SCS in a nutshell with Jean-Philippe Aumasson and Jonas Wagner
Switzerland has become a hotspot for security startups. Our program chair Christian Folini discusses this with his guests cryptographer Jean-Philippe Aumasson (@veorq), co-founder and Chief Security Officer of Taurus, and Jonas Wagner (@_jwagner), co-founder and Chief Technical Officer of Threatray. Both startups started in 2018 and both closed successful financing rounds. Yet this is about where the parallels end: Taurus has positioned itself as a go-to shop for anything around the management of crypto assets / digital ledgers (we’re trying to the obvious term here). Taurus is therefore using its FINMA licence to address banks and investors. Threatray in contrast is a deep tech startup that supports malware analysis with machine learning and strong indexing. Obviously Threatray’s market are security researchers and their labs.
This 4th episode of SCS in a nutshell discusses the plan behind the two startups, the technology, financing, growth, hitting your market, recruiting and much more.
Jonas Wagner, Christian Folini and Jean-Philippe Aumasson
Video of episode on youtube: https://youtu.be/lJDZJ5uCcJg
Pure audio podcast edition: https://anchor.fm/swiss-cyber-storm/episodes/SCS-in-a-nutshell-with-Jean-Philippe-Aumasson-and-Jonas-Wagner-e16e84p
SCS youtube channel: https://www.youtube.com/channel/UCY-Wb3JuBv_xpa8s6ZrpUxg
SCS in a nutshell podcast: https://anchor.fm/swiss-cyber-storm (https://anchor.fm/s/4e5c0668/podcast/rss)
Swiss Security Startup Map: https://cysecmap.swiss/
Dr. Christian Folini: Welcome to Cyber Storm in a nutshell. Today, we’re talking about start-ups. With me are Jonas Wagner from Theatray and Jean -Phillippe Aumasson from Taurus. Thank you, guys, for coming.
Jean-Philippe Aumasson: Thank you.
Jonas Wagner: Thank you for having us.
Dr. Christian Folini: Jean-Phillippe, you are a scientist and cryptographer, you’ve worked for Kudelsky many years, you had one of these rare scientific positions in the industry, I presume a certain salary and you gave this up to work in a start-up, to fund a start-up. And on top, you continued to publish books and you’re also a family. The latest book you published was with your daughter, you look very healthy, you’re back from holidays – you still have holidays. How do you do this? What is your secret to this life?
Jean-Philippe Aumasson: Well, thank you Christian for this introduction. I don’t know if I deserve so many good words, but regarding the first point you mentioned, I’ve been working almost 10 years for the Kudelsky group. I’ve been lucky to work in different roles doing very technical stuff, learning a lot, doing consulting, working with software and hardware and at some point like many people you feel like, okay, I’ve worked in a big company maybe it’s time, at this stage in my career, when is the best time if I want to do my own projects, my own start-up. So that’s what I decided. So, I left Kudelsky on very good terms, it’s a very good company and I started these new adventures. But the time management, as many start-up founders know, it tends to be the most challenging part of it.
Dr. Christian Folini: Okay. And you started in 2018, I think, and Threatray also started in 2018. You have a bit of a different background, Jonas. You did your studies and out of your studies, you started Threatray.
Jonas Wagner: Exactly. So let’s say the core part of what we do was actually part of my master’s thesis. So, we had this university lab at the University of Applied Sciences in Bern, and we developed algorithms around analyzing malware threats and out of that came basically the fundamental algorithms that we now transformed into the product at Threatray.
Dr. Christian Folini: Okay. So this is what you’re doing, you researched something, which you thought is interesting, it kind of worked and then you guys decided, hey, let’s build a company around this idea, because apparently there is something to this.
Jonas Wagner: Exactly.
Dr. Christian Folini: So, you mentioned malware analysis. What is it that you do?
Jonas Wagner: So, from a technical background what we try to do initially is to have a new way of identifying malware threats. So, instead of looking at high-level patterns, as it often is done, we try to go deeper and try to identify code fragments of malware, because malware is just like software, right?
Dr. Christian Folini: So, we’re looking at code, threats are already code in software.
Jonas Wagner: Exactly. So, we try to identify, to re-identify, similar types of threats, to connect them with each other, which then allows you to very accurately identify certain threats. So not just say bad or good, but is it type A or type B or type C and then out of this idea basically came the product, because we’re very good at identifying that. And that’s a use case everyone likes to have on one hand and on the other hand, we also make these threats searchable, just like a search engine. So, you can go through millions of threats in seconds and say, well, have I seen this before? Have I been affected in the past by this? And out of that then basically came this product.
