So, what we're going to talk about today is how to structure activism, right? We all know this feeling: we're frustrated with the way things are right now and we want to change it, but it's a grind against the machinery that are the E Corps of this world. We want to defeat them and we want to win this fight, but in order to do that, we might need a little more structure than we have right now. It works for camps because those are short-term investments, but maybe for longer-term projects and longer-term interests we need some other structures. So today, Dr. Rieback is going to tell us about these kinds of ideas that they are using. She's CEO at Radically Offensive Security. Radically Offensive... offensive. Radically Open Security. Radically Open Security, yeah. And so, take it away; a big round of applause for her, please.

Hello. So, good evening. Today's talk is, I think, a little bit different from some of the talks that I give. I often give technical talks, sometimes I give business model talks, but today what I really want to do is give a bit of a personal talk. I'm busy with a social enterprise that also happens to be a security consultancy company, and I'm hoping that by explaining what I'm doing I can perhaps inspire some of you to want to attempt some similar things. So, let's start with a question. It's a bit clichéd, but what would you do if you knew that you could not fail? A lot of us in the IT industry get sucked into these very comfortable living patterns and employment patterns, and many of us, of course, are quite lucky: we can get pretty good paychecks doing the stuff that we love. But at the end of the day, is what we're actually spending our time on what we really want to be spending our time on? If you could really choose anything, what was your dream from when you were young? What is your dream now?
If there's one thing that you could change about the world, what would it be, and what would you do if time wasn't an issue, if money wasn't an issue? What would you do? Well, for me, part of the reason why I think activism is really important right now is the current political climate. Like for many of the people here in the room, some of the political events in the United States are somewhat alarming to me. Of course, the trend is also spreading to the rest of the world, including Europe; it's undeniable, and at least for me personally, I feel a calling in the changing political climate to try to do something, to the best of my abilities, to make some positive change. But I think that for me personally, the call to really want to make things better started quite a while ago. This is a picture of me back in high school. At the time I was a teenager growing up in the south of the United States; we're talking about probably the mid to late 90s. Just as a bit of contextual information, not that I think it makes a huge amount of difference, but I happen to be a lesbian. Growing up in the late 90s, again, this is 25 years ago, in the south of the United States, it was not the most amicable political climate, shall I say, and I got a bunch of pushback from a lot of places. You can react to that in several different ways, but for me, the way that I reacted was wanting to push back. So after a while I decided that part of the way to harness that energy was to put it into activism. For example, and these are stories I don't usually tell, I was a member of a group called the Lesbian Avengers for a while.
Anyway, big, big trouble, a bunch of troublemakers; we ate fire and caused all kinds of problems, but basically it was me at the time trying to take something that directly influenced me and to mobilize it, to turn it into something impactful so I could ultimately make the world better. Also, at the time when I was in the United States, in that political climate, it was still pre-9/11 and the country was very much looking inwards, and there were so many things about the American dream that I just didn't think were right. I grew up in an upper-middle-class suburb where all the students had larger cars than their teachers. I thought it was incredibly irritating and obnoxious, but what I discovered at that time is that the big house with the white picket fence doesn't actually make people happy. To the point that these people who have everything are not politically engaged; they are just trying to live that American dream, to the point that one neighbor around the corner at some point actually committed suicide. And it kind of starts to make you evaluate and ask the question: what are we spending our time on? We come from these places of opportunity, of economic opportunity, of education. For me personally also, I'm white, which also confers any number of undeserved advantages.
But then the question becomes: how do you take these privileges, these advantages, and turn them into something where you can attempt to have this positive impact instead of just getting caught in the rat race and doing everything because you think you're supposed to? So, for me, my first real foray into what I would call tech activism, because of course another undeniable thing about me is that I'm an incredibly huge geek, and I love it, and I'm proud of it. For me, technology was also one of those things. I'm just like many of the people in the audience here: I have been using computers since I was seven. I started on an 8086, in GW-BASIC, with a 300-baud modem; I'm one of those. So tech has always also been a hobby of mine. If I were an artist, tech would be my clay. But I don't have to explain that to the people in this room; I'm preaching to the choir. The first time I think I did something I would really call tech activism was when I was working as a PhD student, and later as an assistant professor, at the Free University of Amsterdam. Some of you, if you go back a little while, might know me from back in the days when I was working on RFID security research. Back in 2006, I have the notoriety of having been the first person to publish a proof of concept of malware for radio frequency identification tags, the so-called RFID virus. This went viral back in 2006. Again, this is 10 years ago; I'm starting to feel old. But it really went viral in a period before "viral" was even a thing. It was all over the papers. It caused a whole lot of reactions, to the point that after the research was published, I got 200 emails in the first day.
Everything ranging from people who loved the research, people who hated the research, people who almost threatened me, people who sent marriage proposals. It's the kind of weird stuff that you get occasionally when things get in the news. After that, I also did another project called the RFID Guardian, which was basically an embedded device that acted like a firewall, a man-in-the-middle device, for RFID tags. It was actually my intention at the time to attempt to commercialize the RFID Guardian. I had some subsidy at the time, but due to circumstances the subsidy dried up before I was expecting it to. And the problem with hardware is that if it's half finished, it's a doorstop. We never finished our analog front end, and that caused the project to die. Well, it happens. I consider myself to be an entrepreneur, and I look at the RFID Guardian and how I wanted to realize it as my first failed startup. But that's okay; you have to have failures before you can move on and have your successes. And of course, I learned a whole lot from that process. One thing I learned was that hardware is hard. Yeah. But I also learned quite a bit from my initial leaning towards being interested in business. What really struck me from that time, though, was the impact and the dialogue that it caused. At one point, people got mad at me. At one point, I was at a conference, and the chief privacy officer of Philips at the time looked me straight in the eyes and said, "Your research is bad for my company." And this is the chief privacy officer, right? Anyway, look, I'm not saying this to pick on Philips, but the point is that sometimes your research is going to ruffle some feathers.
Also at the time, with the RFID virus stuff, F-Secure Antivirus had actually published a full-page ad saying how, among other things, they debunked the RFID virus. So people were debunking my research. This is when you know you've made it: when people take out full-page advertisements attacking your research. Not that I was unique in that, because of course some of the other great RFID security researchers at the time, heaven knows the team at Radboud University, got more than their own share of problems. So your research is good when you start getting problems. But at the end of the day, for me it was never really just about research. It was about RFID, and it was about the ubiquity of computing, and it was about privacy, and it was about the security implications, and the fact that the companies wouldn't own up to the problems. What I really learned from that period of time is that you can say to a company, "You're insecure," and their reaction is going to be, "No, I'm not." You can't really tell them that they have problems. You have to show them. This is what I learned being an academic. You can try sometimes to have a dialogue. A dialogue can help, but I think at a certain point it only gets you so far. But then the question is, if it only gets you so far, what else can you do? What's next? So if you do want to change the world, answering the question of what's next, people might ask: okay, so what do we do if we want to build a change-making organization? Do we create a charity? Do we create an NGO? Do we create a foundation? But the problem with a lot of these forms of building social organizations is that they're dependent.
