New Lexumo CEO on IoT, Startups & Government’s Role in Cybersecurity
Dan McCall thinks the timing is right for Lexumo, a Boston-area startup aiming to help secure the world’s rapidly growing collection of Internet-connected devices and embedded systems.
And Lexumo’s leaders think McCall is the right person to take the two-year-old company to the next level.
McCall (pictured above) has spent 30-plus years in the technology industry, working in cybersecurity, computer networking, data storage, and other areas. He previously co-founded Guardent, a managed security services provider acquired by Verisign in 2004 for $145 million, according to his LinkedIn profile.
McCall served as Verisign’s vice president of corporate development for two years before getting the startup itch again and founding Virtual Computer, which managed mobile and distributed computers on enterprise networks. He led that company for five years before selling it in 2012 to Citrix Systems, which named him a vice president and manager of its desktop and apps product unit.
Now, McCall is back at the helm of a small, young company. Lexumo spun out of Draper Laboratory—the not-for-profit R&D center next to MIT—to commercialize software that uses an automated process to sniff out vulnerabilities in open-source software written for connected devices and embedded systems. The technology was developed by Gaynor, Nathan Shnidman, and Richard Carback, who are PhDs with expertise in cybersecurity, big-data analytics, and machine learning.
Lexumo has raised nearly $5 million in venture funding from Accomplice, .406 Ventures, and Draper. The company currently has 15 employees and plans to double its staff in the next year, McCall says in an e-mail message. Lexumo will soon relocate from Accomplice’s offices in Cambridge, MA, to a nearly 5,000-square-foot space in nearby Burlington, MA, he adds.
Xconomy talked with McCall about his thoughts on Lexumo’s potential, his approach to building startups, the government’s role in advancing cybersecurity, what the security industry could be doing better, and more. The following is a lightly edited transcript of our e-mail exchange.
Xconomy: What drew you to Lexumo? What intrigues you about the company?
Dan McCall: There were really three things that made this decision easy:
1. The timing for a Lexumo is perfect. Open source is consuming the world of software, and [the number of] Internet-connected devices (consumer IoT, industrial IoT, and embedded systems) will soon eclipse mobile phones and computers combined. IoT devices are predominantly built on open-source software, which will make them the largest attack surface in the world.
2. Most of the time you look for a single, brilliant, and inspirational founder to partner with to build an early-stage company. In Lexumo’s case, I found three, all with PhDs and offering unique leverage and value to the company.
3. The approach, which was spun out of the prestigious Draper Labs and DARPA, is unique in our industry. Using big-data analytics and machine learning to understand software and replace the tedious and error-prone process that companies use today to secure their use of open-source software is a winner.
X: Any big lessons from your past companies that you will apply to your new role leading Lexumo?
DM: After spending time in both large and small companies, I think the most important thing to realize is that small companies succeed where large companies fail nearly every time because larger companies get so much LESS done in a week and generally do it with three to four times as many people. What that means to a smaller company like Lexumo is that we need to focus on execution every day because that’s our competitive advantage.
The second big lesson is making sure we keep our hiring practices at the highest level. Startups often make the mistake of a few mediocre hires because of the amount of work they have to do. When everyone is working 60-70 hours/week the desire to just get anyone to help becomes overwhelming. And it’s a mistake every time and actually detracts from productivity. This is doubly hard while we are working down in Boston/Cambridge with the land grab for talent that’s going on. I’m proud to say that today we’re a great team, to a person, and when we move from Cambridge to Burlington in a couple of months, we’ll open up a whole new pool of talent we can grow with.
X: What’s one widely held opinion/idea/prediction in the cybersecurity industry that you think people have got wrong?
DM: I think most people are missing the role the U.S. government is going to play in protecting our security interests.
First is regulatory. While government regulatory requirements (or the threat of them) have created a great deal of new expenses for certain industries, can you imagine a world without HIPAA, when a healthcare record is worth 10 times more than a credit card?
The next frontier is going to be IoT devices and requiring some level of security validation before we allow manufacturers to continue to put out products with such poor protection. Big companies with big brands and a lot to lose are already taking it seriously, and they form our current market at Lexumo. That discipline won’t, however, find its way into low-cost commodity providers selling big-brand knockoffs or smaller companies who don’t have as much to lose. It will take regulations or the threat of them to motivate such a variety of companies to take action in terms of how their products are built, protected, and updated. Security recalls on IoT/embedded systems are going to become common in our near future.
The other area I believe many security professionals are missing is that government is going to drive how we protect ourselves. It was popular to think of government and their cybersecurity teams as slow and plodding versus the cutting-edge teams deployed, for example, at major financial services firms. While there may have been a time when that was true, it’s almost the inverse today. With the rise of nation-state cyber threats, our government and, particularly, our military, are deploying and managing some of the most advanced protection in the world. It’s in our national interest for their technology, techniques, and best practices to flow back to the people who are paying for it.
X: What’s one thing cybersecurity companies should be doing better?
DM: In the past, it was enough for a cybersecurity company to identify problems for their customers. If you left open ports on your firewall and exposed a vulnerable application, we could point it out and be heroes. We could find many, many flaws in your networks, your applications, and the configuration of your infrastructure.
That game has changed. Customers today don’t want, and in some cases don’t need, to know about another problem—especially if you can’t help them fix it. So two must-haves if you are in the business of finding problems: 1) helping customers prioritize their issues and 2) helping them fix those issues. I would be remiss if I didn’t say those are two core elements of our value proposition!