Dr. Christian Folini: So, you’re getting like a lot of malware samples and then you try to group them with algorithms. That sounds a lot like machine learning.
Jonas Wagner: Yes, we use some machine learning in between and we make it searchable and by making them searchable, we basically lift capabilities of identifying and correlating attacks to a new depth that is not easily doable or easily accessible for a lot of companies.
Dr. Christian Folini: So that’s a new thing that you’re doing there. Talking about new, you’re a blockchain start-up in the wider sense, Jean-Philippe.
Jean-Philippe Aumasson: No Christian, we’re not a blockchain start-up.
Dr. Christian Folini: But you’re working in cryptographic assets?
Jean-Philippe Aumasson: Yes. It’s related to the blockchain space but you’re right, many people are confused when they go to our website are like, what do you do? So ultimately, we talk not truly of blockchain, but of digital assets, because today there’s a big evolution whereby not on individuals, but also institutions and financial actors and even financial regulators, like Finmain Switzerland are moving into this space. So, what we do, we enable financial institutions, mainly banks, to work, to manage digital assets. So, when we say digital assets, it can be cryptocurrencies such as Bitcoin, Ethereumthe ones that everybody knows, but also digital currencies, such as DM, or if we have one, the digital Swiss Franc, and it’s also, that’s maybe what’s the newest: tokenized securities. So financial instruments that live in the classical finance squad but that can be represented as digital tokens on a blockchain or marginally on a digital ledger.
So, if you read the new law that was passed a few months ago in the Swiss parliament, it allows in the context of the Swiss law to work with tokenized securities, but the word blockchain is not even mentioned, so they talk of “electronic ledger”. So, going back to what we do, we are a FinTech, a financial technology company. We’re a technological company and we do the technology that banks can integrate or work with in a SAS model to manage, to store safely their securities. So storing is not like gold, the more you have the more stuff you need to put in a room, it is just digital. So, it is just one cryptographic key or a few cryptographic keys that you have to protect and if these keys are stolen, then you lose the money. So that’s the biggest challenge.
Dr. Christian Folini: That’s the biggest challenge, this is where you come in, because you bring that cryptographic knowledge to banks that don’t have it.
Jonas Wagner: Exactly. So, it’s like a security person, it’s security engineering, but maybe the most challenging part, at least from my perspective, because my background is in security cryptography, I’ve been doing this for 10 years, I know this in and out, but what is often quite challenging is to integrate this technology in the bank’s ecosystem, in the banks IT and to connect all the pipes, to make sure that your product doesn’t jeopardize the security posture, the compliance posture of the bank, because Swiss banks are using very strict procedures, processes.
Dr. Christian Folini: Oh, of course. So, compliance is a big challenge for you as well and your customers risk a compliance problem, unless you do your job properly?
Jonas Wagner: Right and we’re very serious because are regulated ourselves. We have a FINMA license, a security house license.
Dr. Christian Folini: Yes, that was the first time you really hit the news, when you obtained the license.
Jonas Wagner: Yes, so we’re in this funny situation where we are on the one hand a start-up, a bit young, a bit chaotic, but we cannot be so chaotic, because we are working with banks and we are also very strict in terms of procedures. So as Chief Security Officer of this company I’m responsible of making sure that we follow all the processes in terms of, for example, vulnerability management, working with malware detection, for example, change management, incident response, we are audited regularly by top firms. So we are very, very serious about it because we know that if we fail in terms of compliance, then it’s bad for us, it’s bad for the clients.
Dr. Christian Folini: Okay. I see that. So that is very different outset for you Jonas because you have the freedom to develop something, and market a few labs while you guys need to talk to top management.
Jean-Philippe Aumasson: Yes, it is maybe a different business model I think, from what I understand. So what you guys are doing is, I don’t know if it can be called “deep tech” but you’re already innovating at the core of malware detection engine. While our work also encompasses the architecture.
Jonas Wagner: And we have to integrate to a degree as well because in most teams you already have different tools. You collect logs, you collect binaries, you collect all different kinds of things and all of those technologies try to talk to each other, ideally, and then there are some technologies in between that try to make talking much easier and now comes our new technology and you need to tell people, well, where does this fit? What does it connect to? What’s the input, what’s the output? Then we also have to gain that understanding of where do we fit in.
Jean-Philippe Aumasson: How to integrate, how to connect to CMs and so on.
Dr. Christian Folini: But the problem you were addressing, how to integrate and fit together, I mean, that is a global market, a global community, and everybody uses the same tools I presume. More or less. While as you have now a Swiss license and I take it the regulation is different in every country. So, if you have to be so close to the regulation, it’s challenging to go to a bigger market.
