Season 10, Episode 163

The Case For Steward Ownership And Open Source With Melanie Rieback

Hosts
Danny Allan

Episode Summary

 Is the traditional Silicon Valley startup model harming the security industry? In this episode of The Secure Developer, Danny Allan talks with Melanie Rieback, founder of Radically Open Security, about shaking up the industry with nonprofit business models. Tuning in, you’ll learn about the inner workings of Radically Open Security as a non-profit organization and the positive impact its donations have had on the open source ecosystem.

We discuss the benefits of a steward-ownership business model, why it pairs so well with open source, and its power to reform venture capital and align incentives with long-term sustainability. For those interested in diving deeper, Melanie shares resources from her startup incubator, Nonprofit Ventures, and her free online Post Growth Entrepreneurship course. Tune in to learn why reforming our business models is vital for preserving and protecting our open source ecosystem and, by extension, security! 

Show Notes

In this episode, Snyk CTO Danny Allan chats with Dr. Melanie Rieback, founder of Radically Open Security, about her journey from academia and pen testing to founding a cybersecurity company with a radically different business model. Melanie shares the motivations behind creating a not-for-profit organization that donates 90% of its profits to the NLnet Foundation, supporting open source and digital rights initiatives. They discuss the discontent with traditional cybersecurity business practices, including lack of transparency and ethical concerns like selling zero-days.

Melanie explains Radically Open Security's structure, operating as a collective primarily using contractors, and how this model has allowed them to grow to 50 people while serving major clients and offering pro-bono work for nonprofits and critical open source projects like the Tor Project and Tails. The conversation then broadens to discuss alternative business models like steward ownership, where profit rights are separated from voting rights, aiming to lock value within the company and prevent mission drift often caused by traditional VC funding.

They explore the concept of "Post Growth Entrepreneurship," which Melanie teaches, focusing on non-extractive business models and reforming finance itself. The discussion touches upon whether the tech industry, particularly open source, is moving towards more sustainable and ethical models, citing examples like Signal, Proton, Mastodon, and Mozilla. Melanie emphasizes that the culture of open source developers is often inherently altruistic, not greedy, but can be compromised by traditional funding systems. Finally, Melanie offers resources for listeners interested in learning more about these alternative models.

Melanie Rieback: “So, steward ownership and open source is a match made in heaven. But of course, most people that are involved with the open-source community don’t even realise that constructions like this exist, but they need to because, you know, with, you know, our times changing and with these technological innovations, you need these business models that will support the commons, right?

We haven’t done it too much up until now. But if you look now at the developments, Signal has become steward-owned. Proton has become steward-owned, Mastodon has become steward-owned, you know? It’s – we’ve got a wave here, you know? And finally, awareness is starting to spread, that we need to equally reform these business models, in order to preserve and protect our open source.”

[INTRODUCTION]

[0:00:49.1] ANNOUNCER: You are listening to The Secure Developer, where we speak to industry leaders and experts about the past, present, and future of DevSecOps and AI security. We aim to help you bring developers and security together to build secure applications while moving fast and having fun.

This podcast is brought to you by Snyk. Snyk’s developer security platform helps developers build secure applications without slowing down. Snyk makes it easy to find and fix vulnerabilities in code, open source dependencies containers, and infrastructure as code, all while providing actionable security insights and administration capabilities. To learn more, visit snyk.io/tsd.

[EPISODE]

[0:01:28.7] Danny Allan: Hello and welcome to another episode of The Secure Developer. I’m Danny Allan, CTO at Snyk, and I am super excited to be with you here today because I’m joined with another former pen tester and someone who has built a super interesting business model at Radically Open Security, and that is Dr. Melanie Rieback. Melanie, welcome to the show. How are you?

[0:01:48.4] Melanie Rieback: Hi, hi, I wouldn’t say I’m a former pen tester.

[0:01:53.6] Danny Allan: Well, is it true, though, that you have a background in security and security analysis?

