Phosphorus Cybersecurity founder and CEO Chris Rouland, like many security company founders, got his start as a hacker before founding multi-million-dollar startups. His most recent venture tackles IoT security. And Rouland says it’s the first and only company to provide agentless patching and configuration management for all the “things.”
“Computer hacking was a hobby in the ’80s, and all of us grew up to start companies — except Julian Assange,” Rouland said. “But we were all buddies in chat rooms.”
Rouland was chief technology officer at Internet Security Systems, which was acquired by IBM for $1.3 billion in 2006. He then co-founded Bastille Networks, which enables enterprises to assess and mitigate IoT risk and has raised $39 million to date. And in 2008 he co-founded endpoint security company Endgame, which has raised $111.4 million.
His new startup, Phosphorus, targets a massive — and growing — security threat that stretches across data centers, manufacturing floors, healthcare facilities, and other sectors.
“We’re seeing much more sophisticated botnets and no really good security solutions,” Rouland said. “You’ve got people building firewalls for IoT, scanners for IoT, but no one is doing remediation for IoT. And that’s what we’ve built.”
IoT botnet activity represented 78 percent of malware detection events in service provider networks in 2018, according to Nokia’s Threat Intelligence Report 2019. Another new report from McAfee found IoT malware was up 73 percent in the third quarter of 2018.
Recognizing this threat, Cisco, AT&T, Intel, and other vendors late last month published a report that recommends best practices for services providers, enterprises, and software and device manufacturers to protect against botnets.
Without up-to-date software, devices can have vulnerabilities that allow hackers to exploit these devices and infiltrate entire networks. But ensuring that the hundreds of devices across multiple verticals are patched and updated regularly remains a problem for enterprises.
That’s where Phosphorus’ agentless enterprise-grade software comes into play. Rouland says it will be available in the first quarter of 2019. It patches and updates IoT devices, and it alerts users in the case of an insecure configuration.
“It is a fool’s errand to build an agent to secure IoT, so you’ve really got to put your hacker hat on to solve this problem,” Rouland said.
Google, Amazon, and Apple are the “A players” when it comes to IoT, he said: “They build really good IoT devices.”
The rest of the companies making IoT devices have two types of update mechanisms. “One is an API call, and the other is user-initiated,” he said. “So we do all that. We built the update-all button for IoT.”
But will CISOs actually hit the IoT update button? “I was terrified to ask,” Rouland admits. “But they all said yes or hell yes.”
The startup has five pilot customers. Rouland says two are among the top 10 global technology companies by valuation, one is a financial services firm, one is a national media company, and one is a cryptocurrency company.
Passing the Test
Analyst Richard Stiennon, who covers IoT security at IT-Harvest, says Phosphorus matches his litmus test for success. “The primary thing is the agentless component,” he said. While companies like Cisco take a network-centric approach to IoT security, and some startups like Armis take a behavioral security approach, no one else is attacking this problem from the device, he explained.
The founding team has an impressive resume as well. “The way uber-geeks like Chris [Rouland] work: they see a problem, and they find a solution,” Stiennon said. “Chris has built several successful companies, so he knows how to do that, too.”
Check back in a year after the funding rounds and customer wins. “If they get 20 customers in a year, which they will because the founding team is well-respected, that’s a win,” Stiennon said, adding that Phosphorus will either grow into a successful security company or be an attractive merger and acquisition target.