Jean-Philippe Aumasson: So, on the one hand, so there’s the Swiss security license regarding the exchange that we are operating. I did not mention it, but we run this TDX.
Dr. Christian Folini: So, you’re a bit of a Jack of all trades when it comes to digital ledgers?
Jean-Phillippe Aumasson: Well, we try to, I don’t want to use the word holistic, but we try to provide all the necessary tools.
Dr. Christian Folini: The term holistic is used on the website, actually.
Jean-Philippe Aumasson: Maybe it is, but as a client, as a bank, you don’t want to talk to 10 different parties with 10 different…
Dr. Christian Folini: Yes, so you don’t bring anything “digital ledger” to a midsize bank who doesn’t have the know-how and doesn’t have the capacity.
Jean-Philippe Aumasson: Right, so for example, very simply we have both the technology to store the assets also to integrate them in your core banking and also to issue your own token. So, if you want to create a Swiss Cyber Storm coin tomorrow.
Dr. Christian Folini: Oh yeah, let’s note it.
Jean-Philippe Aumasson: And also security. So it is an important aspect, software security. We need to be able to demonstrate that our IT environment is safe, that we have logs of everything we do and that, for example, we’re immune to all sorts of malware. So I’m very interested about what you’d say [Jonas].
Dr. Christian Folini: Cool. But then you’re ultimately targeting a bigger market in Switzerland.
Jean-Philippe Aumasson: I mean, we are global. We have clients in Europe, we have clients in the US as well.
Dr. Christian Folini: And then with Swiss banking know-how you’re ready for the US market…?
Jean-Philippe Aumasson: Yes, we started locally because we are also the key to have in Switzerland a very mature ecosystem and financial actor that have been willing to approach this sort of digital assets and also a very pragmatic regulator, I think FINMA has been doing very good work in issuing new regulations.
Dr. Christian Folini: Okay. So yes, I mean, there is the point we could destroy this new market with bad regulation. So it’s how open do you leave it, how much you do we regulate it and you think Switzerland is doing a good job there?
Jean-Philippe Aumasson: Yes, I think because some people would ask you oh, do you believe in Bitcoin and blockchain. The question is not your personal opinion regarding whether you think it will be good or not, whether it will stay. We have to realize the reality is that it’s out there, there’s tons of money, billions and trillions of money invested, there are opportunities, so regardless of whether or not you like it, or believe in it from a business perspective…
Dr. Christian Folini: There is business to be made.
Jean-Philippe Aumasson: Yes.
Dr. Christian Folini: I think I got that, as much as that. What would you say, Jonas, is you’re doing something new, so that looks like, I was surprised this is new by the way, but the way you explained it to us, this is new technology. So you’re bringing something new to the market and I guess the competition is far different from what I understand is digital ledger start-ups. That’s a shark tank.
Jonas Wagner: Well, we do just B2B. So I don’t know if you guys do B2B, B2C or cloud-based.
Jean-Philippe Aumasson: B2Bs.
Dr. Christian Folini: But there are so many of these start-ups in this domain. I mean, the competition is huge, while as your competition (Jonas) is probably tough or selling is always difficult, but it’s not like a hundred companies who try to do the same thing that you’re doing.
Jean-Philippe Aumasson: Well, I would say the opposite actually, because even this morning, I was looking at the situation where malware detection and port security for different platforms and there are tons of vendors and the old ones trying to catch up, they are the new entrants, but in our space, there are very few companies doing the kind of thing what we do.
Dr. Christian Folini: Oh, really? So, for an outsider like me, it looks like it’s the same with that stuff…it’s not.
Jean-Philippe Aumasson: There are companies doing blockchain things, but companies doing banking grade, digital asset management, issuance, and storage, using things that banks can accept, there are maybe two or three players in Switzerland, and very few in Europe.
Dr. Christian Folini: So, you would say between a bank and a blockchain start-up, there’s a huge gap and you’ll fit in there?
Jean-Philippe Aumasson: Yes, because a bank that is regulated and that has constraints, for example, protection of client’s personal data, regarding lots of phones, it’s a completely different game than even small investment funds or individuals or small organizations that just want to make money quickly. It’s a completely different thing. And I think that sales cycles, I don’t know in your guys’ case, but if you work with a bank, you really have to get their trust because you will be in contact with, well, their founder directly, potentially with their client identifiers. So, it can be very sensitive and therefore it can take a lot of time to go through all the due diligence and evaluation processes.
Dr. Christian Folini: Until you have a partnership established.