[0:01:58.1] Melanie Rieback: I’m still working in security and security analysis. I’m running a 50% pen-testing company. So, I absolutely still consider myself to be a pen tester. Although, that being nuanced, of course, on management these days. So, I’m just a slightly more obsoleted pen tester than I used to be, but yes, I’ve been in the field for 25 years. I’ve been a – I’m a former assistant professor of computer science from the Free University of Amsterdam, also where I was doing research on at the time on RFID security and privacy. So yes, but I’m, yeah, I’ve been involved with security for 25 years, so.

[0:02:37.6] Danny Allan: Yeah, I love the security space and probably, like yourself, while I say, I was – am a pen tester, it’s been a long while since I’ve actually been engaged in an actual penetration effort. You get into management, and I guess, that’s the way it goes. Now, is it true that you're still teaching? I know that you have an academic background, or did I read correctly that you're an assistant professor as well at Uni Amsterdam?

[0:03:02.8] Melanie Rieback: So, I was an assistant professor at the Free University until 2012, and that was basically teaching in computer science. So, I was in the computers systems group, and I taught computer operating systems and sometimes in security. After that, I moved over to the industry. So, I worked for Citrix, I worked for ING Bank, and after that, I started my own cyber security company. So, that was 10 years ago that I started the company.

Nowadays, I do still teach, but I actually teach a different topic. I teach now as a lecturer at the University of Amsterdam Business School, and I’m actually teaching something called Post Growth Entrepreneurship, which is basically I talk about not-for-profit business models, and yeah, and basically, just sort of teach ways that we could make kind of next-generation social enterprises and how we can move past the Silicon Valley model of startup incubation.

[0:03:56.4] Danny Allan: Well, I’d love to dive into that because having been in the security space for a while and building lots of software, it is extremely unusual to have an organisation that’s not for profit in this space, and I’m a personal believer that it actually results in a much long-lasting organisation. These exponential companies that are being built now out of Silicon Valley, they’re not optimised for long-term sustainability. So, I guess I’m – let’s just start, what’s the motivation in a not-for-profit type of organisation, whether it be security or not?

[0:04:30.7] Melanie Rieback: Yeah. So, when I started the company a little over 10 years ago, I think my primary motivation was just a bit of discontent with the market leaders at the time, and there were a few things that had bothered me. The first was just that I was working at the time, in the cybercrime team at ING Bank and we had a DDOS incident and some consultants had appeared and basically said, you know, along the lines of, “You know, stand back, we’ll solve, we’ll fix the problem for you and give you a big report and a big bill at the end.”

And I was like, “Great guys, you know, if you’re so elite, you know, I'm sure you can learn something from you. So, I would be very interested in looking over your shoulder.” And then, they didn’t seem very interested in letting me do this. Eventually, you know, I did look over their shoulders and you know, they were using the same open source as everyone else, but they didn’t want me to know that because they want repeat business.

So, I wasn’t super impressed by that, and the other thing also was that around that time, there was some scandals that had been happening with one of our cyber security companies that was building surveillance systems and they sold it to developing countries with authoritarian leaders, and then the hacker community at the time was like, “Hey guys, can you stop doing that? That’s not so nice.” Did they stop? No, they just sold that part of the company.

So, between that and just working with intelligence agencies, hacking activists, selling zero days, I mean, to me, that’s weapon trade, you know? I mean, there was a great discontent through the Dutch hacker community at that time, and I kind of noticed that, you know, the customers aren’t really happy with the lack of openness and transparency, but the hackers are also not really happy with how, you know, the companies are behaving.

And that was when I decided that you know, “Gee, you know, I think actually we need a social enterprise in the cyber security space.” But when you say social enterprise, what does that mean? Because these days, there’s so much greenwashing. You know, it just seems like it’s some layer of marketing, you know, over the usual toxic business models. So, you know, the first thing that I did was a fiscal construction from the Dutch Church called a fiscal fundraising institution.

