Virgil Security is a three year old startup focused on application layer security for the IoT domain, with open source libraries, tools, and a universal API designed for software engineers and other end users who are not security or crypto specialists. For the firm’s two founders, Dmitri Dain and Michael Wellman, solving security at the developer level is essential for an IoT environment with billions of sensors and huge volumes of data. Baking security into an application at inception is essential.
For much of the cybersecurity industry the focus is on the network – rules based administration, monitoring software agents, information and message protection, compliance, certifications, rating systems, firewalls – with solutions marketed across specific industry verticals – such as healthcare, financial services, energy, government, education, insurance, and e-commerce. Complimenting this network focus, many cybersecurity firms provide consulting services to dovetail their product and solution offerings. So, while figures vary slightly, put together, global cybersecurity is an industry currently valued at USD $120 billion in 2017 and expected to grow smartly into the foreseeable future.
Virgil Security seeks to turn the industry on its head and in Mr. Dain’s words “break the wheel” of centralized security by focusing on the needs of an overlooked constituency in the cybersecurity space – software developers and end users. Virgil seeks to empower them. Regardless of focus – iOS, Android, front end, back end – software developers are often ignored in the push to provide security with a network centric approach. Compounding the issue, most cryptographers specialize in math, not software development.
Virgil has developed a single set of open source APIs and SDKs that are crypto agnostic, interoperable, software language and political environment neutral. Everything is secured from the application onward with private keys for both the client and the server. The firm’s product security structure includes a Virgil card, a Virgil key, a digital signature, and configuration utilizing AES256-GCM encryption. The firm also offers a cloud based infrastructure to manage client and server public keys and their signatures while providing the customer full control over its infrastructure. For Virgil, the focus is security not compliance.
Their integrated solution mean any software developer or end user with sufficient skills or a desire to tinker can use Virgil’s open source software to secure any development application in any global market – even those with unique crypto security requirements or limitations – such as the U.S., Europe, Russia, China, or India.
To highlight the challenge and the opportunity, in China and Russia VPN connections are not permitted and thus securing applications, protecting data integrity, and maintaining software independence present unique requirements. Virgil’s software solutions take these limitations into account.
For example, if a U.S. based software developer needed to secure a Java based application using TCP/IP as the transportation protocol, he could use the exact same Virgil software solution pulled from GitHub as a software developer in Russia writing her application in C or Python and using a different set of transportation protocols. The same would be true for a developer in China or India writing in .NET and using SMB for transport.
Moreover, Virgil is developing software at the firmware level for a number of global IoT chipset manufacturers to provide further protection in a similar manner to what Apple has done for years with its operating systems, apps, and hardware to serve a global community of users. Virgil seeks to foster a similar ecosystem where confidence and trust are core attributes of each IoT device via interlocking functionality – application security, firmware integration, chipset safeguards – so that determining whether a hardware device is in fact an authentic IoT product of the company is a certainty, not a best guess.
Billions of sensors and other hardware coming online will communicate with humans and other machines. If the authenticity of these devices and the data sets they produce are in question, key decision makers will lack confidence in any derived analytics. The same challenge will exist for machine-to-machine communication. If a sensor network lacks confidence in one or more nodes, perhaps due to sharing corrupt information or questionable public certificates, the integrity of the network and its data will clearly be at risk. In the near future, direct communication among hardware devices without human interaction will monopolize the IoT space. Centralized security in an environment dominated by network cyber solutions is simply not a viable option where networks will auto negotiate in real time and potentially create their own communication protocols.
To Virgil’s knowledge, no other cyber security firm focused on application security and providing solutions to those most in need – software developers – to secure IoT software and hardware deployments in the same way on a global basis, regardless of the country jurisdiction. Competitors certainly exist in the form of established participants – Symantec, Netcraft, Cisco, Microsoft, IBM – and other startups – Enveil, Baffle – but the former are very much part of the centralized cybersecurity landscape and the latter are focused on data security in the cloud and threats from within an organization.
As a strategist, what I find most compelling about Virgil Security is their deep understanding of the global cybersecurity industry, its drivers of profitability, the trade offs made by current rivals, and the key sources of potential competitive advantage. Concerns include some of the usual challenges startups face – execution, pressure to scale, serving different customer segments, and the potential for new rivals as Virgil gains traction.
On a couple of occasions, Mr. Dain argued that “security is the value” being created by Virgil, but I am not sure I agree with that view. Virgil’s key customers – software developers and global chipset makers – are very concerned about security. As an end user of software products and services and as a decision maker at work, I am also concerned about security. However, in my view, the value being created for stakeholders by Virgil is confidence and trust in a rapidly growing IoT ecosystem.
During my two hour interview, Mr. Dain laid out a compelling case for Virgil’s approach. After our conversation, I reached out to some contacts – software developers to gauge their security expertise and current professionals in the cybersecurity space. Both groups confirmed Dmitri’s industry assessment – and indirectly the opportunity.
Furthermore, the firm understands the “why” of their efforts. Most companies – regardless of size – focus on the “what” and the “how”. As I speak with quite a few of them for potential blog posts, these conversations unfold in some predictable ways. But rarely do firms talk about the “why” – which is the core impetus and motivation for a company’s efforts – and therefore doing something genuinely unique. Simon Sinek gets to the heart of this topic in his TedX talk. Mr. Dain, implicitly covered the topic early on when describing the challenges software engineers face building security into their applications and workflow.
Solving the security problem for software development professionals represents a significant opportunity to help a key constituency in the crypto space and simultaneously reshape the cybersecurity industry on a global basis. As well known security professional Bruce Schneier has said, “Amateurs hack systems, professionals hack people.” Virgil Security is focused on helping a group of people at the heart of the ecosystem solve a set of challenges with tools that prevent cybersecurity problems from even sprouting.