Digital Bond was born on October 5, 1998. We turn 25 this month. In this article I’ll highlight the biggest failures and lessons learned, and next week I’ll crow a bit about the success.
Swing(s) And A Miss
In 1998 the dot com bubble was ballooning. With $75K of friends and family money and no salary, Roger and I started the company to develop a smart card based solution to digitally sign stock transactions in the new day trading market. Our product would by your digital bond that the trade was authentic. It would prevent spearphishing, watering holes and other attack techniques not yet named.
We had demos on how easy it was to capture credentials and use other peoples money to do profitable shenanigans in the market. And how our solution thwarted these attacks. Some interest and testing in a big brokerage, but never a big beta test customer.
Why did we fail? I could have done better with the sales/marketing/bizdev. The fact that we didn’t see this type of protection until 20 years later with Google authenticatior and other phone based solutions probably means the market wasn’t ready. Largely driven by the level of fraud being low enough to not require a solution. We were way too early.
Not wanting to raise more money and desiring a paycheck, we started consulting and security product resales. We were Checkpoint, Cisco and PGP/NA certified resellers. Security product resales were/are low margin. And installs on poorly designed and maintained networks we saw in Florida made many projects high wire acts. “It worked before the firewall was installed” led to too much unpaid support. My favorite was a Saturday install when the UPS started smoking and set off the fire alarms. We were blamed. Fortunately we hadn’t connected any cables yet and were quickly cleared.
Roger and the dev team left the company. They didn’t like consulting.
We shifted to focus on consulting, primarily assessments, and opened up a second office in Jacksonville as part of a “dominate the Florida market” strategy. We abandoned this approach in 2001 because there wasn’t enough business. Even the largest vendor Florida cybersecurity vendor topped out at 5 people and mostly focused on firewall installs.
There were some sleepless nights during this timeframe when I was unsure on a Wednesday how I was going to make payroll on Friday. Credit card cash advances, slow paying bills, and exhausting savings met payroll, except for me of course. Often when you read these stories it’s followed by a big success. Unfortunately, not the case here.
We finally started to have some success when we moved to cybersecurity consulting outside of Florida, which eventually led us to stumble into the “SCADA” security world.
Not Hiring A Great COO
There were multiple times in the 2005 – 2013 timeframe when we had a team of ~10 great consultants. To sustain this number and grow we needed someone who excelled at leading operations. I could market and sell. I was great with the client. I could lead and perform on a project. And I am not a good manager, probably a lot worse than not good, and not good at the planning required to run multiple teams on multiple projects. I could force myself to do it for months, but lacked the staying power.
Digital Bond needed a COO, or CEO, with those skills to grow from 10 to 25 to 50. There was enough business, but like many in small business will tell you we had cycles of: get a lot of work, focus on doing the work, have no work, rinse and repeat. The only good thing was I could always think of interesting research projects for the team’s down time.
There were two people who I seriously went after, good money and equity, for this COO role that I still believe would have been great and might have Digital Bond as a 100+ premier OT security consulting practice today. One was an immediate no and the other was a yes … until a counter-offer came way over the top of my offer.
It’s not a great revelation that getting the right leadership team in place is required for growth over a 10 or 15 person firm. I should have made this a higher priority and even taken a chance with someone I wasn’t 100% comfortable with.
Too Much Government Money
In 2007 – 2008 we were cranking on the research front with government funding for our Bandolier (ICS Security Audit), Portaledge (ICS SIEM), and QuickDraw (ICS IDS signatures and preprocessors). The team was great, the best ever assembled in private industry to that time, and probably until Dragos in 2017. The projects had a lot of buzz. The USG was very happy, highlighting the projects in congressional testimony, and ready to approve the next and much larger round of funding … and then the 2008 financial crisis hit.
The Recovery Act was passed which meant even more money. Great! Right? Nope. The USG procurement had to spend $787B very quickly. Our 7 figure contract was tiny and got set aside because the priority was getting large dollars into the economy (lots of smart meter projects). Don’t worry, it’s just a delay. Your project has all the approvals. The problem is paying salary for a team of 10 talented people is a big hit on the wallet. A few moved over to consulting projects we were able to get on short notice. The rest were told to go look for another job while we kept them on the payroll. More “how are we going to make payroll” sleepless nights.
They were all talented and quickly found other work. I didn’t need to fire anyone, and all made more money. Still some took jobs they liked less than what they had at Digital Bond and their previous employer.
Freelancer Not An Entrepreneur
This was a major blow, and at least the fourth time an approach to the company fell on its face. I gave up. Not on the company, on trying to grow the company. I never had trouble finding an interesting and profitable project to work on and was really enjoying learning about the physical processes and key mission metrics of the various sectors using OT. I decided for the next year I would not try to grow Digital Bond. Just do projects, enjoy the work, and make money.
What a surprise. It worked. A profitable and enjoyable year. And then another. And then another.
Seth Godin has a riff about the difference between a freelancer and entrepreneur. I wish I had heard this years earlier. It likely woudn’t have made a difference because I came up in the late 90’s entrepreneurial mania. Even after this epiphany I fell for the entrepreneurial bug a few times. It is enticing the idea of growing something big and cashing out. I’m not a good entrepreneur, and I’m a damn good freelancer.
Too Long To Realize S4 Isn’t A Hobby
We started S4 in 2007. There were about 40 people in one room for two days. While the early years had some difficult twists, such as a softcover Proceedings book and live streaming / virtual attendees way back then, it was not too much work to put on. It grew into the hundreds of people. We tried S4 in Europe and Japan. It all was run as a time available side project. It helped grow the personal brand of the Digital Bond team and led to some consulting work.
In 2014 we finally hired some help, but still struggled on with an in between consulting gigs approach until in 2017 I realized I either need to treat it as my main project, make it smaller, or stop holding it. S4 has always been my favorite activity because it exposed me to the bleeding edge ideas from the best in world talent. It was a creative outlet.
Since 2017, S4 has been my main focus, taking at least 2/3rds of my time. I believe it shows in how the size and quality of the event has grown. People were telling me to do this much earlier, but for some reason I stubbornly refused to give it the time until I was forced to make a decision.
Those are some of the failures and lessons learned, and this article could be 10x as long. There is a lot I’m proud of over the 25 years, and I’ll write about some of that next week.