2019 in review

The year that brought the first major enforcement output of the UK's GDPR era, the formalisation of the Maze leak pattern, the settling of targeted ransomware into a steady operational tempo, and the year-end Citrix ADC disclosure has been, on the operational measure, the most demanding of any year I have run the company through. It has also been the most strategically clarifying year. Several things that were uncertain in January are settled in December.

The settled questions. GDPR enforcement is real, the BA and Marriott Notices of Intent set the precedent, and the customer-organisation programme work has been validated as a sound investment. The targeted-ransomware threat is now structurally different from the 2017-era mass-spread threat and requires a correspondingly different defensive posture. The Maze leak-pattern formalisation in November adds a second coercion lever, the threat of publishing exfiltrated data, which backup-and-recovery does nothing to address and which has to be met architecturally: data minimisation, segmentation, egress control and exfiltration detection. The cloud-side security discipline (Capital One specifically as the worked example) is structurally distinct from on-premises security and requires customer-organisation investment in cloud-native expertise. The DDoS-successor book — "What changed between WannaCry and Emily", eventually published as "Detection at the Speed of Adversaries" — landed in October, four years after I started outlining it, and the reception has been satisfactory.

The opened questions. The Citrix ADC December disclosure is going to produce mass exploitation in early 2020 against unmitigated estates and will reshape the appliance-side vendor-risk conversation; what Citrix has published so far is a configuration workaround rather than a fixed build, so "mitigated" and "patched" will need to be tracked separately. The Maze leak pattern is going to be copied by other ransomware operators, and the data-exfiltration-coercion model is going to be the dominant ransomware shape through 2020 at least. The Capital One case will produce regulatory and class-action precedent that will affect how cloud-native architectural decisions are evaluated for some years. The political environment around encryption (the EARN-IT Act discussions in the US, the various encryption-policy conversations in the UK and EU) is producing legislative output that the customer-organisation programmes will need to absorb.

The year's operational tempo. The customer portfolio carried six vCISO clients through to year-end. The pen-testing engagement queue grew approximately 30% on volume. The SOC customer count is at thirteen, indexing approximately 1.4 terabytes per day in Splunk. The EmilyAI commercial customer count is at eleven; the multi-SIEM support that landed in Q1 enabled the addition of customers on Elasticsearch and QRadar. The team is at thirty-one across the London and Bath offices. The hire plan for 2020 envisages a further six to eight roles, primarily in the EmilyAI engineering and customer-success functions.

The breach-and-incident year. The Citrix internal compromise (March), the Norsk Hydro ransomware case (March), the WhatsApp / Pegasus disclosure (May), the BlueKeep advisory (May), the Capital One disclosure (July), the BA / Marriott NoIs (July), the Maze pattern formalisation (November), the Citrix ADC advisory (December). The breaches affecting customer organisations directly were limited — three minor incidents at customer organisations, all handled within standard incident-response procedures, none requiring ICO notification or substantive customer-organisation external communication. The defensive posture of the portfolio is, on the operational evidence, working.

The book. "Detection at the Speed of Adversaries" published in October by a small UK technical-publishing house I have worked with on smaller projects before. The reception has been about what I expected — UK security-community readership has engaged with the substantive content, the academic-leaning readership has been receptive, the wider trade-press coverage has been limited. The book is, in income terms, marginal at best — these things never make money — but in reputation terms it has been valuable. Two of the customer-engagement opportunities that landed in Q4 traced back to the book's reception. The DDoS-successor essay was the right project to spend four years on. The next book is in the early outline stage; the working theme is the GDPR-era operational discipline of data-protection programmes from the inside.

The team. The lead engineer who joined as an intern in February 2016 is now nearly four years in, the engineering lead on EmilyAI, and (since October) a director of the company. The team's growth has been consistent with what I would have hoped for from the ML-engineering function and is exceeding what I would have predicted from the customer-success function (which is operating at a level I attribute almost entirely to the right hire being made in May). The Bath office is operational and primarily hosts the engineering team; the London office continues to host the services and the senior leadership functions.

The personal note. I wrote 35 posts on the blog this year, fewer than I would have liked, mostly because the book editing in Q1 and the customer-engagement load through the autumn cut into the writing time. The blog discipline continues to be, on my own assessment, the most useful single intellectual practice I have. I will be aiming for 40+ posts in 2020. The conferences this year were Infosec Europe in June (with the EmilyAI booth that produced more customer conversation than 2018's), USENIX Security in August (the lead engineer's paper presentation was strong), and BSides Manchester in August. The pattern of declining the major commercial conferences in favour of practitioner-oriented venues continues to produce useful results.

Onward into 2020. The Citrix CVE-2019-19781 cleanup. The Maze-pattern defensive-architecture work. The continuing GDPR enforcement landings. The product roadmap execution. The next book. And whatever the year produces that I have not yet imagined.
