Accidental Entrepreneur: Cryptography Research President Paul Kocher (Part 4)

Posted on Sunday, Dec 21st 2008

SM: What kinds of people come to you, and how do they find you?

PK: Hiring is our most difficult problem. If I were to pick the thing that most limits us in doing the things we want, it would be finding people who simultaneously meet our three criteria: we want people who are technically brilliant, communicate well and are fun to work with. It is frustrating for us because we find plenty of people who have two out of the three. It is really, really hard to find people who have all three attributes and to recognize that in the interview process.

I am sure we have interviewed people who have all three and we just did not recognize it. We had one bad hire where we thought we had those attributes and we didn’t. I know interviewing is a horribly imprecise process.

SM: Trying to evaluate all the capabilities of a person in a matter of hours is very difficult.

PK: It is also a high-stress environment for that person, so seeing how someone behaves in that type of environment is interesting, but 99% of the time on the job, we do not want people who are stressed. We want them to be comfortable. We want them to do what they really enjoy doing.

SM: Are people coming to you, or are you searching for them? I ask because there is a lot of naïveté in the world of business about where people seek work. There is conventional wisdom that if you go work for a company that is heavily venture funded, that is a great place.

PK: Usually the people we are hiring are not straight out of school, although we have made some exceptions. They are folks who are already involved in security. Word of mouth plays a big role. We are unique in that we are working on systems that are widely deployed. There is a huge amount of security work focused on meeting compliance requirements such as Sarbanes-Oxley or HIPAA. I am allergic to those kinds of projects. You are not solving a problem in the technical sense. Whoever can solve that problem for you the cheapest is the person to go to. That goes well in a consulting model where there are a few smart people and lots of junior people to work the billable hours.

For us, services consulting is less than 5% of revenues. We do it because it is a great way to learn more about who people are, what the challenges are, and to solve problems for customers. We usually do our projects on a satisfaction guaranteed basis; we tell our customers not to pay unless they are satisfied.

SM: I think identifying the most critical problems in the industry is the biggest benefit of that model. Being able to touch the problems really has to help your IP business.

PK: Absolutely. RSA had RSA Labs on one side and people who were selling and making stuff on the other side. There was much less mixing than I thought there should be. My view is that an academic paper is a fine thing to do, but is not really the true result of research. It was a great place and I am not trying to be critical at all.

The folks working with me here spend time in front of customers even though they are researchers by training. They will do engineering, get their hands dirty and understand what the user interface and customer service impacts are. They know how to fit into a legacy system, and they know what to do in order to get a system rolled out. In comparison, the academic paper would allow the environment to be defined and conclusions to be drawn; however, those conclusions are not mapped to the real world.

SM: Let’s move back to the chronology of the company. After you did the SSL project at Netscape, what was your next move?

PK: We had done several hundred different projects for different companies. Most of them are confidential. We typically get called in by someone who was at a company that was a client of ours and has since changed jobs. In their new role they call us in for their newest challenge. The mixing in Silicon Valley is just great for that. People switch jobs, and that plants seeds for us. Usually the situation is that a company has rolled something out and it is being attacked, or they are building a new product and they bring us in to do a design review.

About the same time as the SSL project I started an effort internally to look at a way to secure semiconductors. I wanted to figure out how to put keys into them that could not be pulled out. That remains one of the areas I am really fascinated by, for many reasons. The core problem is, how do you make something that can prove its authenticity or do something that a person cannot copy? Cryptographically it is a straightforward problem. You put a key in it, and you put an algorithm that uses that key to decrypt data, but the key itself should not be something you can solve mathematically.

When somebody starts prying the chip apart or measuring the power consumption of the chip to observe variances and make inferences about what the keys might be given power measurements, it becomes an incredibly difficult problem.

This segment is part 4 in the series: Accidental Entrepreneur: Cryptography Research President Paul Kocher