For example, dependent upon subsidies. As an academic researcher, that was one of the problems I personally had. Again, due to the economic climate at the time, the subsidy dried up, and once the subsidy was gone, it's game over. Most of the not-for-profit entities out there are either dependent on subsidies or dependent on donations. I'm going to get a bit more into things like social enterprises, but part of the reason why I think it's actually important is that if you want to build a change-making organization, if you can create something that can operate independently, that gives it a lot more freedom to move and it also gives it a much greater chance to actually survive. Coming back to the political climate now and Trump: a lot of the problem is that if you are running some kind of idealistic organization, this is not the most stable climate for getting those subsidies. They're starting to reroute them to other places. So I think, unlike any other period in time, creating self-sustainable, positive, change-making organizations is going to be more important now than it ever has been before, because the generosity from some governments that we've had might be a thing of the past, and I wouldn't necessarily rely on it. Another thing, coming back to the issue of trying to tell companies to change their behavior: I'm a member of this thing called The Spindle Inspiration Council. There's an organization called Partos in Amsterdam, which is a group of NGOs that work together. One time I was speaking with a lot of these people from the NGOs, and they were talking about, for example, companies like Shell.
They were saying: they're doing all of these really horrible things in Nigeria and in other places. What can we do? Can we talk to them? We've tried talking to them, but what do we do? And this is the problem. You can lobby, you can protest. Again, you can publish research, but it doesn't necessarily mean that they're going to listen. One of the things I've discovered about social entrepreneurship is that the one way you can get companies to listen is to hit them where it hurts. And you know where it hurts? In their wallet. That's the way it is. The only way I think these big companies will listen is if you hurt them financially. And how do you hurt them financially? Build something better. So, business. Activists consider it a dirty word. Business. Big business. Business is always the problem. But the question is, if we repurpose business in just the right way, can it actually be part of the solution? One of the things about business that I think makes it a really ideal vehicle for activism is that it is set up in such a ridiculously independent way. Take the whole concept of corporate personhood. Obviously corporations are not people, but they've done enough lobbying to set things up in the legislation as if they are. Companies have rights; oftentimes companies have more rights than individuals do. But the point is, as activists we can exploit that. Precisely because of this corporate personhood, you have a lot of freedom to act, and a lot of freedom to set things up in the way that you want. One of the problems, again, with charities and foundations and NGOs is that they can only perform a certain small amount of commercial activity before you start getting restrictions from the government.
If, for example, you're a foundation that's registered as charitable with the government, there's usually only a certain amount of financial transactions that you can do before you come into a gray zone where you might lose your charitable designation. If you're a company, you don't have any of these issues. As a company you have two requirements that you have to fulfill: one, you have to stay within the law, and two, you have to be able to cover your own expenses. That's it. For the rest, you can do whatever the heck you want. And again, it's big business that's set it up this way. But we can repurpose it. We can reclaim it. And we can use it. One entrepreneur that, look, good or bad, agree or disagree, I think exemplifies what you can do with social entrepreneurship is Elon Musk. Talk about disappearing subsidies: the three things that he's working on, the space race, solar energy and electric cars, are three things that absolutely can no longer count on being funded by anything government related, research grants and things like that. All of that is probably pretty much guaranteed to dry up. But people like Elon Musk are doing more for things like electric cars than any academic researcher has ever done. What he's also doing now with SolarCity, for solar panels: he is harnessing the vehicle of a company to essentially try to change not just the technology but the political climate that is influenced by that entire ecosystem. If he can actually accomplish what he's attempting to do between SolarCity and Tesla, it could eliminate our dependence on oil, for example. Imagine how that would change the political climate of the world.
Not that everything Elon Musk has done has been perfect, because of course he's also human; he's also made mistakes and he's also got personality quirks. But for me personally, I see him as a really inspirational example. He's also faced a lot of hurdles, had some problems, managed to get over them, and has managed to build impressive organizations, but what's most impressive is that they are self-sustaining. That, for me, somewhat exemplifies what we can do. I think it can get even more idealistic than that, but I do take him as a good case study and a good example of what you can accomplish with social enterprises. Another example that I really, really love, and this is a more local one for folks here in the Netherlands, is an organization called Buurtzorg. Buurtzorg is a home health care organization in the Netherlands. The problem with health care is that it has often been structured in a pyramid fashion. You've got the bureaucrats at the top, who might be running the hospitals or the home health care organization, then the layers of management, and then eventually you have the nurses absolutely at the bottom. They go as far as calculating how many minutes it takes to apply a bandage, how many minutes that nurse is actually allowed to spend, and then calculating it into their route: okay, it takes 20 minutes to get to the next patient. In fact, they're not even patients, they're customers; that's how they're treated in traditional health care, and nobody likes it. The nurses didn't like it because they don't want to be treated like machines, and they also don't want to treat their patients like numbers in a system.
So this guy, his name is Jos de Blok, figured out that what we could do is take that whole health care structure and try decentralizing it. Instead of having this huge top-down structure, we can create little localized circles and ensure that they are completely decentralized, so they can operate completely independently of one another. They're all Buurtzorg, so they all operate with a similar set of principles and operating procedures, and if they need help, they can phone into the headquarters to get advice and tips and to help resolve disputes and things like that, but except for that, they all work completely independently. And what wound up happening was that because they were smaller and decentralized, it eliminated the overhead. So not only were the nurses able to stop treating their patients like numbers, but they were actually allowed, in fact encouraged, to sit down and drink a cup of coffee with their patients and get to know them. The nurses were happy because they were allowed to start treating their patients like people again, because the work that they do is God's work, and it's their calling. And finally they had the freedom again to spend the time doing it in the way that they wanted to do it. The patients, of course, also loved it because now they were no longer treated like numbers; they were actually being treated like people.
The only people who perhaps didn't like it were some of the bureaucrats, who were losing some of their margin and some of their overhead, but the truth of the matter was that Buurtzorg became so financially efficient, because they had stripped off all of that overhead, that they started to become more profitable than the previous market leaders that they were trying to replace. So at a certain point the other health care providers went to Jos de Blok and said: the way that you are structuring Buurtzorg, we want to do that too. And what he did, and this to me is really the sign of a great leader, is he helped them. He went to his competitors and he helped them restructure themselves so they also could be more decentralized and also change the way in which they were operating. Yes, to become more cost efficient, but of course it also made them more social. In such a way it wasn't about market share for him. It was about having a positive impact on the world of home health care. Regardless of whether Buurtzorg had the percentage of market share or his competitors did, that was actually irrelevant, because he changed his competitors and thus he raised the bar for home health care in the entire Netherlands. This to me is really inspirational. So, for me personally, I've also attempted to build a similar kind of social enterprise. For those of you who are not already familiar with Radically Open Security, that is my own social enterprise, and I set it up as a not-for-profit computer security consultancy company. I started about three and a quarter years ago, and when I first started it everybody was like, "You're doing what? You're foolish." People looked at it and were like, "Well, not-for-profit, that's kind of weird.
I don't know, is this going to work?" But three and a quarter years later, look, I'm up here telling this story to you on the big stage at this nice hacker camp, so we've done a few things right. What I think we have actually managed to do is change a lot of things about the dialogue around computer security and the industry and openness and transparency and sharing, and I think slowly but surely we are also starting to influence our competitors and causing them to start re-analyzing their own behavior. So, really quickly, before I go on to the next slide, the core principles of Radically Open Security are basically just ethics; open source, meaning everything we develop we release as open source; and openness and transparency. What openness and transparency means in practice is that we invite our customers to join us in chat rooms, and they see and hear absolutely everything that we're doing while we work. We also release all these tools to everyone. We work using a principle called ChatOps. I'm not going to spend a lot of time talking about that right now; in fact I have a whole separate talk on that that I give, but I'm not going to be giving that today. The idea is that we work in these chat rooms with a globally distributed team, and we have a chat robot that facilitates our operations. The chat robot is quite interesting because it assists us with everything from penetration testing to documentation and reporting to project management to billing and scheduling and all these different kinds of things. So it's super important to us, and we've open sourced everything, again with the hope that at some point our competitors can take these tools and run with them. Why not? But if I tell people about what we're doing, a lot of them are a bit hesitant to take similar steps and do similar things themselves.
