Start-up stories. “Security is always going to be a tough sell”
30 July 2018
TEISS talks with rising star, Samuel Scott, Founder of Kee.sh, as part of our ‘Start-ups and their Stories’ series. In this interview, Samuel talks about the cryptographic community, the challenges of secrets management, and the importance of taking a leap of faith in yourself.
What’s your idea?
We want to make it simple for companies to build and maintain secure applications and infrastructure. We provide a service to automate the provisioning, distribution, and auditing of application secrets. These secrets can take many different forms, such as API and encryption keys, certificates, credentials, and passwords. The challenge is that they need to be tightly controlled, since they control the access to all forms of systems and data. With kee.sh, companies can have the confidence to push forward with fast development and modern DevOps, without compromising on security.
What’s the story behind the idea?
Recently in the cryptographic community, there has been a push to lower the barrier to using secure cryptography. For example, tools which allow people to communicate securely without needing a technical background to operate. I think this is a fantastic goal, and is really the same place that we are coming from. Ultimately, we want to make a secrets management product which is easy for any company to deploy.
Who is your target audience? Who might benefit from it?
Following on from the above, eventually we want this to be a product which most companies would be comfortable using. Initially, however, we are looking to work with companies either moving to the cloud, or hoping to embrace modern DevOps practices with automated CI/CD pipelines. This is when secrets management becomes particularly tricky, and having a solid solution in place can help make sure development, operations and security all work together from the start.
What’s your USP?
Secrets management is deceptively hard to get right. However, my PhD research revolved around solving tough problems in cloud key management, as well as contributing to the upcoming TLS 1.3 specification. Both of these have definitely given me an appreciation for how hard it can be to design something which is secure, meets varying requirements, and is easy to use. Kee.sh is a fresh take on secrets management, and we hope to embody the rise of DevSecOps, bringing three typically distinct roles together.
Which stage are you at?
We are currently funded by the Cornell Tech Runway Postdoc programme, and Highland Capital’s Cybersecurity Factory accelerator. We’re still an early-stage company, looking to find partners to pilot our technology and hoping to raise seed funding starting in the first half of next year.
Do you have any clients yet? Are any of them paying clients?
We are in conversations with a number of companies, who acknowledge the difficulty and significance of the problems we are solving. The next step for us is to convert these conversations into concrete pilots, and eventually paid trials.
Is there a quote that inspires you?
“Truth builds trust.” – Marilyn Suttle.
I think this nicely embodies the values of the company, as well as what we are offering.
Is there a place that inspires you?
My wife and I just moved to NYC this January, and from what we’ve seen, I think it definitely deserves its reputation. There’s an amazing diversity of people, perspectives, experience, and talent.
Do you have a mentor?
Thanks to Cornell Tech and the Cybersecurity Factory, we have a fantastic pool of mentors and advisors to talk to. To pick a few key people, my connection with Cornell Tech started with professors Ari Juels and Tom Ristenpart, who continue to be great technical advisors, and between them have an incredible amount of research experience. Additionally, Anthony Bettini from Tenable has been wonderful to work with, and has shared a lot of advice from having been through the process of starting a security company before.
What is your advice for people with a cyber idea?
Security is always going to be a tough sell. Large companies will have a list of thousands of security issues which need to be addressed. Either you need to be solving an issue from the top of that list, or your product needs to make their lives better in some other way.
What have you learnt through the process?
One piece of advice I was given many times is that you should understand your market and your customers before writing a single line of code. Although this is valuable advice, and a mistake I am sure I would have made otherwise, taken to the other extreme this advice can become paralysing. For me, the lesson was that, yes, take time to evaluate your market before leaping blindly into product development, but equally important was to take that leap of faith in yourself, and your idea, so that you can start to build something and put it out there. You have little to lose, and a lot to learn. Adjustments can be made as you go, so get out there and start pitching your idea and see what comes back.
What have been the toughest challenges you’ve faced along the way?
This initial phase trying to come up with an idea has been a bit of a roller-coaster. You come up with some new ideas and get excited, but then discover someone else is doing something similar. It’s very easy to look around you and decide that everything has been done before, and doubt whether you have something unique. There are striking similarities with PhD research, like when you finally stumble upon a particular search term, and find dozens of papers covering exactly what you have been attempting to do.