Former White House Cybersecurity Advisor On The Importance Of Sharing

What does that mean for the government? Do they have to overhaul their entire contracting process to fix this?

I think they have to make it easier to hire and fire. Firing is probably a bigger deal than hiring. It's very, very hard to move ineffective people out. By that, I'm not busting on everyone in the government, but the ability for the government to keep speed with what's actually happening is exceptionally difficult. Everybody assumes that the government knows a lot more than the private sector, but that's just not the case. Government is not going to shift quickly. I think there are some interesting moves afoot in the use of the cloud. If you look at AWS and CIA's adoption of AWS, I think they might be able to do a heck of a lot better if each agency didn't seek to run their own IT infrastructure. That could probably help. That's painful, especially when you bring in the jurisdictional issues on Capitol Hill. It's an ugly game. It's a very political game. It's definitely not an even field.

Talk about TruSTAR Technology. What is that and how does that address these challenges?

I had this idea that if only we could get better at sharing incident data and if I could develop a product around it that would enable that, along with collaboration and correlation, that might be a lot of fun. That's what I've done. I've been following the space for a long time and what I see is largely failure on the enterprise security side, not because security products are bad, not because people don't care, it's largely because it's far easier for the bad guys to tear apart the good guys. They have it easy. If you're a CISO today, you have a real challenge of trying to keep things up and running and not be attacked and when you're attacked you're all alone. I want to change that paradigm. I want to make it far easier for the people to work together and do intel and that's what the platform is about and incentivizing people to share data is what it's all about.

Is it like crowdsourcing? Is that a good comparison?

Change crowd into company. The information sharing mechanisms that have been out there today so far, such as the ISACs, are okay but they've struggled in many ways. One, they're often seen as a government portal. You might not share because government might come wanting more info about the incident. The real issue, though, is market reputational risk – you don't want to share right away in those forums unless you have some sort of protection. That's where anonymous authentication really helps out.

People share with their buddies. We can't have these ad hoc exchanges going forward because the bad guys just continue to take advantage of it. As the OPM, United and the health insurance company hacks indicate, the bad guys are using the same infrastructure to go after different sectors. That's the paradigm shift that I'm trying to change. We can't just be enterprise security focused, we have to be able to share and share effectively.

What happens when an organization finds something? How do the other organizations put that into effect?

Most enterprises, but not all, have a standard response protocol in an incident...but in general we can take a Word document, we can take a PDF, we can take STIX and upload it. We are actually just now rolling out a web-based agent, and you use that to generate the report and send it to us anonymously.

Is this the piece that the security industry is missing? Or is it a piece of the puzzle? How do you look at it?

I would like to say that it's the piece that's missing, but it's not a panacea. In other words, we have to continue to do enterprise security. Palo Alto has to work, Symantec has to work, FireEye has to work, you have to use your multi-factor authentication, you have to continue to educate your employees...But, everybody is going to get hit. When you get hit, what has been missing is the ability to share that data quickly and be able to work together going forward. That's what's missing. There are those who would argue that that's been around, but it's been a government-facilitated effort and that spooks people. I think this infrastructure for company-to-company sharing is the missing link.