The year that contained Spectre and Meltdown, GDPR enforcement, the EmilyAI commercial launch, the British Airways and Marriott disclosures, and the continuing supply-chain pattern from 2017 has been the most operationally consequential single year in my career so far. Several strategic questions that had been latent for two or three years have settled in 2018; several others have opened.
The settled questions. The Hedgehog company shape: the product business is real, the engineering team is real, the institutional-capital decision (taken in October — we are not raising) is made, and the company is operating as a hybrid services-and-product business in the way the early-2018 planning envisaged. The GDPR-readiness programme: complete across the customer portfolio, transitioned into operational support, the breach-response posture has been exercised in three actual incidents this year (none requiring ICO notification) and the discipline is proving adequate. The Emily research-versus-product question: the product is real, the customer adoption is on the curve, the research paper has been accepted for USENIX Security 2019 (notification on the 18th of October), and the dual research-and-product strategy is producing both outputs the team intended.
The opened questions. The supply-chain disclosure pattern continues to escalate. The Marriott case — half a billion records, four-year undetected window, acquisition-integration root cause — is structurally the most consequential single disclosure of the year and has implications for M&A practice across many sectors that have not yet been fully absorbed. The post-Spectre / post-Meltdown conversation about hardware-software trust boundaries is going to drive substantial architectural work in confidential computing, formal verification, and processor-side mitigation through 2019 and beyond. The post-Cambridge Analytica platform-regulation conversation is producing legislative output in multiple jurisdictions on a timeline I did not predict — the California Consumer Privacy Act is signed and operational from January 2020, the e-Privacy Regulation in the EU is in the trilogue process, the US federal-privacy-legislation conversation is more substantive than at any point I have followed it. The post-NotPetya / post-Marriott / post-various supply-chain conversation is producing customer programme work that will continue for at least 24 months.
The patching marathon. Spectre and Meltdown in January, with the deployment work running through Q2. The Cisco Smart Install advisory in April, with the Smart Install Client mass-exploitation campaign on the back of it. The Drupalgeddon 2 advisory in March (CVE-2018-7600). The various Microsoft Patch Tuesday cycles with the usual mix of remote-code-execution and privilege-escalation fixes. The Apache Struts continuing tail. The patching cadence work that came out of WannaCry has held up — the customer estates' patch-deployment latencies are at acceptable levels and the 7-day SLA for critical patches is now standard rather than exceptional. The post-Spectre microcode-update propagation has been the most difficult patching cycle of the year, primarily because of the performance-impact assessment work the customer estates have had to do alongside the deployment.
The breach disclosures. British Airways in September, the first major UK GDPR-era disclosure with a Magecart-style supply-chain root cause. Facebook's 50-million-account disclosure in September, the first major platform GDPR-era disclosure under Article 32 supervisory attention. Marriott in November-December, the largest single disclosure of the year and structurally the most consequential. Quora in December, a useful contrast in disclosure quality. The aggregate effect: the GDPR enforcement environment is now operational, the Article 32 expectations are being articulated through the supervisory authorities' enforcement decisions, and the customer-organisation conversations about disclosure mechanics are sharper than they have been at any point in my career.
The information-operation pattern from 2016 has not produced a 2018 equivalent of comparable visibility — the autumn US midterm elections and the various European political events did not produce a DNC-shaped disclosure-as-weapon event. Whether the lack is because the relevant actors did not run such operations, or because they did and the operations did not produce the intended effect, or because the defenders' posture has improved, is the question for 2019. I am cautious about reading the absence as evidence of resolution.
The Emily commercial deployment. Three pilot customers from April, two additional production customers from October, two more in late-stage onboarding for Q1 2019. The product roadmap for 2019 is more ambitious than 2018's was — multi-SIEM support (Elasticsearch, QRadar) lands in Q1, the playbook-drift report becomes a first-class feature in Q2, and the threat-intelligence-integration capability is the principal differentiating feature for 2019. The team is at nine engineers full-time including the customer-success function. The per-analyst-per-month pricing model has held up in the customer commercial conversations, and the per-customer revenue is in the range that supports the team's continued growth.
The book project — the DDoS-book successor — is, finally, in draft. Roughly eighty thousand words across twelve chapters; the working title is "What changed between WannaCry and Emily", although that will not survive editorial review. The plan is final draft by May, publication in Q4. The export-control-cryptographic-debt essay is in proof. The early-Emily research paper (now the USENIX Security 2019 paper) is camera-ready for the August conference.
The portfolio. Six sustained vCISO clients carrying through the year. Two of the Emily commercial customers are also vCISO clients, which is producing a useful joint-engagement pattern that is shaping the 2019 product roadmap. The pen-testing engagement queue grew through the year; the SOC customer count is at 11 (two added in 2018). The team is at 26 including the EmilyAI engineering function. The Bath office has been operational since June and primarily hosts the engineering team.
The personal note. I wrote 38 posts on the blog this year, about the same as 2017. The discipline of writing notes contemporaneously continues to be the most useful single intellectual practice I have. The book progress is satisfying. The team's performance has, again, exceeded what I would have expected from a function this size. The conferences were Infosec Europe (with the EmilyAI booth, which produced more substantive customer conversations than I had been expecting), two BSides (one of them in Manchester, useful), and the USENIX Security paper presentation will be in August 2019.
Onward into 2019. The GDPR enforcement decisions land. The product roadmap executes. The customer portfolio continues. And whatever the year produces that I have not yet imagined.