Interview with Mark Stamford

BSides NYC 2023. Published 2024-03.

Category: Career
Difficulty: Intro
Style: Talk

About this talk
Mark Stamford, founder of Aram Security, discusses his journey starting a bootstrapped security company, the importance of hustle and finding good people, and perspectives on open-source tools in offensive and defensive security. He reflects on building sustainable organizations, managing burnout, and navigating the asymmetric advantages facing defenders versus attackers.
Preeti Ravindra interviewed Mark Stamford at the BSidesNYC 0x03 conference. Guest: https://www.linkedin.com/in/markstamford/ Interviewer: https://www.linkedin.com/in/preeti-ravindra/ Organizer: https://www.linkedin.com/in/jhbarbee/
Transcript

Preeti: Hi Mark, it's really nice meeting you and chatting with you. Thanks for taking time out of your schedule to talk to me.

Mark: Nice to meet you, thanks for having me.

Preeti: I heard that you've been a supporter of BSides NYC since its inception, so can you share a bit about why you've been supporting BSides NYC and what brings you back?

Mark: Sure, yeah. I mean, I've been in New York for 22 years. I moved to New York from London, obviously, with my strange accent, so New York has really sort of become my home, and BSides, I think, just encapsulates, you know, an actual security event in New York, right? So this is home territory, let's have a conference, and that's really what brought me to it. I mean, having been around other BSides in other places, going to one in San Francisco, going to one in Vegas, doing one in Rochester actually, when it came to New York it was like, you know, we have to support the one in New York. So that's it really, it's home territory, I want it to succeed. I like that it's busy this year, so whatever we can do to help it, we're going to keep doing.

Preeti: Wonderful. I think we had a lot of people coming from different parts of the country and the world; we had international representation as well, so that's amazing. Those are all great additions to our community here in New York City.

Mark: Yeah, it's great. It seems to be bigger this year than it was two years ago, so it's cool. Wonderful, hopefully we have lots more.

Preeti: Yes, absolutely. What are you most excited for? What's a thing that you're looking forward to listening to today, or attending a workshop? What are you most excited about today?

Mark: Well, I just came from the Terraform talk about exploitation in Terraform, which actually is something I know absolutely nothing about other than talking to guys on my team who use Terraform, so, all right, let me go find out. So that's really good. There's a talk on SBOMs which I want to go to because it's this pet peeve of mine, because I really hate the whole concept, so I'm tempted to go to that just to heckle, which I probably won't do. Beyond that, I'm just always looking to find things that are interesting. There was the Kubernetes one earlier that I got into for a little bit, but then I had to get out to take a call. And then there is one on Russia and China, the chess one, that I may swing by as well. So I think, again, it's good to find talks on things you don't know about, right? So whatever I can do there. Even though in my current job I don't really do a lot of technical stuff anymore, it seems, I still like to keep this going. I still will be somewhat technical in 20 years' time, so that's what I'm trying to achieve.

Preeti: Wonderful. I mean, I love that enthusiasm to continue to be technical, that's fantastic. And I'd like to hear a little more about your background. I know that you're at Aram Sec, in fact you're the founder of Aram Sec, so could you please talk to us about what it takes to start a company, how does funding work, what it means to be successful and continue to drive a company forward? I think all of these things are huge tasks, and I for one am very interested in learning more about that.

Mark: Okay, well, I started out in security in 1984 thanks to watching WarGames, so I'm not going to rehash that because I think I've rehashed that like a thousand times so far. So Aram Sec began 12 years ago, and on the subject of funding, we actually had no funding. So Aram Sec was: let's go and start a company, I guess I will go. I had some cash, I had a little bit of help there, but no actual "let's go and raise a round of funding." So then what happens is you just hustle endlessly, right? So your job is to wake up, find a way to get someone to hire you to do this thing that you like to do. The first thing I found, in this really unfortunate way, was if you work in a large corporation, so I was working for an investment bank, okay, so I had lots of friends who worked in banking: "I'll start a company, you're going to hire me?" "Yes, sure, we love you, great, start a company." "No, we can't hire you, because you can't get through the procurement process, you're a one-person shop, this is never going to work." So I spent the first six months just chasing everything there was to chase, right, and doing little jobs here and there. And then I got to a point where I had no money, basically, and in the same week I got offered a job with a hotel company to be a senior security architect, and I got offered a contract, a three-month contract. And I was sitting there, I was talking to my wife, like, okay, which one do I do? It's like, well, you know, which one do you want to do, because the job is a job and the contract's... So I did the contract, because I'm an idiot, and just take a risk, right? So I did that, and then it kind of snowballed from there. So you just kind of... you have to just keep pursuing, right? I mean, I was talking to someone outside about, you know, what it is to start a company or run a company, and it really comes down to, and you can hear this elsewhere from others, it's just hustle, right? You always have to be doing stuff. So your friends will be at parties on a Friday and you will be doing work; your friends will be playing sports on a Saturday and you're doing work. You have to be working all the time. And what's interesting in our space is you can't rest on your laurels, right? So if you were really good at security five years ago, no one cares now.