Another thing I really like about Radically Open Security is that I consider us to be a bit of a lifestyle business. We are essentially a collective of freelancers and small businesses. I am the only internal employee in Radically Open Security, still, after three and a quarter years, but we have about 35 freelancers who are working together. And again, the organization is the people. They're contractually bound. Occasionally customers look at us a little funny and say, "Yeah, but you have contracts, you have NDAs?" Yes, of course we do. But ultimately what it means is that people are location independent. We have people working all over the place because it's essentially business-to-business contracts with our freelancers. I don't have to deal with immigration or work permits, so it makes hiring really easy. Ultimately it's just a construction that's really scalable and that has worked really well for us. That's why I haven't been inclined to change it. A lot about how we operate is actually really quite weird. But at a certain point I just figured out that weird is actually a benefit; weird is actually an advantage. The other thing is that when people know that you're weird, they will accept that weirdness from you, and they will actually come to relish it. So we get away with a lot of weirdness that we think some other companies can't, because we have the reputation of being weird. People kind of accept it, and it works well for us. So, again, I started it three and a quarter years ago, and I was optimistic when I started it, but I don't think I really understood how far this all would go. We have won a ton of awards for how we've set up our organization, both for our operations and for our business model. The Dutch Chamber of Commerce called Radically Open Security the 50th most innovative SME in the Netherlands. I'm really proud of that. We've also won a whole bunch of other awards.
Things like: I was in the Inspiring Fifty twice. Our hackers have won some awards at Black Hat and some other places. We've done this awesome NetAidKit project; I don't know if you know Free Press Unlimited, but NetAidKit is a not-for-profit project that we've done to help them build a completely open source Wi-Fi Tor and OpenVPN router. That's also a great project of ours that I'm super proud of. Also, Sprout magazine, which is an entrepreneurship magazine, put us in their Challenger 50, the 50 most challenging startups in the Netherlands. And just to cap it off, about two months ago CIO magazine in the Netherlands called me the most innovative IT leader of 2017. Look, I'm not saying this to toot my own horn. I'm saying this because if you take a chance and try to build something different, you never know where it's going to go. When I first told people that I was going to start Radically Open Security, they thought I was either crazy or stupid or maybe just deluded. They didn't understand how this could work. Now, three and a quarter years later, people are seeing it work. And I think that in another five years from now, as far as we've come, we're going to have a whole lot more impact and make a whole lot more waves than we already have. But people are hesitant to think differently, and hesitant to create something unique that really fits them and their passion and their drives. There's a number of really common excuses that I hear for the reasons why they need to stick with traditional business models or with their usual jobs or keep doing things the way everybody else has been doing them. "But we need to pay our bills." Right. Well, we pay our bills too.
Look, with Radically Open Security we charge market-conforming rates to our customers and we pay roughly market-conforming rates to our personnel. So everybody is able to pay their bills. What's different about us is, again, the manner in which we operate: the openness and transparency, the open source, and being set up as a not-for-profit company. I forgot to mention this earlier, but we give 90% of our profits to the NLnet Foundation. 90%. We literally have a contract set up with them. We've already made our first donation to them. When we're more profitable, we'll wind up giving them more. Of course right now we're still a scale-up, so we're still reinvesting a lot to build that sustainable vehicle. But it's starting to roll, three and a quarter years later. And I'm also super proud that we have already been able to start giving NLnet some money. They're right now in the process of creating basically the Radically Open Security fund within NLnet, so they can start funding community projects with that. Within the next few months, NLnet will start making some noise and announcements about this, so this is your first little preview of that. I'm so freaking proud of that, seriously. This was the vision that I had: trying to take security consultancy and reclaim it from these huge commercial black-box corporate security companies. Look, we obviously haven't completely taken over everything; they're still there. But what we are doing is that their customers are starting to walk away and their staff is starting to walk away. At this point I've heard for sure that they are starting to have internal strategy meetings, trying to figure out how they can combat the up-and-coming threat that Radically Open Security is. Think about that. It's a David and Goliath story.
Why would something like, for example, a Big Four consultancy firm be afraid of us? Well, think about it. I think they actually do have really good reasons to be afraid. Since I'm on the topic, I'm going to skip to the next common excuse: not scalable. A lot of people think, yeah, but the open source business model means you have to give away your products and sell services, and selling services isn't scalable. Well, I'm going to tell you that it is, but not in the way that people usually think about it. With Radically Open Security, the way that I see it, yes, we're a services company, but we're also a platform. You're all familiar now with Uber and Airbnb, for example. I'm not saying they're great companies; we all have differences with how Uber and Airbnb sometimes operate. But the one thing about Uber and Airbnb is that they are a platform that essentially matches producers with consumers, and they have an IT automation layer in between that facilitates those operations. Because it's ICT facilitated, ultimately it's almost completely scalable, right? In the case of, let's say, Uber, the producers are the drivers: people with a car who want some extra money. The consumers are the people who want a ride: they have money and they want to go somewhere. All Uber does is match the two of them together. So think about it now with Radically Open Security. We have producers and we have consumers. The producers are the pentesters. They have pentesting skills, they want a good job, a nice comfortable job, and they want money. We also have consumers. The consumers are the companies, our customers. It could be huge corporations, it could be governments, it could be little tiny NGOs, whatever.
So, but ultimately what Radically Open Security is doing, because we're a platform, because we only work with producers and SMEs, is we are matching the producers with the consumers, and we are building a platform to provide a stable process and user experience for both sides. The penetration testers have a certain way in which they work. So we provide them with automated templates. So for example, we have this suite that we built called PenText. It is essentially the core of our documentation workflow and reporting process. We not only open-sourced it, but we made it an OWASP project: OWASP PenText. But that facilitates, sort of on the pentesting side, consistency and process, and making sure that the customers get a reliable experience that's consistent every time. With the pentesters, it's sort of like a competitive marketplace of pentesting jobs. They log in and then there's basically announcements, and then we basically say: we've got a job, and it's going from this date to this date, we need these technologies, these tools and frameworks, who wants it? And then basically, based upon skills, availability, and price as number three, we then make a match between the job and then groups of pentesters. Now what we're doing is a bit more complicated than Uber and Airbnb, because with Uber and Airbnb the matching is one-to-one, whereas with Radically Open Security the matching is many-to-many, because you will have several pentesters working together on a job and you will also have multiple customers in the chat room that are interacting with us. So I mean, it's a more complicated process to facilitate, but fundamentally it's the same thing. We are building a platform company and we are automating almost everything. Radically Open Security is a security consultancy company, but I also see us actually as turning into a DevOps company. That's actually what we've become lately.
Because of our increased use of things like containerization, continuous integration, you know, just, I have been hiring less and less administrative staff and more and more coders and sysadmins and DevOps people, because we are building this platform, we are building this automated open source layer, and by the way, I'm open-sourcing it, right? But that's the point. We've got this platform, which essentially means that yes, we are a services company, but what happens when we finally get this platform right? How could we scale? Look, I mean, I'm not doing this because I want Radically Open Security to grow big. That's not the point, that's missing the point. I'm doing it because I want to change how the industry works, and I'm perfectly happy to give away this platform so everyone else can use it. But ultimately what I believe is that how we are working, with openness and transparency and with the chat rooms so the customers can actually interact with us as equal partners rather than, you know, as being traditional, you know, vendors and customers, you know, I just think it's a better way of working, you know, and if I can give away these tools and enable everyone to do it this way, then why wouldn't I want to do that?

