“Privacy is a basic expectation and human right, but it’s something that should never create any friction or slow down the speed of technological advancement.” – The Evervault Encryption Manifesto
Security isn’t exactly the most glamorous part of development. There are plenty of shiny objects that can seem much more exciting – beautiful UX, new features, speed and stability. But getting security right from the start is essential, and that means encryption.
As Shane Curran shared with us ahead of his talk at Turing Fest 2022, security is a key part of building things the proper way. Shane is founder and CEO of Evervault, a Dublin-based data encryption company enabling developers to collect, process, and share sensitive data securely without any added friction.
Evervault’s “encryption as a service” infrastructure encrypts sensitive data before it ever leaves an individual’s device, then processes it in a tamper-proof “Cage” that only the data owner can access.
In their Encryption Manifesto, Evervault shares their big mission: to encrypt the web and end data breaches. So far, they’ve raised $19.4 million to support this, from firms like Sequoia Capital, Kleiner Perkins, Index Ventures, SV Angel and Frontline Ventures.
We’re thrilled to have Shane join us on the Turing Fest stage to show us how to get security right from the beginning of the development cycle.
To start taking steps in the right direction, enjoy a read of our catch-up with Shane ahead of the festival this July…
Shane, without giving away too much for your talk, what needs to be in place to get security and encryption right from the beginning of development?
Generally speaking, the main focus should be on encrypting data before it ever hits a company’s infrastructure. The biggest advantage for anyone working in the security space is that nobody will openly admit that they don’t care about security. Everybody cares about it.
But right now, even if you make the decision that security is really important to you, and you decide to encrypt your sensitive data, you still have to go out of your way to learn how encryption works and how to implement it correctly.
The best option is having a really straightforward developer experience that makes it a no-brainer for developers and people who are starting companies to encrypt all data from day one.
That definitely makes sense. What about if you’re only getting round to it later, and struggling with unwieldy legacy infrastructure? Can you work with what you’ve got?
The general lesson is that some encryption is better than none. I think people sometimes think that it’s a very binary thing: they either encrypt every single thing, or they encrypt nothing. But the reality is that every single additional step towards having all your database encrypted is great.
So even for companies that have really legacy infrastructure and data everywhere, encrypting just one thing makes it much easier to move on to the next, and so on.
Starting off with the most sensitive data makes complete sense. Our general recommendation is to create a list of the 10 pieces of sensitive data that you collect, and rank them 1 through 10. Then just focus on going through that list in that order.
By doing it that way, you end up being much more methodical than the traditional approach of getting certain checkboxes checked so you can pass an audit in six weeks.
Even if you have data all over the place, by encrypting data before it hits your infrastructure, it doesn’t really matter where it’s being stored as long as it’s encrypted before you handle it.
What do you see startups getting wrong? What are the biggest challenges for secure development that you’re trying to fix?
I think part of it is a developer education thing. If you’re studying computer science in university, you go to a bunch of lectures on how to build software that’s really optimised for performance and scalability, but you never really learn how to write secure software.
This is starting to change a little bit, but for the most part, developers just aren’t trained to build that way. It can also compound a lot when you go to work at an early stage company. You might be in some sort of startup accelerator where you have a tight deadline to get a minimum version of your product out the door in two months. Everything that isn’t a core feature gets entirely de-scoped, and it’s almost like a pessimism for your own product.
If you assume that your product will be successful, then security is really important because you’re going to be handling a large volume of sensitive data. But companies don’t focus on security if they assume that they won’t be successful. Because then they’re like, oh, you know, we’ll figure it out if we actually do get a bunch of users.
Implementing security from day one means you don’t have to worry about it in five years when you’ve got a hundred other things on your plate.
That’s very true. Whether in terms of product or as a founder, do you have any kind of unconventional or go-against-the-grain beliefs about building a company? Something that you think you do differently?
There’s this idea of a compound company, where you’re the go-to company for a very broad cross-section of what a B2B customer needs to get done. Prime examples of this are Microsoft in the 80s and 90s. Like anything to do with business systems, you just go to Microsoft.