Preeti: That's true.

Mark: I mean, when I started, the cloud was just clouds in the sky, that was the reference to the clouds, right? And so it's changing so much, so there's this requirement to keep learning and to keep executing, doing, and to keep trying to sell, right? And then the other really important thing besides just hustling is to find really good people to work with. So the first year, year and a half, was just me. Then I found my first employee, who's still my first employee, he's in Texas. And then you just sort of grow, right? So you get enough work to max out who you've got, and then you find someone else, and you find someone else, and that's just what happens, right? And you network, and you make friends, and you make a lot of mistakes, like you go to lots of networking events, they're all a waste of time, because everyone at the networking event is also there to try and sell work, for the same purpose, right? So the whole thing is like, why am I here? And so, yeah, I mean, it just grows, and I think I've been really lucky in the way that Aram has grown. I've managed to find really good people, and we have a really good culture which has created a really good sort of team spirit, right? So we find good people, we keep good people, we do interesting work. We actually completed an initial round of funding finally, because we built a software platform, this incentive platform that we pushed out. We built that, and it's like, okay, we're going to need to expedite this, because there are great things we want to do. So then we actually did our first round of funding, which we completed last August. So until then it was just entirely organically grown, right? We just grew it, we bootstrapped it, and all that, and every other term that gets used. So it's fun. I mean, I think where I'm lucky is I still like security, right? So I'm still interested in security, I still have a passion for security. I still do technical stuff, I still break stuff, I still make my son's time online a nightmare with security controls so he can do nothing. If he ever hears this he'll agree, because we had to talk about it the other day. So I think that doing this thing you like makes it easier, right? Because I think to be effective at running a security company, the people you work with have to believe that you're already in it with them, right? And if you just kind of become this detached CEO who throws grenades at them, it just won't work, right? So everybody needs to be bought in. Yeah, I mean, and I think that there was a perception for a long time that you just needed to get funded and build your company up quickly and sell it. I think that the last six months have proven that is a terrible idea from an economic sense, right? Just look at the last three months in banking. So I think that we are sort of reverting back to a time where if you make a company, it has to actually be successful, right? It can't be that I'm going to run at a loss for 10 years and maybe make some cash. That worked for a little while... I mean, it worked for a long time, right? That's how we got Amazon and Facebook and all these companies.

Preeti: Yeah.

Mark: But in this day and age it's really become a lot tighter, right? The economy is slower, people have less money in general, so I think that you have to sort of go back to basics, and it's all about that value creation and value proposition.

Preeti: Right, it's really going back to the basics, as you said. And you touched upon a lot of interesting points there, as to how your back was against the wall and you still were motivated because you were interested in what you were doing. I don't think a lot of us can muster that if we don't have the interest in doing what it is that we're doing.

Mark: Absolutely, yeah.

Preeti: And the second thing that you brought up was hustling, but then that can also be termed as burnout by some people, because you're constantly working. So how do you strike this balance between working for what it is that you're truly passionate about, but also not losing out on your creativity and your passion for a problem, and not burning out?