Jean-Philippe Aumasson: Yes, it’s like, I guess if you run an antivirus, if you do malware detection, you might have to work with a kernel. You might have to be very low in the system. So I have a friend who is doing something a bit similar to what you’re doing and how to demonstrate that the economic model was not backdoored. They had to do a number of security audits to demonstrate that it was safe. So when you’re a new start-up, and also when you approach big companies, the big companies, they will tell you, okay, you’re a small start-up, you’re very friendly guy who does good tech, but do we know that in two years from now you will still be around, many of this has to be discussed at the beginning, you know?
Dr. Christian Folini: Yes, I see that. You’re not brand-new start-ups, you started like three years ago both of you, you’re still doing fine, you get investments. The way I looked at Theatray, this is a classic Swiss start-up story, guys. It’s a spinoff from the University of Applied Sciences, your team with Endre Bangerter, your professor and you launched a start-up, you got some investments. Would you say this is classical best practice or this is how it works in Switzerland?
Jonas Wagner: That’s hard to say or generalize. For us it worked well, we’ve heard of similar cases before of start-ups who basically got incepted out of research work and saw an opportunity, so it worked out well for us in this case so far. Yes, so far that worked out well.
Dr. Christian Folini: And you have a university background and then you kind of need the business know-how as well. It’s this is, in your situation, where the investors come in, so they are not only giving you a big check, they’re also giving you knowledge, tips, so you don’t have to fall into the traps.
Jonas Wagner: Yeah. So we’re both techies right. We come from the techie world.
Dr. Christian Folini: So you two guys run the company, basically?
Jonas Wagner: Yes, we run the company and the idea to get investors was not just money. That’s important as well, but also experience from this entire start-up process. So we have very little knowledge of business of how do we hire the right people, what are all the legal aspects that we need to consider, how to get from technology to a product, to the market. A lot of those angel investors became part of our advisory board and we basically built that advisory board purely for the reason to support us and extend our knowledge of this entire process; the entire aspects of building a company from scratch basically, just the technology and that was tremendously helpful: to have a lot of insights and past learnings being transported to us.
Dr. Christian Folini: Okay and for the investor it becomes interesting because they can like kind of control what is happening to the money, the closer they get to you…
Jonas Wagner: Yes, I also have the feeling they enjoy that. They want to be part of the process. They want to share the knowledge.
Dr. Christian Folini: So that’s the said real investor who has fun working with start-ups.
Jean-Philippe Aumasson: Yes, they’ve seen start-ups before and to say, well, here I can help, not just with money, but I’ve seen this situation, how about you do it like this because of my experience, I can tell you this works out best.
Dr. Christian Folini: Okay. So in your case, that is Ariel Lüdi from the Hammer Team, for example, Thomas Dübendorfer, well-known Swiss angel investors.
Jonas Wagner: Yes. So, they have a lot of experience in supporting the build-up of start-ups, they also have their own start-ups. So that’s extremely helpful too, to have these insights and these learning from people who have been in this industry for a long time, to basically profit from them and ultimately you need to learn so many things very quickly and that this tough, basic understanding of many different things besides technology and that really accelerates this kind of learning process.
Dr. Christian Folini: Yes, I get that. So there was a professor and a student. In your situation Jean-Philippe that was really different because you guys did not go to school together.
Jean-Philippe Aumasson: Not really, the names I hear from your board, I think you’re in good hands and one other person you mentioned, I had a discussion with him and I guess he will help you on this side is maybe a stereotype, but we as start-ups in Switzerland we tend to have very skilled, very good technology, very knowledgeable people, very smart people, very trustworthy people. But unlike Americans, we have a different approach to setting, to approaching the market. We’re not too much into the “fake it until you make it”, it’s like “make it and then try to…”
Dr. Christian Folini: To find a market: “By the way we have a product.”
Jean-Philippe Aumasson: Yes, and I think as young founders and as people with technical background, like I have we may be a bit naive or inexperienced, but sometimes what I’ve learned from my a few years of start-up is that we should not hesitate into not exaggerating, but being proud of what we do and being bold and telling confidentially to clients, what our stuff is doing because maybe you come from school, you have a scientific background. So the first thing you would say is that we’re doing this, but we’re not doing that, there is disgrace and those limitations and sometime it scares.
Dr. Christian Folini: Okay and does that make you uneasy to be bold and go out and say, we’ve solved this?
Jean-Philippe Aumasson: Yes, usually because you want to preserve your integrity, your intellectual honesty, your reputation.
Dr. Christian Folini: Maybe you’re a scientist, you publish books and you make sure there are no mistakes in the book.
Jean-Philippe Aumasson: I don’t know if I can be called a scientist today, but I stick to this in a scientific approach and going to the market selling stuff and doing business generally is a completely different game and intellectually in terms of integrity of communication is a completely different game you have to play. That was the biggest challenge for me.
