SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Interview: Hivint's cofounder on Security Colony & the power of the hive approach
Mon, 13th Nov 2017

Nick Ellsmore is building the infrastructure needed to tackle cybersecurity as a collective threat. He is the co-founder and Chief Apiarist of Hivint and Security Colony.

“The names and title come from bees. Even though bees only have a lifespan of a few months, a hive can possess communal knowledge running back years. We are trying to create that kind of collective response to cyber threats. We want to enable organisations to adopt solutions to problems that they haven't even yet seen because someone else has already confronted it.”

Hivint is Australia's fastest growing cybersecurity consultancy. Security Colony is poised to exponentially expand into the international market — having just secured a US launch through the joint AustCyber and Austrade landing-pad programme.

MitchelLake's Robin Block sat down with Nick to understand what a collective approach to cybersecurity means and why it is a necessary move for the industry.  

What does collective security mean — have there been challenges in getting organisations to cooperate?

Nick: The inspiration for the company was to break down silos. Security Colony is a collaboration platform that is then fed by our consulting business Hivint. The whole thing, however, is about taking solutions that are created in one organisation and making them available to others who need them.

We have never received any significant pushback from security industry professionals. The most common concern expressed is that we are cannibalising our own market. But, I think that anyone who understands the field can recognise that the market is so big and growing so fast that we are never going to run out of problems. Sharing solutions will just raise the bar for the whole industry.

The largest challenges we face have come from legal and commercial departments. However, once we sit down and explain that we are going to de-identify the solutions, and take out any sensitive data, people are generally receptive. The reality is that most companies don't want to compete around security.

They want to outdo their competitors through products and service — not the security of operations. Sharing information allows everyone to get better — it is a win-win situation that creates better solutions more efficiently.

How do you approach running and growing the business?

Nick: I have always thought that one of the greatest sins you can commit as an organisation is to be boring. A large part of our recruitment strategy comes down to brand - there are a lot of talented people out there looking for interesting problems to solve, and an opportunity to be themselves. If you've seen any of our “No Bullsh*t Briefing Notes”, you'll know what I mean - we're not shy about taking a position on things and are allergic to corporate blandness.

When looking to bring on team members, we look for people that want to think differently, undertake interesting projects and solve problems. If I ask my team what they think are the important problems on which we need to focus — I want multiple answers and I want them passionately held. I would never recruit someone who is just hopping between consulting firms looking to push the same cookie-cutter solutions on every client.

Is there an ‘end game’ for the business — where do you think the cybersecurity industry is headed?

Nick: There are a number of end-games for the company. The key variable is Security Colony. Hivint and Security Colony, in many ways, have different dynamics. Hivint is growing and is currently the larger business.

But Security Colony is both an international business and very scalable. It could easily dwarf Hivint in the next few years. The evolution of the business depends on where that goes. When you are growing as fast as we are now, it's hard to look beyond the next year.

The industry has spent so long trying to get boards of directors and governments to start paying attention to cyber that, now that we have their attention, we don't know what to do. The big challenge is that many of the problems are so intractable and engrained in the system that there are no easy answers.

There is no economic incentive for software manufacturers to write better software; there is no economic penalty for organisations that ship insecure products, and there is no real appetite for regulation to change those economic structures. I think it is hard to see a way through that. In many ways, we are almost back to where we were 5-10 years ago — undertaking full reviews of organisational security strategy to basically start again. The key is to make sure that we do a better job this time around than we did the first time.

We ask people to trust us — I think that means honesty in marketing and honesty in delivery. I think there is so much genuine work to be done in cybersecurity that there is no reason to ever push programs or projects on clients that they don't need.

We are all competing against the same bad guys — not each other. If anything, the adoption of that sentiment is the main change I want to see in the market. The facilitation of that change is exactly why we founded Security Colony.