Mark: Coffee. Lots of coffee. Um, it's like... no, don't need coffee like that. I mean, it's a good question, right, because especially now there is so much more talk of burnout. I don't know the answer, right, because I think that... this is a really terrible reference I'm going to make: Arnold Schwarzenegger gave a talk once, you can hear this still, and in the talk he said that to succeed you don't want to have a plan B, right? You should have no safety net. So I think that if you focus on "am I going to burn out, how am I not going to burn out," you've already lost the game, right? So I think that the only way to do it, if you're going to start from scratch... if someone gives you a hundred million bucks, cool, hey, have at it, right? But if you're going to start with not a lot and try and make it work, you just have to say, you know what, I'm just going to do what I have to do. And when you find... I mean, I found that as I've got older that you do get tired a little bit more. So I think last month was the first time in 12 years I took a day off and I didn't go near technology.

Preeti: Whoa. That's a lot of work to put in, but that also shows the dedication that you have towards making sure that your company is successful, and you come across...

Mark: Absolutely, yeah. Well, you have to be slightly, you know, something... think about that. But I mean, I think you can do it. I mean, I think you have to judge yourself, right? So if you're going for three weeks and then you need to stop for a day, then do that, right? Don't base what you do off of anyone else.

Preeti: Right, that makes sense, because everybody's mileage varies.

Mark: Right. I mean, you can be driven to this point of just destruction if you're not careful, right? I mean, I've got to the points where I've really kind of been like, I just got to stop, I just can't stare at the screen anymore.

Preeti: But I think that takes self-awareness, which takes time to develop and cultivate.

Mark: Yeah, it took about 11 years to develop that.

Preeti: So yeah, I think that will be a good takeaway, right? You need to have that self-awareness to know when you really have to take a break and step back, and when you really have to push through, and what critical points you have to push through in order to truly come out on the positive side of things.

Mark: But just don't ever start fixating on when that break is, right? Just say, I'll get to that break when I get there. Otherwise you just won't win.

Preeti: Wonderful, so thanks for that. You and your company, you do a lot of red teaming, you are very hands-on, very technical. I want to hear your perspective on a top chatter in the red teaming or the offensive security space, which is: are open-source tools good for offensive security and for defensive security, or are we handing over malicious things to our adversaries?

Mark: Sure. I think the answer is they are a good thing. I think that the unfortunate truth, and you can see I'm still from North London because I can't say "th" properly, the truth is the bad guys have all these tools, right? I mean, that's the thing. There's a lot of time that we spend worrying about, well, we've deployed this tool, someone else might go and get my tool as well and they'll use it for bad things. Anything that we've thought to do, they've probably thought to do, right? Because there's a simple... and this is a conversation I've gone through lots of times, right... the simple reason is the majority of bad actors are motivated by, you know, profit or nation-state motivations, right?

Preeti: Yes.

Mark: Okay. The majority of good actors are motivated by "how do I save my organization money," business continuity also, right, or they're doing it for some sort of, you know, passionate personal reason. The advantage in that game is all with the bad actors, right, because the quicker they can find ways to do things that are malicious, the quicker they can try and make a buck. So I think that we probably should not worry about what we put into the open-source space. I think that the more tools that we can give to practitioners of all skill sets, right... I mean, security is so popular right now, and there are so many people coming in who aren't experienced, we have to make sure they know how to use these tools, right? Don't give someone Cobalt Strike who just read a book and decides they're a pentester. But I mean, we have no choice, right? I mean, we are in this endless arms race, and as the good team, right, we are somewhat handicapped by the fact that everyone on our side that we work for is trying to reduce cost, they don't want to increase cost. So the profit motivation of your average organization is to lower costs, right, so "I don't want to spend too much on security." The profit motivation of the bad actor is to break you, to steal their stuff. I once gave a talk where it was like, the business of the people who are trying to bleep you is to bleep you, right? Steal, right? And that's just it. So I think that it's inevitable that it's going to happen, I don't think we should stop. I think that, you know, when I started out... well, once my professional career started, cryptography was still embargoed and all this stuff, right? It was kind of like, this is silly, right, because I was in the UK, we had to get a munitions license to ship RSA code over. Yeah, but it's like, well, the people we're up against, they don't care, they don't care where I am geographically. They know that we have this thing they want, which was money, because I was working for an investment company. They're going to get it, so you won't give me the tools to protect myself. So I think that we have to do it.

Preeti: Okay, great answer. I think what I heard was that it definitely helps give the defenders an advantage, and it kind of sort of moves them in the direction towards level-setting the playing field to a great extent, but maybe more thought needs to be put into some guardrails that we can put around these open-source red team tools.

