http://www.businessweek.com/smallbiz/content/apr2005/sb2005045_4318_sb013.htm Edited by Rod Kurtz APRIL 5, 2005 The security guru and fiercely independent creator of free software tool SATAN explains why he teamed up with VCs to launch Elemental Software Most computer aficionados associate Dan Farmer with the word "free," both in terms of spirit and software. In the early 1990s he co-wrote and released for free a software program called SATAN (System Administrator's Tool for Analyzing Networks), which helps companies take a good look at their computer networks and identify any weak spots. When Farmer first released it, many in law enforcement worried the program would help the bad guys break into computer networks, while colleagues in the computer-security world figured he was giving them the tools to keep the bad guys out. A former Marine who applied for and received conscientious-objector status during the first Persian Gulf War, Farmer has always done things his own way. He became one of the tech industry's leading experts on computer security, working as a consultant and occasional employee for companies ranging from Sun Microsystems (SUNW) to Geffen Records (V). About two years ago, Farmer decided to start his own company, Elemental Security. He and engineers at the San Mateo (Calif.) software startup have built a package that allows corporate-tech managers to devise and implement security policies. They took the wraps off the technology at a security conference in Orlando (Fla.) on Apr. 4, but Farmer spoke with BusinessWeek Online Technology Editor Jim Kerstetter a few days earlier about his devilishly named free program, and why he's happy to be Elemental's chief technology officer rather than CEO. Edited excerpts of their conversation follow. Q: The release of SATAN generated quite a buzz. How did your work on that eventually lead to Elemental? A: We just released SATAN once, and that was in '95. I had this great idea of writing a book in '96, a compendium of security. Sort of like the project [French philosopher Jean-Jacques] Rousseau did on the Age of Enlightenment. One area we thought we knew a lot about was auditing. But we discovered after a year or two that auditing is really hard. I suggested, let's scale back and work on forensic security, because no one was working on that at the time. We put out a forensic-tool kit, back in '99, I guess. I was also doing some work for the recording industry at the time. Q: Really, on what? A: Back in I think it was '99 there was this young company just starting up called Napster. I had never heard of them before. But I was doing some work for a friend of mine at Geffen Records. And he asked me to do some technical due diligence on the thing. This turned into being an expert witness for the recording industry against Napster. People would ask me: "Hey, you gave away software. Why can't they give away music?" But it was a choice I made. Napster was predicating its business model on violation of copyright. I happen to believe in copyright. Eventually, I won a gold album from the recording industry for this whole trial thing. And this eventually led into the whole Elemental story. Q: Why did you finally start a company? A: I had been offered a lot of money over the years for things like SATAN, especially during the boom years. I thought if I could start a company now [in 2002] and make it succeed, there could be some merit to it. Bessemer [Ventures] and Mayfield [Ventures] funded it, and later in a second round they were joined by Sequoia. Q: What was your elevator pitch? A: It was about policy management. What is a policy? It's an expression of your desire. If you are talking about computer security, you know what you want: You want your systems to behave in well-defined ways. You don't want surprises. You want a list of things you wish to see happen. The hard part is expressing those desires in a way that is meaningful to computers. Automation is the key here. Express your desire, and find a way to enforce that process. That sounded like a great idea to me. Q: You've been pretty independent over the years. So there must have been a serious crossing-the-Rubicon moment for you. A: Oh, absolutely. One of the big reasons I didn't start a company before is it's a lot of responsibility. We're up to 35 employees now. I can't say all 34 other people are depending on me for their livelihood, but they wouldn't be working here if they weren't. You really have to give your heart and soul to the company for a considerable length of time. I was pretty confident the idea was sound, and the technology would work. But the real reason I started the company was, if I could have done it myself and written it and given it away, I would have done it. I had no burning desire to start a company. But the idea was so huge, there was no way I could have done it myself or with a couple of pals. The resources a company gives you allows you to take on bigger challenges. Q: Do you get sentimental about your independent days? A: Oh yeah, all the time. Elemental probably won't last forever. If it does, great. But at some point, I'll probably go back into research mode. If there's one thing I'll never run out of is ideas. I'll probably go back at some point to writing free software or something like that. Q: So it sounds like you never thought you'd be the guy running the company. In fact, security industry vet Peter Watkins is running the show. A: I'm not a business guy. I'm not a manager. I believe I understand the problems and strategic issue. But the tactical matters, how to raise the money, raise the company. I'm a really huge believer in marketing and messaging. Part of SATAN's reason for success was its name: System Administrator's Tool for Analyzing Networks. That acronym propelled it to a lot of places where it wouldn't have gotten much visibility. I think the power of names, the power of messages, the power of how people perceive things is really crucial. The technology by itself, if no one knows about it and no one uses it, is pretty useless. Q: Do you see Elemental staying independent or getting acquired by a bigger security company? A: That's a good question. I think, by and large, the investors feel if all things are equal, most people would prefer to see a company stay independent. On the other hand, acquisitions can generate a lot more cash, and people are vacuum-cleaning these companies up. But the basic model for the company was we weren't going to hit just one little niche. We started from a pretty broad base. We had to have a broad product from the start. Perhaps it makes us a little less desirable takeover target. I don't know. _________________________________________ Network Security - http://www.auditmypc.com Free vulnerability test - How secure is your computer?
This archive was generated by hypermail 2.1.3 : Wed Apr 06 2005 - 03:20:29 PDT