And essentially, this was a kind of tax construction which basically – so sometimes, churches want to do a commercial spinoff. The profits go with the tax benefit back to the church, but the key here is that it forces the company to send 90% or more of their profits basically to a registered charity. So, I heard about this thing and I thought, “Woah, that sounds kind of interesting,” and thought, you know, maybe we can make our cyber security company the – basically, the commercial spinoff, and then we can make our “Church” the NLnet Foundation, NLnet is like about a 35-year-old charitable institution that donates to open source projects, digital rights initiatives, and anything for an open Internet.

So, yeah, it was a total business model hack, or maybe it was actually precisely using this construction as it was maybe meant for, but nobody had done it before with a tech company. So, we figured, “Well, why not?” right? So, we started it this way. Of course, people didn’t think it was possible to run a company where you donate 90% of your profits to charity and, you know, and still survive.

You know, the last 10% is basically our cash flow buffer that we use to make payroll at the end of every month. Now, don’t get confused, I said that we donate 90% of our profits, not 90% of our revenue. So, what that basically means is our customers pay us market-conforming rates, I pay market-conforming rates to my staff. We reinvest everything we need for growth and stability of the company, including project management, IT and infrastructure, our finance department, you know, a managerial overhead, right?

And it’s only after all of that has been paid and we can even create reserves for next year if there’s a big expenditure coming up, that then, and only then, do we calculate the profits, and then at that point, 90% of that gets donated to NLnet. The last 10% stays within the company, that’s our cash flow buffer, and it accumulates year on year. So, it’s a bit of a ballet with money, it’s not the most obvious way to operate a company, but actually, it’s worked.

And over the last 10 years, we’ve managed to grow to a 50-person company, we’ve had hundreds of customers, including everything from Google to the European Commission, to the Dutch Energy Grid. You know, we have pen-tested COVID apps for the EU and also for several nation-states during the pandemic, including the DCC, the European bar code, the QR code basically in front of the apps.

Yeah, and for the rest, we, yeah, test for everyone, really. I mean, like Core Internet, like Amsterdam Internet Exchange, RIPE NCC, NRENs, but also Telcos, hosting companies, you know, just software companies, not-for-profits, startups, and also we do not-for-profit work on a zero-margin basis at cost price for nonprofits, NGOs, and civil society organisations, and that’s been really fantastic because we have some really wonderful nonprofit and civil society customers.

We’ve also done pen tests on organisations like the Tor Project and Tails and Shadowsocks and GlobaLeaks and Ushahidi and you know – but it also just core Unix libraries, I mean, iTerm and you know, package managers like Homebrew and I mean, we’ve really done a lot of, you know, pen testing on a lot of usual suspects, really, in open source and in civil society, and we’re super proud that we can, you know, be the kind of company that works both for big corporates, you know, to help us keep the lights turned on.

While at the same time, we then use that same spinning flywheel to serve all the smaller organisations and more sensitive organisations that also need the same kinds of services but might not have the same budget.

[0:10:37.6] Danny Allan: I love the ethics and motivation behind starting the company there, especially because I’ve also witnessed kind of the sale of zero days, and I don’t want to call out organisations, but Pegasus and things that are happening in the space that are questionable ethics, and so I love the motivation behind it. A couple of things I want to touch on, though. You mentioned you had 50 employees.

When you’re building an organisation like this, are they employees of Radically Open Security, or are they contractors that you pull in per engagement? Like, how do you scale up to hire 50 people if you’re a not-for-profit organisation, giving away 90% of the profits?

[0:11:19.2] Melanie Rieback: Right. So, we do work more with contractors. In that sense, I think Radically Open Security is kind of more of a collective in that sense, but it was necessary because I mean, I bootstrapped the company without capital. So, basically, working with contractors in the beginning was the only way to do it. As the company grew, you know, I made a few offers to some of the contractors to work full-time, and they were like, “What? You want us to work more hours potentially?” So, you know, so if it ain’t broke, don’t fix it, right?