The other question is "hard to get funding". So yes, being a not-for-profit company makes it harder to get investment. Look, at the very beginning an angel investor had offered me half a million euros in funding and I turned it down, because I did not want to give up one iota of control of what I was building. Because the second you accept venture capital, you've already lost. You've already lost. And if you're trying to build any kind of organization with any amount of integrity, having to constantly explain yourself to some investor of some kind, it's going to shackle you. But I think actually, especially for the kind of thing that we're building, you don't actually need funding to get it started.
We bootstrapped Radically Open Security using my savings account, okay? And it's not that I'm that rich or anything, I'm really not. But the way that we did it is we, again, started as a services company, and you need investment to create products, but you don't really need much investment to do services. And what we did is we actually used services to bootstrap our products and to bootstrap our R&D, you know, because once you actually have turnover, then you can actually start to reinvest some of that into sort of building that vehicle that you're building. And you know, it's not going to grow as fast as if you have some kind of an investor, but it is going to maintain your integrity and it allows for slow organic growth. The other nice thing actually about not having venture funding is, because when you don't have very much of a buffer, when you don't have very much of a margin, it means when you make incorrect decisions you feel the pain quickly. I've had moments in Radically Open Security's history where I have made incorrect decisions, you know, in running the company, incorrect decisions in trying to decide what to sink money into and what I shouldn't. I've had months, I had one month where I literally had to take a 30,000 euro loan from a friend of mine under my own personal title to be able to make payroll that month, because I made the wrong guess. Fortunately it worked out, we basically wound up getting the money back, I paid my friend back, it's all good.
These are stressful moments when you're the director of such a company. But at the same time, though, the other thing also is that if you don't have investment and if you're a charitable organization, you will have a lot of friends. So we don't have investors, but we have had a number of partners that were willing to give us interest-free loans, and guess what, that's even better. Throughout the history of Radically Open Security we've had about 25,000 euros in interest-free loans from friends of ours. Why am I telling you this? Well, openness and transparency, right? Why not? But the point is, we've paid all of that back now, you know, and it did enable me to be able to bootstrap the company without giving up any of that control. And too many people go to investors because it's easy. Too many people go to investors because it's sort of that sexy Silicon Valley ethos of do it fast, make it big, have your exit. But you don't have to do it that way, and that's one of the great things, I think, about being in Amsterdam and not being in the Bay Area. I've spoken with people in Silicon Valley before about what I'm building, and one particular CISO of a company in Silicon Valley, she could not wrap her head around why I would go to so much trouble to build an organization that I'm not going to get rich from. You know, whereas in the Netherlands, I think Radically Open Security is the kind of company that perhaps could have only started in the Netherlands, you know, because this is a country that is social, this is a country that gets it. To the highest levels of the government we get support, and I've appreciated that, and that has helped us countless times.

