost like you’re recommending that a start-up focus on start-ups’ customers, ‘cause you know winners kind of really bad.

Tim: Terrible, it’s a terrible market.

Tony: It can work sometime but most of the time it doesn’t. But there’s also kind of connected SME segment, and there’s now more and more smaller companies, mid-sized companies, that are online, that have app, that have website, that have SaaS services, and it does seem like there is an opportunity there, for nudges the top-end enterprise security segment, which does have a lot of vendors competing for it. Maybe kind of, solution for the remaining 50, 80% of the market out there. ‘Cause it does seem like, they’re about to get hacked, on a very, very massive scale, ‘cause they’re all really massively going online, on a massive scale.

Tim: I think in general, you’re gonna start, so start-ups use a lot of just SaaS services in general. And I think what’s happening is that those SaaS services are getting pressure from the enterprise companies to get more security conscious and security aware, and those benefits actually trickle down to the start-ups. Over time, we’ll start to see more sophisticated utilities but it has, again, it goes back to the people, it goes back to the practices. People need to understand, there’s things that you just can’t do especially in a start-up environment but until that happens, you’re gonna continue to see the breaches that you see everyday.

Tony: I know, that makes complete sense and you’re right, I think there’s gonna be a human transition that people need to do but maybe a lot of the tooling, and software, and platform you use, that technology advances already been made, right?

Tim: That’s gonna happen, so our tenet, even within ThinAir is that we develop tools that work the way that people do, versus trying to train people to work the way the tools should be used right? And I think long term, that’s the way you solve the problem. It’s just that it’s a more advance technology that just takes time.

Tony: Right, make sense, make sense. So we’re still in the early stages, it seems of understanding what online security, online privacy, security in a larger sense kinda means. And so it’s kinda funny, you’re right. I don’t think the UX and the human component has caught up ‘cause it’s just technology.

Tim: Well, that’s where AI is gonna really help advance this, ‘cause you’ll start to see what’s normal behaviour versus authenticating a particular user. That’s the difference.

Tony: I’ve seen a lot of that, now we just Captchas but also kind of detecting patterns like who’s connecting from where, and all that, and it could become much more human friendly for lack of a better word. So you’re right, I think there’s gonna be a new wave of kind of security company. I already know of a couple are going through YC right now and everything else that are kind of understanding the fact that security shouldn’t be in your face, putting you to type code, it should be able to detect a lot of stuff for you.

Tim: It should be completely transparent and automatic. You shouldn’t have to think about it.

Tony: That’s a good thing to aspire on, to aspire for. Yeah, thank you so much. Really appreciate your time.

Tim: Oh, thanks for having me.

Tony: Oh, I think there are some myths that maybe I can debunk a little bit, but also some give you some tips. When you think about working with the VC, first of all, where you are in the fund, are you the first company in like 20 or are you the last one? Actually don’t think matters very much, it shouldn’t. If I’m a good VC, and I’ve been doing this over a long period of time, I reserve enough for my first deal and my very last deal. So that shouldn’t be an issue. What would matter, is if it’s the fifth or sixth year, and we’re starting to figure out who deserves the last amount of capital in the fund, have I reserve enough for you? That’s what you care about. So I think that’s more important to ask over time. When you think about who, this is the other thing, everybody understandably wants to have the named partner in the firm.