[0:11:52.1] Danny Allan: Yeah.

[0:11:52.2] Melanie Rieback: So, in that sense, we’ve kind of maintained the structure that we have. It works really well. We also partner with other SMEs as well, other pen-testing companies also, to sort of swap capacity, and it’s really – yeah, it’s just a system that works. You know, we basically build, you know, platforms that are kind of win-win amongst those who are participating. Everyone who is involved is also super –

I mean, it’s not just that we have cool customers, but it’s also just that, you know, seeing that 90% go to NLnet. You know, we’ve donated also over the last 10 years over one million euros to NLnet. Yeah, and a large part of that also went to helping them with also partnering with the European Commission on something called The Next Generation Internet, NGI Zero Project, which actually wound up getting a bunch of EC money, which led to yeah, NGI Zero is actually the largest funding initiative for open source, not just in Europe but in the entire world.

So, there’s been literally a thousand projects over a thousand that have been funded by NGI Zero. No, that’s not all from our donations; that’s from the EC Money, but of course, it was our donations also to NLnet that gave them the financial freedom to be able to work on those grand applications and also manage the project. So, in that sense, I think actually our donations have really had a kind of multiplier effect and yeah.

I mean, and just the kinds of projects that are getting funded, I mean, it’s just all the freedom tools, you know? I mean, all the – just, you know, just open source things that are the glue, you know? And then yeah, I mean here in Europe, of course, it’s also of great importance somehow, so just to try and stimulate the open source ecosystem. I mean, for so many reasons. I mean, in part, because of Geopolitics, which, of course, at the moment, is quite a lively topic.

You know, but even beyond that, I mean, also just looking at supply chain security, SBOMs. I mean, you know, you can sell all the proprietary stuff you like, but it’s still going to have open source under the hood, and if you're also relying on critical national infrastructure, as all of us are, then it also means you need to care for the health and maintenance of open source projects as well.

[0:14:10.7] Danny Allan: It’s one of the major shifts that I’ve seen in the development community, at least, over the last 20 years is we’ve gone from proprietary software to 90% of the stack now is open source components, and I would argue actually there would be benefit of the remaining 10% were contributed to the open source because the differentiation is probably not in the code that is written.

But more in the delivery of the services to the organisations, and actually, I guess it’s a question for you, Melanie. The model that you built works very well in the services-based company, Could or would the model work as well as in a software-based company, to be, you know, completely open in the way that you are? Because often, you need your cash upfront in a software organisation because you don’t have software to start or services you can often start on day one, or is that a myth? Am I not understanding it correctly?

[0:15:04.3] Melanie Rieback: Yeah, that’s a very good question, and I think the truth is somewhere in the middle. You can use services to bootstrap product. We’ve done that in my own company, we – by delivering cyber security services, we essentially kind of almost like, crowd-funded, you know, the production of a pen testing documentation and automation system. Because we didn’t have any investors that put up capital for it, it basically meant we were able to open-source it and give the whole thing away for free, and we even made it an OWASP Project.

So, it’s called OWASP PenText; that’s one example. However, of course, there are things that you cannot bootstrap in that way, and I think in those particular cases, there’s two other things we need to consider. One is that venture capitalists, you know, they – finance itself can also be reformed. So, I’m a big advocate of a business model that’s known as steward-ownership. So, steward-ownership, essentially, what this means is that the real definition is that you’re separating profit rights from voting rights.

So, what it means is that if anyone is extracting financial value out of the company, they don’t also hold voting shares that exercise voting control over the operations of the company, so – but you can have stronger versions of this, which also includes something called asset locks, which basically means that you are locking the value of the company inside the company. So, very frequently, this happens with constructions that are known as golden shares.