The other thing also is things like, for example, "customers won't accept it". You know, but really huge bureaucratic organizations, yeah, but you're weird and non-commercial, why would they want to work with you? I'll tell you why they want to work with us. It's because the way that Radically Open Security works and the way that we succeed is we find one geek, you know, like a tech geek, like the kind of person who is at a conference like this. We find one geek that gets it, and then that geek fights to get us into their company, you know, and that geek navigates the bureaucracy within their own organization for us, because they know why we're doing this and they want us there. You know, and this is the kind of stuff that, like, money can't buy. This is the kind of stuff that the only way you can buy it is by believing in something and fighting for something and letting other people know what you're doing, so that they want to help you and support you. And in such a way, you know, Radically Open Security in the first, you know, again, three and a quarter years, we already have had between 50 and 60 customers, you know, across sectors from government to law enforcement to banks, insurance companies, media companies, telcos, hosting providers, IT companies, software SMEs, little law firms, you know, NGOs, universities, everything in between. You know, and how did we get into so many places? It's because of those geeks that get it. It also doesn't hurt that sometimes those geeks happen to be the CISO. But this is something that, you know, our competitors can't do, and this is why they're starting to get afraid, again, for good reasons.

"Won't competitors steal our IP?" Now that's one that I hear a whole lot. You know, sometimes I talk to other people about startups and I'll say to them, you know what, what you're building is awesome, if you just open-sourced it you guys would kill the market. And then they say, yeah, yeah, but if we open source it then our competitors are going to take it and run with it. I think that whole line of thinking is really a fallacy, because if your competitors, first of all, your competitors are not going to adopt it. Pride, you know. Many of them have "not developed here". Look, I mean, I'm giving away my tools already as open source as Radically Open Security. Have all of my competitors adopted it yet? No. Are they going to?
I don't know, we'll have to see. But the moment they do, it's going to be admitting that the way that we're doing it is better. So I mean, I think they're probably not going to adopt it until the point where they realize that they have to, you know. But you know, that's cool. Another thing also, like from my days with the RFID Guardian, I also made open source hardware and software stuff, and I know, again, first-hand from experience, just because you put stuff out there as open source doesn't necessarily mean that other people are going to use it, because then it would mean that they have to learn it, they have to troubleshoot it, they have to be able to debug it, maintain it, upstream things to be able to keep going, well, being able to benefit from additional developments, you know, that kind of stuff. So it's actually complicated for other people to steal your stuff. But what other people don't realize, though, is that if you do give that stuff away, what you're going to get back is goodwill, what you're going to get back is reciprocity. When you give, you get. You know, I mean, you don't want to do it with those intentions, you know, I mean, you don't want to just give so you can get, but if you give, it makes people want to give back, and that's the thing, you know. And as soon as, the other thing also is that when you give, it lowers the barrier to entry for people to actually use your stuff, you know. And ultimately, you know, one of the rules of business is once you have users you can sort of monetize the whole thing, but until you have users, you know, there's nothing to monetize. And the point is that if you keep the stuff proprietary and then sell it or have licensing fees, you are creating a barrier to entry for people adopting your stuff. Isn't that silly? You know, but people don't think about it that way. You know, but business is changing, the world of business is changing, how it's being done is changing, and the people who don't change, you know, are dinosaurs, and you know, those dinosaurs are going to also change in similar ways, you know. But again, this is the kind of stuff now that is going from the IT field to, you know, to MBA programs.