Then today, people stopped building companies that way. Partially because there’s advice from places like Y Combinator that say to focus on doing one thing really well. I think that works in environments where you’re extremely resource constrained and only have a two or three person team and you can’t go any further.
But more and more companies are venture backed, and they have the capital to do things properly. There’s a way bigger opportunity if you can build a suite of products roughly within the same space but for a bunch of different buyers within a company.
This means that if you go to a company and start selling to their security department, it makes it way easier to grow the size of your customer base by selling to the head of HR next.
If you can consolidate that over the space of a year or two, you can become extremely sticky within a company… as opposed to building one very specific tool that they can just pull out and replace with something else that they built themselves or bought elsewhere.
Is there any advice that you wish you could tell other founders, CTOs, or past you?
Yeah. If founders assume they will be successful, which they totally should because it’s entirely within their control, then they will take security seriously.
Equally, they’re more likely to be successful if they take a strong, vision-driven way of building a company, as opposed to trying to go fishing in the dark and hoping to find something.
That’s how most companies are built these days, but the best companies are built by a very stubborn group of people who are extremely aligned around one thing.
Sure the details change, but I agree with this thing Jeff Bezos said about being stubborn on vision, flexible on details. I think that’s totally true.
I think people conflate the two of them and assume that if you’re flexible on details, you’re flexible on basically everything. But it really does just mean small details.
Are there any details that you really focused on early on in your company, which you’re glad you did?
There’s one particular thing when it comes to hiring. The general advice is that when you’re putting together a team of people, intelligence is number one and number two you’ve got like, culture fit or whatever people call it.
I think intelligence is definitely further down the list of priorities. The most important thing is: are these people going to be extremely cohesive with the other people you’ve already hired?
This is assuming they meet a certain baseline of technical capability and just general intelligence. But if they’re a software developer, they’re already sort of falling into that bucket anyway.
Having a cohesive team that works well together is what will pay off over two, three years. Especially when you hit a couple of rocky spots as a company. You’re not going to get through them unless everybody’s very much on the same page as a team.
For sure. So, is there anything that you’re really excited about coming to Turing Fest this year?
Firstly, I’ve never been to Edinburgh. So that’s really exciting. I have to go to the castle. And I think any event where there’s a large enough crowd that’s also small enough to be curatively selected (is curatively a word?)… there aren’t many opportunities like that around.
I’m also very bullish on in-person everything. We have an office and everybody comes into the office every day, which is kind of counter-intuitive given how companies are built today.
So yeah, I’m looking forward to being with 1000 people in a city I’ve never been in before, across the water from Dublin.
Yeah, it should be great. I’m sure you’ll love it. One final question, is there anything about the future of tech that you’re looking forward to? Or are you hoping that things go in a particular direction?
I hope technology goes back to building things the proper way. Like, obviously the last 10 or 15 years have been really great because there’s been all these lovely user experiences and mobile apps that upgrade, and all that sort of stuff. But they’ve kind of forgotten about how important it is to design things intentionally from day one.
So like Facebook, or Instagram… great apps, but they never thought about how their data is going to be used and how it’s going to be used by the world. Partially because it’s just very difficult to predict.
I think on the technical side, we have all of these iceberg products where the 20% you do see is always really polished, but the 80% beneath the surface is genuinely like a Rube Goldberg machine of third-party theories stuck together in a really fragile way.
But if you look at people who worked with computers in the 80s and 90s, especially the 80s, they were generally just purists who sat in the garage and wanted to just write code every day. Those kinds of people have disappeared a lot, especially because parents almost encourage their kids to go down the computer science or software engineering route.
It’s like the new version of going to work for a big four accountancy firm or an investment bank or something. Because the career prospects are so good, it’s much harder to find the purists.
I hope that the purists resurge and stuff starts getting built properly again. Just with really great design and user experience too.
Build. Grow. Lead. Grab your ticket for 27-28 July 2022 in Edinburgh and learn from Shane Curran and 40+ other speakers how to build better startups. From product to marketing, growth, scaling, and culture, it’ll be two days of learning and connecting with the best in tech.