And what this is, is this is a share of voting stock with voting rights but no profit rights that enables the holder to veto certain governance operations, and this can be things like mergers and acquisitions, dividends out of the company, even just changes in your mission and statutes if you wish. Basically, what this means is we’re trying to create a company where you literally are locking the value of the company inside the company, which means that everything is then reinvested.

Now, the interesting part is that you can do the same thing with investment funds. So, you can actually take a VC fund and then apply a steward ownership model to it, and then what you can do also is VCs are paid by fees, basically. So, if a company grows exponentially and exits, they will tend to get 20% of this. It’s known as carried interest, and there’s also a 2% management fee on the money of their investors, the limited partners generally.

Now, the point is, you can change this fee structure, so you basically get rid of this carried interest. In other words, you get rid of the incentive to grow exponentially and exit with these portfolio companies, and then you also reform the 2% into the cost of running the business, assuming middle-class salaries and pension. Now, the point here is what you’re actually doing is you’re creating a not-for-profit VC fund, in the same way that Radically Open Security is a not-for-profit cyber security company.

So, what you’re doing is you’re fundamentally realigning incentives of the venture capitalist. Now, I think for the – coming back to your question, if you then want to fund open source projects or any other kinds of projects in a way that they are incentivised to serve, in other words, making the world more cyber secure rather than just optimising for growing exponentially and getting acquired.

Then basically, if they get funding from such a kind of financially non-extracted VC fund, then that actually sort of changes the incentives and in such a way then that the whole thing, I think, is relatively okay, and you can have longer discussions about this. I apologise that I’m getting slightly technical now with finance, but look, I mean, the stuff basically – I think the TLDR of all of this is finance and entrepreneurship itself are basically machines.

And that we need to take a hacker mindset too, and I think until we actually start understanding how it works, you know, and sort of understanding how to kind of disassemble with it, tinker with it, you know, put it back together, probably wrong, and of course, most importantly, where do we stick the ice pick, you know, to make it behave differently. You know, I mean, this is basically, I think, what we need to do to be able to fix capitalism, and these are really major issues.

So, you know, in that sense, I think it’s of great importance for open source because oftentimes, open source gets mission drift. It goes freemium, right? We all know freemium, and most of us dislike freemium. You know, for those of us who have been in cyber security for a long time, you know, maybe we can remember the moments back when Nessus was free, you know, completely open source and free, back when Metasploit was free, back when Snort was free. Back when, you know, I can go on, you know?

[0:20:01.5] Danny Allan: Yeah.

[0:20:01.8] Melanie Rieback: And these discussions, you know, don’t go away. I mean, you know, we’re having that same discussion now with Semgrep, so you know? So, the point here is, you know, part of the reason why this whole movement towards freemium is happening, you know, and then we’re lucky, you know, as consumers if they don’t just torpedo, you know, the community open, the true open source community version at a certain point.

You know, and a large part of why this happens is because of the incentives that are embedded by VCs. So, steward ownership and open source is a match made in heaven, but of course, most people that are involved with the open source community don’t even realise that constructions like this exist, but they need to because, you know, with, you know, our time is changing, and with these technological innovations, you need these business models that will support the commons, right?

And we haven’t done it too much up until now, but if you look now at the developments, Signal has become steward-owned, Proton has become steward-owned, Mastodon has become steward-owned, you know? It’s – we’ve got a wave here, you know? And finally, awareness is starting to spread that we need to equally reform these business models in order to preserve and protect our open source.

[0:21:20.9] Danny Allan: Well, I love the approach, and I’m going to come back to technology in a moment. I have to ask one more philosophical question just because I’m interested. Are we really discussing a shifting culture away from greed? Because typically, organisations right now, and I’m going to associate this with security because I always say, the technology is the easy part, right? It’s the culture, shifting of culture to be security conscious.