You know, but so these are again some of the common objections, but I have to say that, you know, Radically Open Security has managed to do what we have been doing not just despite these things, but because of them. You know, and that's why I'm out here talking about the story. If you do things differently and you do things that are unique, sometimes it will evolve in ways you didn't expect, and it will also pay you back in ways that you don't expect. So the sky is the limit. I don't think what we're doing as Radically Open Security is necessarily unique, you know, there are other social enterprises that are out there. I mean, I do think we're somewhat unique in the computer security space, but I don't think there are a lot of other organizations out there doing good like the Mozilla Foundation and, you know, others. But I mean, take the whole concept of a not-for-profit business, so, you know, basically taking a commercial front end for a not-for-profit back end. How many other industries could we take that concept and use it with? You know, I mean, Beardsourch is already sort of doing that for education. Could we also use it for transport, for agriculture, you know, perhaps for banking? You know, also with banking we've seen other examples like Grimmie and Bank, and you know, the world is changing, you know. And if you can take the area that you're good at, I mean, for me it happens to be computer security, you know, that, again, I'm an artist and computer security is my clay. You know, other people are going to have different clay, and you know, I'm an artist of computer security, and other people can perhaps be artists of banking, maybe they can be artists of agriculture, artists of healthcare, why not? You know, and you don't just have to do art to be an artist, you know. So that leads me then back to, I think, to end where we started. So let me ask again: what would you do if you knew that you could not fail? Thank you.

