Emerging from Stealth Mode: My 4 Basic Tenets

By Chris Elbring

Many of you know that at some point or another I have sworn off ever again being the person in charge and being fully responsible; been there and done that. And I made mistakes. We all do. But with those lessons learned and a number of years and experiences between me and my last startup, I am announcing it publicly today: I am starting another company. This decision really has been spurred on by a relatively large number of friends and former colleagues encouraging me to do it. For the last ten months, I have been resting and trying to prepare to make a change in the information security industry. I spent a great deal of my downtime thinking about information security consulting and trying to understand trends and current shortcomings in the industry. In my personal circle I’ve been rather vocal about many of the things which I see are wrong. Now I’m taking up the challenge to put my solutions to the test in the real world.

Below are my four basic tenets for my new venture:

ONE: WORK WITH PEOPLE I RESPECT AND TRUST

In the past, I have worked with, and worked for people I neither respect nor trust. Life is too short to work with people who fall into either of those categories. And, in information security, data is too valuable and customers and partners are relying on us to do the right thing; subsequently mutual trust is paramount. I have seen egregious trust violations, lying, and other morally and ethically challenged behavior and I will have no part of that with my new venture. I like being able to look in the mirror and know that the work I do helps make the world a better and safer place. Money is great but not at the cost of betraying one’s principles. This is something that either people will agree with and live by or they will not work with me.

TWO: HAVE A PLAN AND BE TRANSPARENT

Whether it’s about raising money or the financial situation of the company. This is pretty simple stuff and people deserve real information and data to make decisions about their lives. This is a business model that is somewhat different but probably not earth shattering. It is based on an inclusive model rather than what are seen as the traditional information security corporate structures. I have talked to some of you about it at length. Now I am putting it into action. I will talk a lot more about this as it really is the core of our differentiation and is the driver to maintain quality, consistency, etc.

The idea is to build a company which is modeled to inspire and include. And no, I am not currently raising money.

THREE: PROVIDE CONSISTENT, QUALITY SERVICES

There are a number of things going on in information security consulting services today (in the more elite firms) that are hurting quality and consistency. Ask any firm buying third party information security services and they will tell you quality is inconsistent and they are not sure if they are really getting quality at all. These firms are right. A number of things are driving this trend: information security is growing really fast so there is a need for more bodies and subsequently many firms are diluting their technical teams to keep up with growth demands. The big corporate growth requirement coupled with the general approach of stick over carrot really drives apathy into consultants.

There are other issues that the company will address but these tend to be some of the most pervasive. This company is approaching it differently. There will be an environment where everyone cares about quality and consistency because what is good for the client is good for them. Crazy, right?

FOUR: BE A PROFESSIONAL ORGANIZATION FIRST

Many elite information security firms are just simply not professional when it comes to their business approach. This company will be. The hacker scene drama will always be there in certain realms. That is understood. However, in dealing with clients, fulfilling contract obligations, and working to provide a work environment that is healthy, this company and all of its employees will strive to be professional. I am willing to go as far as having a clause in our MSA that guarantees a level of service and satisfaction to our clients. If it is not right, we will make it right. Lawyers make this hard but it will get done. Information security consulting needs to continue to grow up and not just by acquisition to the big guys or product companies.

This is it in a nutshell. An announcement on the company and our first partner in the firm is coming later this year. If you have questions or would like to discuss opportunities, feel free to reach out.

About the Author

Chris Elbring is Managing Partner and CEO of Anvil Secure. Prior to founding Anvil, Elbring worked as CEO and CTO of a startup security software development firm, President of a boutique, regional security consulting firm, an independent technology and security consultant, Director of Software Development of a mobile, biometric firm and most recently as Senior Vice President of Research and Delivery at IOActive, Inc.