That’s the hard part, and what you’re really describing is culture away from greed and profit, to one of magnanimous contribution back to the community, and if you look at the business world right now, less than 1% are focused on giving back. 99% are all like, profits, profits, Wall Street, you know? How do you – this is a philosophical question. How do you shift the culture away from a greed-based culture to a give-back-based culture? Is it just awareness, education?

[0:22:17.2] Melanie Rieback: Yeah, a couple of things. First, if you’re talking about techies, hackers and open-source developers, I do not believe they’re greedy.

[0:22:27.1] Danny Allan: Okay, yeah.

[0:22:27.8] Melanie Rieback: I’m sorry, I don’t. I think most hackers, and I think most open source advocates, are extremely passionate, and I think they are not greedy at all. This is why they choose for open source in the first place, they care about building something great. They care about getting used, they care about making the world better. That is not a culture that we need to change. You know, that’s a culture that’s already there.

Now, the problem though is that when we try valorising open source, if you had, for example, a grant or subsidy-funded project, most of the time what happens is they will start up incubators, you know, the Y combinators of the world, and they will pair them up with VCs, and the moment that a VC gets involved, it’s a lost cause. You’ve basically, you know, lost before you’ve started because it irrevocably embeds, you know, this financialisation into the company in a way that the open-source project founder never intended.

But the problem is they don’t understand enough about what’s happening with incubation and with investment, with venture capital until they’ve been through it once, until they’ve been through the rollercoaster, and then they realise when they get spat out at the end that, “Hey, wait a minute, this didn’t end well.” But the problem is most, you know, techies don’t care about business, and they don’t want to think about business because “money is evil,” right?

[0:23:51.6] Danny Allan: Right.

[0:23:52.0] Melanie Rieback: I mean, so many of us kind of are a bit anti-capitalist that you know, but the problem is we need to know because I mean, what you don’t know can hurt you, right? I mean, taking security, right? So, you know, so the point is, I mean, we need to actually understand the threat model that we have here, and most developers do not, and look, I’m not meaning to say either that the venture capitalist are bad because most of them are also really great people, you know?

They’re the kinds of people you can have a beer with if you meet them; many of them care, many of them care deeply, but the problem is they too are embedded into a system, and it’s good people embedded into a toxic system because even the venture capitalists, they have this pesky thing called fiduciary responsibility, which makes them legally liable, like literally criminally liable, you know, if they do not, you know, maximise the, you know?

Well, I mean, you can interpret fiduciary, what exactly what fiduciary responsibility means, but it’s typically particularly in the States, you know, interpreted as pecuniary factors. Yeah, so the point is even if they are well-meaning and want to do it differently, they literally can’t because they are also held to hostage in the same structure, and even their investors, the limited partners, and also you know, pension funds, and you know, they too are caught in their own structures.

So, the problem is not the people, who are mostly well-meaning; the problem is the system, right? And we know that the system is the problem; we know that, you know, problems are systemic, but then when you, again, when you ask people what is the system, they can’t tell you. They don’t know, and the devil is always in the details, you know? So, the point is that we really need to study these details, you know, in order to – and look, not everyone has to study them because I mean, most of us are probably busy hacking stuff or creating software.

But what we can do, though, is build upon the great work of those who have studied it, right? I mean, the same way with open-source contracts. You know, we have leaned upon the wonderful work that was done, you know, by the Richard Stallmans, you know, and the Eric Raymonds, you know, and the Linus Torvalds, you know, all the people who really have put so much thought into open source, into licensing, into how to build community, you know?

I mean, that’s great but also for these new business models now, there’s similar people thinking about it like the Purpose Foundation that’s spending a lot of time on steward ownership as a concept, and of course that also follows in the legacy of, you know, the cooperative movement, also foundation ownership, which has gone way, way, way back. I mean, not just to European historical examples like in Scandinavia.

But I mean, you know, the concept of endowments, and you know this goes all the way back to like biblical times. So, I mean, we’ve been, you know, considering how to make self-owned companies or more sort of, you know, common good-oriented companies forever. It’s just that it seems in the last 50 years like we’ve forgotten.