If you have any questions, please line up at the microphones in the middle and then you can ask them there. Do we have a question here?

Aren't you scared, in your task of not becoming a corporate bastard, that you become a corporate bastard?

Yes, all the time. I mean, I think that from time to time it's really important to re-evaluate where we're at and to re-evaluate where we're going, and you know, sometimes I also make incorrect decisions about things. You know, I think it's good to have the people in your company thinking along with you and also to make sure that they're sort of imbued with the same values. You're right, the open, and like, for example, when we have customers, I have sometimes staff members that will actually question whether or not we want to be working with a particular customer: police, defense, you know, those are the kinds of things that tend to raise discussions internally. And sometimes I'll make decisions about things and sometimes my staff members will call me on it, and whenever they call me on it, I thank them. So yes, you're completely right, at some point, yeah, at periodic intervals we do need to re-evaluate what we're doing to make sure that the direction that we're in remains consistent. But I also think that because I'm so open and public about what I'm doing, I'm pretty sure that if I were to change it I would get a hell of a lot of criticism for it. So I think that's also a whole lot of, you know, a little bit of insurance also to make sure that we also stay on the right path and on the good and narrow. You know, I'm trying to almost be a caricature of myself and I'm trying to make the company a caricature of itself in sort of how, you know, pure I'm trying to make it take that path, and I think if we were to stray from it, I think I would hear that from several places. At least that's what I'm hoping.