Mark: Yeah, I mean, you don't ever want to try and have a fight with your arm tied behind your back, right? And I mean, I think that if we can do some quality control around... I mean, there's so many security tools, right? There's so many forks of every possible one, right, and that kind of becomes... I could see how lots of people are probably confused, like, which tool do I use for this job, right? I mean, if you take Kali, right, there's, I know, well, a thousand security tools on there, right? I mean, it's kind of ridiculous right now. Back in the old days, I should do air quotes there, back in the old days you would install Linux, whatever version you were doing... I mean, I started out actually using BSD, so I didn't even use Linux, right, if you want to get into semantics. And then you would come across a problem, and then you would either find a tool that did what you want or you would make a tool, right? So back in the day you would go, all right, I want to do reconnaissance of this network to find out what boxes are there and what ports are open, right? You'd go online, hey, I'll use Nmap, right, and then you would download it, you would build it, and so on. So you would build this distro based on what you need, whereas I think we've kind of created this problematic solution where you provide people with everything, and then it just becomes, well, fire this tool, this tool, this tool, and people never really understand what they're doing. So I think if we were to really pull back a little bit, okay, that would help us.

Preeti: Okay, so dial down and more quality...

Mark: Quality. Kali is cool, but I'm just saying that, like, giving people a thousand different tools, you know, everything just becomes "I run everything and everything," and it's like, you know, is that really helping the situation here?

Preeti: Great, I think that's a great pointer for the people who are looking to get into the space and figuring out how to use the tools: make sure that you know why you're using them and for what purpose you're using them. That's a great pointer.

Mark: Yeah, roll your own distro, right? Take a distro... I mean, take any distro you want, start at zero and say, I want to solve this problem, okay, what tool does it? Do some research, build it, go, and then do that, do that. It will take you a longer time to get somewhere, but you'll be much better.

Preeti: Wonderful, thank you so much for those insights. And I think the last question for you today would be: what would you recommend to people who are attending BSides NYC today or next year? What would you recommend them to definitely check out and definitely do, how to best use their time?

Mark: Find all the people from Aram and talk to them, there are six of them downstairs. I mean, I really think that you have to maximize your time at these things, right? I mean, BSides is sort of... I mean, firstly, it's really not expensive as security conferences go. I mean, someone was telling me DEF CON is going to be like four, five hundred bucks this year, which... I mean, this is 15 bucks, right? You're not going to get a day's training at that amount of money anyway. So start from the principle of, I'm going to this conference, I should maximize the time. Now, going to a whole day of talks gets a bit tiring.

Preeti: Yes.

Mark: Again, that could just be a product of my advanced age.

Preeti: No, a lot of people find that, especially when there are multiple tracks also.

Mark: Yeah, so I think you, you know, do some research before you get here, pick the things that are most interesting. If there's a speaker you know, who you know is good, beforehand, go to that. And then also I think the other great thing about these is networking, right? Talk to people. I mean, there's folk here who run their own companies, there's people here who have been security researchers forever, there are people here who work in tech companies, there's people from everywhere, right, and they're all in one place, and there's really no hierarchy, right? So it's not like people who are CEOs are all over there and people who are researchers over here; everyone's mingled. So the opportunity is, you know, sit down next to someone, hey, what do you do, right, and just go for it. I mean, I remember being at RSA years ago, sitting down, and there's some guy next to me with a beard, hey, who are you? "I'm BR." Okay, cool, we can talk, right? It has to be like that. So I really think go to the talks that seem interesting, but just as important, do the networking piece, even if it's just one person. Just share a business card, share an email address, share something, because then you'll probably have conversations later on that lead somewhere. Because we're all here for the same thing, right? We're all here to learn how to be better at what we do, and that's cool. No one's here trying to sell you something, right?

Preeti: That's right.

Mark: Everyone's just here to improve their skill set so they can actually collectively make things better, right? And that's cool.

Preeti: Wonderful, thank you so much for giving us those pointers and for sharing your wisdom with the wider community. It was a pleasure talking to you.

Mark: Thank you, nice to meet you, thanks a lot.

Preeti: Thank you very much, thank you.