[0:27:04.5] Danny Allan: Yeah, it’s – and I think you’ve started in the right place because the one thing that I strongly agree with is that the security people having anti-system mentality, “How do I break it, how do I give back?” And it’s not greed, to your point. In fact, it’s why you sometimes see hackers that hack for political means mostly because they’re angry with, you know, the other side.

Now again, I think we should – I would stay out of that myself, but I agree with you, it’s not greed-based. It is actually more altruistic in nature. So, if you’re going to start a company that is looking at this, you’re a software developer, you’re going to build a company around this, I can imagine that you run into issues with building a culture, especially if you have a lot of contractors who are wrangling the – herding the cats, whatever the term is.

How do you do that in a nonprofit with a lot of contractors to set a culture that puts everyone pointed in that same direction? Because I assume that you had to fight with this as you were starting the company Radically Open Security.

[0:28:08.6] Melanie Rieback: Yeah. I mean, I think culture is difficult no matter what you’re doing and structure is. I mean, just because, of course, you are dealing with people, and people, I mean, you know, I’m your usual sort of semi-autistic tech geek. So, like my motto is, you know, technology is easy, people are hard.

[0:28:26.9] Danny Allan: Yes.

[0:28:29.4] Melanie Rieback: But how have I done it? I mean, in part by trying to lead by example, and in part by making a whole lot of mistakes. I mean, you know, that’s what it is. I mean, any time you start something, absolutely you’re going to be doing things wrong. You know, you’re sometimes going to have conflicts with people, you’re sometimes, you know, going to get up on the wrong side of the bed and say that thing you regret later.

I mean, it’s just, you know, it happens to all of us. I mean, I think that it helps if you can embrace things like horizontal organisation. So, I’m a very large believer in, of course, yeah, methodologies like holacracy and sociocracy, and I use this somewhat hybrid form of holacracy within my own company. I mean, it’s still hierarchical, I think, at the center of the governance just because I used to lead directors that are written into the Chamber of Commerce.

But you can try and find your own balance with that, and then beyond that, I mean what I’ve done with non – with sort of Post Growth Entrepreneurship, which is sort of this methodology for “not for profit businesses” or non-extractive businesses, I’ve tried, I’ve attempted in that sense to create almost a kind of culture document for the company. You know, I mean, I in part, you know, wrote everything down because for myself to scratch my own itch with it.

And then, also in part, a whole lot of other founders were approaching me saying, “Hey, Melanie, I would like to create a similar company, could you help?” So, you know, that was when I really developed the whole methodology. I also put it in the larger macroeconomic framework of new economics and wellbeing economy just because I felt like it fit really well, and I think you need to be a little careful about some of the terms, though.

Like, degrowth, in particular, has gotten super politicised, and it’s quite widely misunderstood these days, so I typically use the term post-growth instead, but even that is getting politicised now. But I think really just the point is just again, like really realigning incentives and really taking a systems thinking perspective to entrepreneurship, and I think that’s really the core and the essence of it.

[0:30:48.6] Danny Allan: You think that that type of software company is more in line with people who have, I mean, experience or maturity in the space, or do you think that there’s a model here for new graduates coming out of school to be entrepreneurs in this type of organisation? I haven’t seen a lot of it in the United States, maybe there’s more in Europe. I guess I’m just – is it more in line with people that are further along in their career or early, or it doesn’t matter?

[0:31:15.5] Melanie Rieback: Yeah. So, I mean, first of all, start with employees. I think that anybody could be employed by a company like this because we basically just take other people along for the ride as entrepreneurs, you know? And plenty of my, you know, hackers at Radically Open Security, some of them don’t really care, you know, about this stuff, and you know they just want to break stuff, so.

[0:31:39.1] Danny Allan: Yeah, paycheck to paycheck, and I like breaking software.