And even now but I’m looking, maybe it’s a good transition with your question. So you mentioned we are co-founders and Taurus would never be here if I was the only one on board. I think the key people driving the company were Sébastien Dessimoz, Lamine Brahmini who have backgrounds, so they have engineer training, so they did the PFS so they would have the technical understanding and then they have the experience of working with big consulting firms and with financial organizations, private banks, hedge funds.
So they know the language, they have the network and I’ve been learning a lot, in terms of how banks work, how finance is working and that’s maybe our strengths, the fact that we’re complimentary also of the fourth co-founder who has a law background, he’s a lawyer, he worked with FINMA before. And when you approach a client, then you can talk the same language regarding whether you talk about legal aspects, you talk about financials, you talk about security cryptography, and then it’s easier to gain the trust of the other clients, because ultimately it’s just so cliche, but investors clan, they bet on people because the product will change, the world will change, but the people will stay the same.
Dr. Christian Folini: I mean, in the end, they buy you. And you are ready and you’re passioned, and they trust you to create a good product.
Jean-Philippe Aumasson: Right and they trust you in being true to yourself because they know you have skin in the game. So it’s in your interest to make the clients happy too.
Jonas Wagner: That’s a good point because it was funny when we pitched to the first couple of investors, we ask them, so what do you look for and they said: the team. Because sometimes they understand the technology, sometimes not, but it’s fine. They trust the team; they trust all the people who invest in the same team. So that’s kind of this network effect, but ultimately it’s exactly what you’re saying. It’s the team.
Jean-Philippe Aumasson: And Bangerter has a very good reputation and I know him as one out of the people in security, I respect the most in the country. So not the only one.
Dr. Christian Folini: And you talked about this network effect, so when the first investor signs up, then the other investors gets the signal, okay, we can make the step as well. Does that work out with your situation as well?
Jean-Philippe Aumasson: Sometimes in this aspect, investors want to feel they are not the only one to believe in the company but sometimes it’s from my experience, it can be the opposite. They want to be the first to have the best relationship and to be the lead investors and maybe to influence you, I don’t know. In our case, in the case of Taurus, so we did not start by working with VCs by seeking VC investment, we had quite a different approach. We did the first round of family and friends, we did an A series last year where we onboarded some new investors, including big blockchain foundations, including banks. But we don’t have pure VC funds as our investors. It might change in the next round but currently, we have, let’s say full control of the company. The founders did have majority equity in the company, but it’s also due to the nature of the company. I’m not saying that VCs are good or bad, it depends on your approach and as well as I mentioned, they can be very helpful, helping you, first of all, build the network and also, how to approach the market, because VCs tend to have a good network of other companies in the portfolio that they will help you find synergies and they know the mistakes not to make.
Dr. Christian Folini: Yes, I think that’s exactly the same. So it is not only money that you’re getting, but it’s a network of knowledge that you can then use, and otherwise you would have to buy this knowledge and that would be more difficult. Yeah, I get that.
When we look at your two companies Jonas, you stay the two techies learning that, and the investor you’ve mentioned, they’re fairly close to you. So they’re like on a day to day management they play a role as well. But if in your case, Jean-Philippe, you’re more a classical firm where you have founders, they already have an executive board.
Jean-Philippe Aumasson: So, we have a board, the company, we have an executive committee. So we have a structure that kind of resembles that of a bank because to be compliant with the bank, we need to have this, let’s say accountability, these specific roles. So, who is responsible for oversight, who is responsible for operations, and so on. So, we are very structured for these reasons.
Dr. Christian Folini: Okay, well, you are more flexible because you don’t have to be so clear.
Jonas Wagner: Right, the management is essentially the two founders that we have and then we have this advisory board that is more on a pool basis. If we need to know something, we go, and they’ll pick up the phone. Exactly, they do pick up the phone every time. We have the board, which also includes part of the investors and they obviously have a lot of knowledge in how to structure a board, how to on a high level manage a company as well. But ultimately, it’s still Endre’s and my decision to lead the company where we think it needs to go.
Dr. Christian Folini: Okay. Interesting and you’re like 8 to 10 people now.
Jonas Wagner: Exactly.
Dr. Christian Folini: What is your size now? Because you have the same age as a company.
Jean-Philippe Aumasson: Yes, we are close to 40 and it’s mostly engineers and with the HQ in Geneva, there is another office in Lausanne, where most of the engineers are.
Dr. Christian Folini: And you’re at the stage now where you launched your product, your services, you’re accepting customers, the first step is done.
