Chief information security officers long perceived cyber compliance as a check-the-box exercise separate from security, often resulting in a less than optimal security posture.
A West Point graduate and former DHS security leader had the foresight to change that thinking by introducing the concept of converged continuous compliance when he founded Qmulos in 2012. Qmulos provides a compliance, security, and risk management automation platform built on Splunk big data analytics. This founder's journey is based on my interview with the founder and CEO of the Chantilly, Virginia-based company, Matt Coose.
Qmulos is part of the massive global governance, risk, and compliance (GRC) platform market valued at $14.42 billion in 2022 and estimated to reach $27.65 billion in 2028, according to Business Research Insights.
After graduating from West Point and after his 7-year tour of duty in the military, Coose went to work for an ecommerce start-up. “I was running a managed services group, almost like a cloud, hosting servers for Dominion Power and Weight Watchers managing their ecommerce software. And there was a lot of money transacting every day through those servers and I realised how poorly instrumented we were for actually monitoring security and it was really crazy with the amount of dollars going through the systems,” says Coose.
After the September 11, 2001 attacks, Coose transitioned to government service at the Department of Homeland Security, working in cybersecurity. His role was to help the federal executive branch improve its cyber posture. In 2002 Congress passed the Federal Information Security Management Act (FISMA), requiring federal agencies to develop, document, and implement an information security and protection program.
“My group took over the FISMA reporting given my background in the commercial sector, and then listening to all the CISOs for the different agencies talk about their challenges. There was a lot of paperwork they were having to write and report on while spending less time on defending their networks,” says Coose. That process culminated in the creation of the Continuous Diagnostics and Mitigation (CDM) program, one of the multibillion-dollar Homeland Security programs that is still running today.
During this time Coose met Godfrey Sullivan, CEO of the emerging big data and resilience platform Splunk, and learned about big data as the key to cyber defense and to monitoring cyber tools in real time. “Having that experience and seeing the new technology emerge gave me the idea of hacking together a system to help people get better at cyber defense and move compliance away from this manual static collection of evidence and opinion and make it really technical and really valuable. So that’s why I made the jump and started the company,” says Coose.
Prior to Qmulos, technologies in the GRC space were all relational database technologies. Coose likened them to a file cabinet for your compliance policies, holding static data collected by survey. It took Coose and his team some two years to build the relational database needed to monitor compliance in real time.
According to Coose, MIT Lincoln Laboratory (a Department of Defense federally funded research and development center) became their first customer. Today the nearly 100-person company is generating 40% year-over-year growth and partners with Splunk to work with many US security agencies, companies in the large defense industrial base, and commercial companies in industries such as financial services, healthcare, and energy. In May 2022, the company announced a strategic growth investment from private equity firm PSG. The financial terms were not disclosed.
Coose grew up in Northern Virginia, where his dad was stationed in the Army and where he went to high school in Alexandria. He was selected to attend West Point for college. Following his West Point years, he spent seven years in the Army as part of his West Point commitment. “I flew helicopters for a couple years and loved doing it. I was kind of the junior guy in the staff office at the squadron and I ended up kind of being tasked with figuring out how to network computers together. Sometimes it pays to be the junior guy, as that’s how I gained my experience in network computing,” says Coose.
After the Army, he began working at GE, where he earned his Six Sigma Black Belt doing quality control consulting. “But I didn’t love the big company thing. In the Army you have a lot of responsibility. In a big corporation you have a tiny amount of responsibility. So I think that’s what drew me to the startup world, where you can wear many hats and solve big problems,” says Coose. He worked for a start-up after GE, followed by his stint at DHS for seven years before founding Qmulos.
As for the future? “I would love to be the company that changed the game in cyber compliance from this legacy, static system with no security value, to the key thing you have to do to have really good cyber defense. My goal would be to have folks look at Qmulos as the company that changed compliance into something very valuable,” concludes Coose.