June 30, 2020 · 7m read
Why Security Is Hard
After three years of secrecy and partnership with some of the world’s best organizations, today we’re finally ready to unveil our company: Material Security.
Some of humanity’s most consequential problems are relatively obscure and mostly of concern to specialists. Others, however, are so massive, systemic, and unavoidable that they can exhaust us, desensitize us, and tempt our surrender. The infamous hacks of 2016 marked, for billions of people, the moment when cybersecurity and privacy moved from the first category to the second. Nothing’s really changed: if the world’s wealthiest organizations can’t stem a perpetual flood of data breaches, and hacked email from a handful of personal accounts can scramble elections in the world’s oldest democracy, aren’t we all just screwed?
We don’t think so. To understand why it’s important to look at how we got here and what makes security so hard in the first place.
New technology spreads because it’s useful (not because it’s safe).
It’s powerful to think about a technology (and its implications) as something in motion: more than what it does, how does it spread? How fast, how broad, and how disruptive is the change? What drives it?
The primary driver of new technology throughout human history is utility. From the pointed stick to the smartphone, we adopt new devices and techniques when they let us do more, faster, cheaper, and better. With today’s tech hangover, it’s easy to forget just how fundamentally useful it can all be. You can search 15 years of your life in your email in seconds while grabbing coffee and instantly communicate with anyone in the world for free. During the pandemic, millions of us were lucky enough to continue our lives and careers in relative health and safety because of widespread digital innovations that are less than ten years old.
Now the bad news: a technology’s adoption is driven by its usefulness and not its safety. A powerful enough invention (like nuclear energy or the Internet) can remake our entire world before we have any clue whether it can also nuke us or ruin our fragile multi-century experiment with democracy. Given the compounding exponential nature of computing and information technologies in particular, it’s no wonder the resulting security and privacy implications are shaking our society’s foundations, reshaping geopolitics, and dominating our public discourse.
A technology’s adoption is driven by its usefulness and not its safety.
As computers do more and more for us every year this has become a race against ourselves with higher and higher stakes now felt by ordinary people.
Good security requires both creativity and common sense. The cybersecurity market requires neither.
When faced with the negative consequences of our technology, we have three responses: revolution, regulation, and more innovation. Each has its merits (it’s hard not to be a fan of the Reformation and traffic laws), but let’s talk about the last one. The automobile was invented in 1886, but modern seat belts weren’t invented until the 1950s, and the first three-point harness wasn’t patented until 1959 (thankfully Volvo gave away the patent). The 70+ years in which cars took over the world while still being deathtraps were the bad years: and that’s where we are with computers now. We know how to make them fast, we know how to make them ubiquitous, we’re just bad at making them safe. History shows that it takes just as much creativity to make a technology safe as it does to invent it.
History shows that it takes just as much creativity to make a technology safe as it does to invent it.
The cybersecurity software industry is massive: billions are spent every year on software to protect people and billions are invested in new companies. It is also, unfortunately, famously uncreative. Driven by a market for silver bullets, buyers drown in a flood of “next generation” solutions and are peddled AI technobabble by a cynical cybersecurity industrial complex whose major companies are (or resemble) private equity firms and defense contractors. Trillion-dollar companies operate SaaS platforms with billions of users and minimal roadmaps beyond commoditizing old ideas and old vendors via the market power of bundling. Barring a few bright spots, there are basically two types of products: software that blocks bad things and software that goes beep to alert someone to bad things. The paucity of new ideas is on display at the RSA Conference where you can find actual clowns in vendor booths unironically performing magic tricks.
Meanwhile, unrelentingly, the race against the expanding usefulness of our technology continues.
Good security makes users safer and more productive.
Most security software hides from the user (or worse).
If seatbelts were painful you wouldn’t wear them. When security software sucks to use or hurts productivity, users bypass it (almost always to everyone’s detriment). If you break the network they will tether, if you break their phone they will carry two phones, and if you break email they will use their personal account (a much softer target you’re not protecting) or just have the conversation in WeChat. Most traditional security software is typically sold to executives and so tends to be afraid of (and allergic to) end-users. It lurks, unnoticed and dubiously effective, in the network, the datacenter, and the system tray.
Two of the most transformative security advances this decade, ubiquitous Single Sign-On and dead-simple Multi-factor Authentication, took the opposite approach. Companies like Okta, Duo, and Yubico taught us to make it easy, make it usable, and to bring the user along. Once they’re implemented, they actively simplify workflows while reducing risk. Like a good seatbelt, they give us peace of mind so we can safely drive fast enough. When faced with a choice between security and productivity, the only viable answer is both. This is too hard to be worth it for many vendors and so it almost never happens. This is the last piece of the puzzle.
When faced with a choice between security and productivity, the only viable answer is both.
Material Security: Our Mission
Material’s mission is to make technology safer and human beings freer and more productive. We exist to make crazy new ideas (like protecting an account even after it has been compromised) seem obvious in hindsight. We implement these ideas seamlessly by using ubiquitous tools in unexpected ways that make them look easy. We are thoughtful but pragmatic, we measure risk, and we try whenever possible to learn the lessons of history. We also work our asses off for our customers.
When we left Dropbox to start the company in 2017 (under the code name Stellarite), we didn’t anticipate how widely our ideas would resonate with the thousands of people we’ve met since. We were shocked to see so many world-class security practitioners share our product with their peers even with us in complete stealth mode. We lucked out with the best possible angel investors for the problem, and our Series A with Martin Casado and Andreessen Horowitz in 2018 was providential. The founders and early employees built this technology the right way: with obsession and love and in close collaboration with the best early adopters at iconic companies thousands of times larger than us.
Best job in the world. Back to work.