Jean-Philippe Aumasson: Yes, we have clients. We’ve been lucky initially because I mean, to make a long story short, the first product we have our flagship product called Taurus Protect which is the technology to store and manage credentials. So the premise of the company was to find an exchange platform. So to have an exchange, we needed this kind of storage management solution. We looked in the market and we did not find anything satisfactory. So we ended up building our own solution.
Dr. Christian Folini: Ah, that’s interesting.
Jean-Philippe Aumasson: And the story is that in spring 2018 we had a meeting with a bank and they were telling us, they were also looking for this kind of solution and we tell them all, by the way, we’re building our own, we’re considering offering it to the market and they said, okay, so join our RFP [Request for Proposal].
Dr. Christian Folini: That is not the idea of the company.
Jean-Philippe Aumasson: But they were maybe 12 entrants inthe RFP and we ended up putting in the RFP and now we are working with a big private bank. So sometimes you have a plan initially in a start-up, it is good to have a plan, you need to have a plan for three years, but ultimately…
Dr. Christian Folini: …the market could be completely different. I think that is typical of a start-up, isn’t it? That as you approach the market you’ll learn and actually that a side product is much more interesting.
Jean-Philippe Aumasson: Yes, and it’s based ultimately in our position, we are really driven by the demand of the clients and their needs. So we try to listen to them because maybe we might believe as an engineer, engineers, “oh, this is exciting. You can try this new feature is so cool”, but then the client will say, well, from our perspective, from the business perspective, we want to support this platform that you may not like, and everybody has a different perspective. So you need to consider all aspects, both on the short term and long term.
Dr. Christian Folini: Because that again has an effect on the company and your long-term plan.
Jean-Philippe Aumasson: Yes, because also a client might say “we want this now in two months”, but you have to consider that there is this new technology being developed that would be matured maybe in one or two years and then the clients that don’t know it, they don’t understand it but in two years.
Dr. Christian Folini: And if you’re always running off the two-month projects, you’ll never beat it.
Jean-Philippe Aumasson: Right. And you will be left behind because a new start-up will be there. So, you need to do all the tactical stuff and all the strategical stuff as well.
Jonas Wagner: That’s very nicely said, because we also run into this several times. So on the one hand, you have this internal drive to create something cool out of this technology, but you still need to kind of manage it towards the market and target it towards the market and then the market is, I would say more short term in the sense of, I want this, I want this, I want this. But on the other hand, you still have to have your internal strategy for the next year, for the next two years. And as you said beforehand, sometimes you see things that the market might not see or not yet see. Maybe only certain parts of the market see that then you also need to have a little bit of a belief that what you’re building could be valuable in one year or two years. Maybe not now, but in a year.
Jean-Philippe Aumasson: Yes, the market might not be right so far.
Jonas Wagner: Yes, exactly.
Jean-Philippe Aumasson: Well, the real challenge for you is that the security market and specially, the cybersecurity detection market, it’s often driven by hype and the problem is that clients, they rarely have a way to benchmark to evaluate the efficiency of a product. So if you look at the big names, they have tons of marketing to do this and that maybe they have good products, I don’t know. But as a client, you have very few ways to measure how effective is it? Like you buy a new car, you drive the car, you can try it. But malware detection is very hard because you can detect everything. It’s easy to detect everything. You block everything. The hard problem is to know how to manage false positive, false negative, how to manage risk, how to integrate it in the platform, how to manage performance overhead.
Dr. Christian Folini: And the customer will not notice until he has used it for a certain amount of time.
Jonas Wagner: Yes.
Dr. Christian Folini: That is also a problem where I work. Okay guys. Next question: looking at your two websites when I did my research, one thing that struck me is there is a total absence of women in this game. This tells me, or might tell me two things. A: start-up world is a man’s world or B: you don’t need women because you have enough good men around. Who wants to pick up?
Jean-Philippe Aumasson: Hiring is a very important point in the company because I mean, as you mentioned hiring it’s also, you cannot afford getting errors. People is very important. So we are very diligent in our hiring process, how we talk to people, how we carry out interviews. This time we spend talking to people, listening to people and regarding diversity, that’s a conversation we often have because we want to be open, we want to moderate in terms of company culture to be open to your different opinions, different types of people. And regarding women specifically, so it’s not a surprise that when you put an open position for an engineer, a developer, you receive 50 applications, and if you receive 50 applications, you will likely receive 45 men, that’s how it is. Then you do the interviews and you hire the people that fit the best and you’re open to any profile. As a matter of fact, so we have two women in the companies and one who is an engineer and that’s how it is. The market is such that you put a job application, a job opening.