Sure. Hi there. When you talk about creating a company, it's always a, the question is how you people will, sorry, how do the legal, kind of, what is it called, the LLC, or what did you found?

So we are something, so we're a Dutch company, but we have this designation with the Dutch tax authorities, that's something called a fiscal fundraising institution, a fiscale fondswervende instelling. So that basically is a construction we stole from the Dutch churches. So churches sometimes want to do a commercial spin-off, okay, and then the church does this commercial activity and they want to get the money tax-free back to the church again. So there's a Dutch language institute called Regina Coeli, that those of you in the Netherlands might know them otherwise as being called the nonnen van Vught, the nuns from a little village called Vught. And what it is is the language institute is an independently operating language institute, I mean, it's a commercial enterprise, but 90% of the profits from that go back to the nuns. So we essentially stole that construction from the churches, and we just made our commercial spin-off a security consultancy company, and we made our church the NLnet Foundation. So it's a bit of business model hacking, but that's how we set it up.

Yes, hi, my name is Kees, thanks for the talk, I like this a lot. I have a very similar business called The Hive, it's about 40 people, and differences, I actually have employees, so, but probably doesn't matter much, because I find that the hardest thing is getting loyalty, and the only way you can do that is by providing training and learning options. So I was wondering how you do that.

Yeah, I mean, training is a bit difficult, because we work with this whole peek-over-our-shoulder concept, which basically means, again, customers are in the chat rooms with my pentesters. The problem is, if I use junior people, it becomes evident to the customer incredibly quickly that they're junior. So I have to admit I have a bias towards hiring senior staff, because they're less likely to screw up in a way that my customers are going to see it. I mean, I will sometimes hire mid-level staff and then kind of attempt to train them up, but people fresh out of school, as things are right now, they tend to not be a very good fit for my company. I feel bad about that. I wish I had a better training budget. Maybe when we're larger we'll have more of a margin for that kind of stuff, but as of right now I sort of avoid the problem by not hiring juniors. Maybe that's not a good solution.

But for your senior people, they will only stick with you if you keep giving them continuous chances to learn and also improve. I mean, this is the way especially millennials are, and nothing I can do about it, so they have to deal with it.

Yeah, well, I think that they do learn a whole lot. I mean, I'm providing them a stimulating environment with a lot of freedom where they have a lot of smart colleagues. So I mean, if they have questions about, I'm hacking some system and I'm stuck, can you guys help? I mean, we've got a lot of smart people together, and I think that we tend to keep the smart people because smart people like being with other smart people. So once they're there, they don't want to leave the community, you know, so at least the good fits don't want to leave. So that is one way of retaining people. Yeah, the other thing also is just that I think we have the reputation that we've built up that we are very competent in pentesting, and a lot of customers tend to come to us with sort of their specials. So if they have something that's particularly hard, or, you know, this weird embedded system they want tested, or a cryptographic audit, or sort of a mix of different things in a single pentest, they will tend to choose us, and that's actually really nice, because when they give us the harder jobs, it actually also tends to keep our staff really sharp. So, you know, I guess just by having the seniors we've been able to provide better quality, and because we have the better quality, it means the customers give us the more challenging assignments, and that turns into a virtuous cycle. Cool.

Yeah, one hack I also use is having them give a training to their peers. They love to do it and it's good for everyone.

Yeah, thank you for the questions. Another one?

Yeah, I come from Germany, and when you look there, it was kind of trendy to do social entrepreneurship, and when you look at the companies, in the end you would still see investments, venture capital. So how do you experience the kind of social washing that's kind of going on when you're in the sphere?

So how do I experience the...?

The one I call, my term would be social washing, like greenwashing: social washing of these companies, but in the end when you look at them they have venture capital, and in the end they will do stuff that is not, from my point of view...

I mean, to me, I mean, if anybody's accepted any kind of venture capital, I don't think they can really call themselves social. I mean, maybe, again, this is kind of dogma, this is like my religion, this is my belief. I mean, maybe there's good investors out there, but I've never seen them, you know. And look, it's easy to call yourself a social enterprise, but I mean, you need to walk the talk, you know, and ultimately the community will see what you're doing and judge.

So I'm sure the speaker's around afterwards for some minutes. Our time is over now, so I really enjoyed this talk and I hope you did too. Let's give our speaker another round of applause.