Christmas note: the ten-year work

Christmas eve eve, office quiet, and the customer-portfolio operational tempo has settled into the holiday slow-down that the rest of the security community is also experiencing. A short note in front of the Christmas break.

Hedgehog turns ten in April 2020. The company started in April 2009 as a one-person consultancy out of the spare room at home, on the basis of the Gala Coral CISO experience and the Evolution of DDoS book and a handful of personal contacts in the UK security community who were prepared to retain me on initial-service-engagement terms. The first year was thin — call it £85,000 of revenue, almost all of which paid for itself plus something to keep the household going. The second year was better. The third year was better than the second. By the fifth year (2014) the company was at six people including me and was operationally self-sustaining. By the eighth year (2017) we had the Emily research underway and were on the path that produced the EmilyAI commercial business.

The ten-year arc has been a series of decisions that, individually, looked smaller than they turned out to be. The decision in 2010 to take on the Towry vCISO engagement when the engagement was offered, even though I was not certain I had capacity — that engagement led to the SOC build-out in 2012-13 because Towry needed it. The decision in 2015 to hire the postgraduate intern who had been recommended by an academic contact — that hire led to the Emily research and now to the company's product business. The decision in 2018 to take the EmilyAI commercial path rather than keeping the capability internal — that decision is shaping the next several years. The decision in October 2019 to remain bootstrapped rather than raise institutional capital — the alternative path, had I taken it, would have produced a different company, and I am content with the path I chose.

The ten-year arc has also been a sequence of larger industry shifts that the company has worked alongside. The DDoS-attack-volume growth of the late 2000s and early 2010s. The rise of the targeted-state-actor threat that the Mandiant APT1 report formalised in 2013. The Snowden disclosures and the post-2013 regulatory environment they shaped. The Mirai-IoT-DDoS escalation of 2016. The WannaCry-NotPetya worm-grade era of 2017. The GDPR-implementation period of 2016-2018. The targeted-ransomware shift of 2018-2019. The cloud-native-architecture shift that has been continuous since approximately 2014 and that 2019 has made operationally central. The company's posture against each of these has been adaptive rather than predictive — I have not been better at predicting the next industry shift than the median practitioner — but the customer-organisation programme work has, in the aggregate, produced a track record of customer outcomes that I am proud of.

The next decade looks more uncertain than the previous one in some ways and more clear in others. The operational disciplines — detection engineering, incident response, vulnerability management, identity and access management, data protection — are mature enough that the customer-organisation conversations are about execution rather than about strategy. The threat landscape continues to evolve in ways that require continuous defensive adaptation, and the speed of that evolution is, if anything, accelerating. The regulatory environment is in a multi-year period of building out enforcement practice on top of GDPR and its various international analogues, and the cost of being on the wrong side of that practice is now quantifiable. The technology environment is shifting toward cloud-native, machine-learning-enabled, and supply-chain-aware defensive architectures that the next decade will, I think, see become the operational baseline.

The personal-direction question is one I have been thinking about more this autumn. The company is at a size where my own role is shifting from operational leadership toward strategic and external-facing work, and that shift has implications for how I spend my time. The book project, the customer-engagement portfolio, the conference work, the writing — these are the parts of the work that will continue to grow over the next several years. The day-to-day operational management is increasingly the lead engineer's and the senior leadership team's, which is the right transition for the company's continued growth.

The Christmas tree is up. The lights are on. Office is quiet. The pubs await.