Dr. Christian Folini: But it’s not only a matter of recruiting, it’s also who is founding security start-ups in Switzerland and apparently you guys are all male founders and in your company is it’s all males as well. So there seems that founding a security start-up, it doesn’t seem to be very interesting or less interesting for women and apparently, the pool is smaller.
Jean-Philippe Aumasson: I think it’s evolving, I see more and more women entering this game. So of course, when you’re a minority entering a world, then you have all the problems of being a minority. But I think it should not be about you finger pointing but just being open and maybe stating maybe on your website that, okay, you’re open to every application, you encourage this. Some companies have kind of affirmative action or positive discrimination, some people chose not to do this, I don’t think there’s any good or bad, it depends on your ecosystem, but ultimately what matters a lot it’s the company culture, because many companies they do greenwashing, they put “diversity” on their website but it’s completely hypocritical because internally they don’t have good company culture. So what we really enforce in the company is a culture of respect, of respect of opinions, avoiding politics and when someone is, let’s say not in line with this, we respectfully tell the person, okay, this was not okay, please be careful next time.
Dr. Christian Folini: Good. And as you were apparently smaller, is that a problem you already have, or that you’re looking at, or this is something for next year when you’re approaching the 100 employees?
Jonas Wagner: So obviously we also want to have an inclusive culture and we have cultural values that we hire for ultimately and if it doesn’t work out, then it doesn’t work out. But I think it’s a very important point, as you mentioned before, and to have this proper process of hiring and selecting, because if you’re so small, you cannot really make a lot of mistakes. Otherwise, you end up in the ditch and so the hiring process really has to be focused on avoiding mistakes very early on and we tried to optimize for that and again, it’s good to have people who have done this and created this process before. I think we also want to drive culture, it’s not as specked out as you mentioned it before. We’re not there yet, but that will come as well with growth.
Dr. Christian Folini: Okay. Jean-Philippe you said when you do have an engineering position open, you seriously get 40 applications?
Jean-Philippe Aumasson: Well, I just made up this number. We get an overwhelming majority of men.
Dr. Christian Folini: Yes, but you get a lot of applications when you have a job offer?
Jean-Philippe Aumasson: We tend to receive a lot of applications.
Dr. Christian Folini: That is great because what I hear for other company is, they are scratching …
Jean-Philippe Aumasson: Well, I said applications, I did not say good applications.
Dr. Christian Folini: Sure, but only the best people are working for you, I presume. So you weed out all the bad ones and you identify them quickly, but still, at least you can choose.
Jean-Philippe Aumasson: Yes, we do our best, but for certain roles is relatively easy, for other roles it’s much harder. What has worked well is leveraging your network because people join a company, or when you join a company, well there is of course the salary, the job. But for many people it’s, well, you join not a new family, but you join new world and you join people. And it’s important the first impression you make on the person you talk to. If you are rude, if you’re not respectful… you know, people they will forget the words, but they will remember how you made them feel. So, you want to be very welcoming to people and people talk or when you do an interview, the people you interview, even if you don’t accept them, they will talk about you with their friends, with their colleagues and word spreads. So we try to be very, very careful to this and to respect the time of the people we interview both in the positive and negative ways, so we don’t want to waste their time, but we value their time and we take time to answer everybody’s questions.
Dr. Christian Folini: Yes. I guess that’s – you said this before – you’re not allowed to make a lot of mistakes because if you’re hiring, let’s say a bad apple in a small company that drags you down really.
Jonas Wagner: Yes, for us, it would be a tenth of the company.
Dr. Christian Folini: A tenth of the company and five people are affected and then you have quarrels.
Jonas Wagner: Exactly, if you have five hundred people and one or two people are bad apples, it doesn’t fall so much into the way, but with 10 people…
Jean-Philippe Aumasson: We’re lucky in Switzerland, in the management, the work environment, we tend to have a culture of respect of listening to others. That’s good. But if you work with many remote people, you might have in, especially if you work remotely, you don’t have people face to face and the language barrier, the cultural difference, you have to be careful to avoid misunderstandings.
Dr. Christian Folini: Absolutely and that naturally creeps in.
Jonas Wagner: Especially when you work with engineers who tend to lack people skills.
Dr. Christian Folini: So recruiting is still possible in Switzerland: You find people, it depends on the position, but it’s not like the big corps have eaten up the market and everyone who wants to work in Zurich.
Jonas Wagner: You have of course the big companies that we know in Zurich but sometimes it’s the other way around. For example, we hired some people who left Google for a variety of reasons. But I believe in Switzerland, we have some good companies, we have some good schools and the challenge of course from the school’s perspective is to provide training that kind of matches the IT technology evolution and that matches the needs of the market and it’s really hard because I mean, two or three years from now all the cloud-based systems, things like Kubernetes was not the same in terms of low level processors, and now are much more let’s say relevant than it used to be 10 years ago. So also schools need to adapt.
Dr. Christian Folini: And you see them doing that? Or is that a topic, where you studied at BFH? Like let’s produce graduates that fit the market, like train for future jobs?
Jonas Wagner: Yes, I mean, the education I had at the University of Applied Sciences was truly applied. So we learned a lot of concepts that you can actually apply in the industry. It’s a bit less theoretical and a bit more practical, let’s say programming courses or a lot of the malware courses and cybersecurity courses that we have are actually a good amount of knowledge for a foundation on top that you can grow.
Jean-Philippe Aumasson: And that’s something, that’s a point I agree with, we have this in the Fachschule, and we have people who do very applied stuff than to work with industry a lot. So it gets students very close to the market, doing actual things and then we have EPFL, ETH that tend to be more fundamental. But generally, both places they tend to do their best to be close to industry, to the real world, so to speak, which is not the case in every country.
Dr. Christian Folini: Okay. So that is something that works in Switzerland, you think?
Jean-Philippe Aumasson: As a French person, as a French citizen, I appreciate this.
Dr. Christian Folini: I was going a bit in that direction, that’s interesting to learn. There is a map of security start-ups published by Dream Lab Technologies and it’s a huge map, a surprisingly big map. It just shows how many security start-ups there exist in Switzerland. I don’t know if you’re familiar with all the names, I don’t understand what most of them do, many of them, I’ve never heard the name, but apparently, they exist. Why do we have so many security start-ups in Switzerland? Is that a Swiss thing about security? We tend to think it’s a Swiss thing, is that true? Or would Austria or Italy have the same or a larger amount of security start-ups? Do you even know?
Jean-Philippe Aumasson: I think there are multiple factors into play that like we’ve ever seen, but the ones I’ve observed. So there are of course, like you mentioned, the tradition of Switzerland in terms of security, privacy, and some countries trusting Swiss laws with technology and Swiss people. There is also support from the public sector with initiatives, I mentioned for example EPFL, they have the center for digital trust. They had the Trust Valley. They had projects that were also supported by the local politicians by the Geneva Canton, the Vaud Canton. So there’s this push from the public sector and of course, another factor is the need or the perceived need because we have, let’s say much more reliance on IT and that’s all the things we see in the news every other day, there’s all the ransomware. There are all the hacks in the blockchain defined space. So, from an emotional perspective, what people get out of this is that there’s a lot of things to fix, there are a lot of things to do. It’s not really fixed so far and then people try to seize the opportunity. Maybe they have new ideas, maybe they’re motivated by making money. There’s a lot of reasons we have many start-ups now. So the question is what is the return on investment? What will be the success rate?
Dr. Christian Folini: That we’ll see, but do you think it’s an active scene and people are interested in that.
Jonas Wagner: I think too to add to this list is also, we have plenty of investors and people that are interested not just in security, but in general, if you look at, for example, the Swiss investor club that grew immensely over the last couple of years in terms of the members and in terms of the investments and the amount of investments they did. So, there’s really a good ecosystem in Switzerland since a couple of years now to actually start a company and find funding for a company.
Dr. Christian Folini: Good, so would you guys generally say it’s a good thing to start a start-up, you would recommend that?
Jean-Philippe Aumasson: Yes, it depends. It’s always a learning experience regardless of the route you follow. Of course, there are companies that have many different profiles. Every company has its strengths and weaknesses. But from my own perspective I feel some companies enter the field and some of them are, let’s say trying to leverage the fact that we are a Swiss company, but to approach the global market, I feel that even though Switzerland is respected, having a Swiss-made label is not sufficient anymore.
Christian Folini: Maybe it works in Germany and France, but beyond Europe, doesn’t sell that much.
Jean-Philippe Aumasson: In the countries you mentioned, there are also some companies that are successful because the big companies in these countries and the government for sovereignty reasons they want to, they have to, or they prefer to work with local companies. So you have company in Germany or France, they only work with companies from that country that do not want to work with Americans for good or bad reasons.
Dr. Christian Folini: Great. Thank you guys for joining us, thank you for watching and listening on Swiss Cyber Storm in a Nutshell.
This was probably the last edition of this year and the next real thing we’re doing is the Swiss Cyber Storm Conference on October 12th here in Bern, in the Kursaal. This is going to be an on-site conference for good or worse, but we really try to push through and see you at Swiss Cyber Storm on October 12th. Thank you.