[0:31:42.1] Melanie Rieback: That’s it, and they shouldn’t need to be interested in working that. I mean, like, that should be enough because that’s what the company does. Yeah, and beyond that, I mean, as for the founders themselves, I found personally that there is a greater resonance with this with people later in their careers just because younger people tend to see startups portrayed very romantically on places like Netflix, you know?

And just, you know, sort of pop culture kind of you know, you sell your company you get lots of bling, you know, buy your Lambo, whatever it is. You know, it just resonates with some young people, not all of them, but some of them, but I think though that once people are in their 30s, 40s, 50s, you know, the honeymoon is over because you know we worked, you know, for corporates for a while, and we’ve perhaps also worked in startups.

We’ve seen what happens also with venture capitalists and when things are acquired. You know, maybe we’ve been through it before. I mean, it’s not that you know, there’s even founders who have sold their companies, and had a bad experience with it, and then said, “You know, next time I’m going to do it differently.” So, I think that in that sense, it’s going to be easier for those who are older and who have more life experience and work experience. I mean, I think anyway older founders are more successful in general anyway.

[0:32:56.7] Danny Allan: Yeah.

[0:32:57.2] Melanie Rieback: From personalised, a set of reasons, but I think for the younger people, it’s more just anxiety. I mean, climate anxiety, just polycrisis anxiety, yeah, I mean. So, I mean, there is a certain number of them too, I think, who would be interested in exploring this, but of course, they still do need to accumulate the life experience to be able to, I think, have the insights, and the network, and the experience.

Also, to understand how to pull this off, and it’s – I’m not – I would never say that young people can’t. Of course, young people can, and some of them are very charismatic and very energetic, and most certainly they can, but I do think though that older people have an unfair advantage.

[0:33:38.8] Danny Allan: Yeah, I – my career trajectory, I started in the public sector as a complete idealist. Now, I went over to the private sector 25 years ago because I had issues with some of the things that were happening in the public sector that probably we’re not supposed to talk about in the middle, telling your intelligent space, but I can see why after a period of time in the public sector, you – sorry, the private sector, you want to go back to build this type of organisation.

Who do you hold up? What organisation, software organisation, you hold up as being an example of an organisation that has done this well, or are there big organisations in the software space that you would say are close to this model or near this model?

[0:34:24.5] Melanie Rieback: Yeah. I think a really nice one is Mozilla.

[0:34:28.2] Danny Allan: Right, yeah, of course.

[0:34:30.7] Melanie Rieback: I mean, they’re a great – they’re a wonderful hybrid between a foundation and a commercial company.

[0:34:36.6] Danny Allan: No, I like that. You know, Mozilla has always had an impressive ethos towards building browsers, and it’s actually resulted, I’d argue, in perhaps better privacy policies and security policies than some of the commercial browsers that you see. So, that is a great example.

[0:34:54.0] Melanie Rieback: Absolutely. Yeah, I mean, another thing also is if you consider things like Shadowserver. You know, I mean they’re run as a foundation. I mean, Team Cymru was also that kind of a hybrid for quite a while, National CSIRTs.

[0:35:07.8] Danny Allan: Yep.

[0:35:09.0] Melanie Rieback: You know, I mean that’s all – I mean, it’s public sector, but if you consider some of also the wonderful innovations, and software. If you consider it like threat intel sharing and MISP, you know a lot of that has come out of National CSIRT teams. So, I think that there’s absolutely, you know, a lot of wonderful innovation also coming out of sort of more not-for-profit oriented kinds of organisations, but I think we just don’t pay attention to that enough.

[0:35:34.1] Danny Allan: I love the conversation, the topic. Usually, we delve into coding and security and those types of things, but I think it’s a higher-level meta point on the industry itself on how it can evolve. Maybe just finish up on that. What has you most excited about where the industry is going? Do you see hope in the future for better software organisations and a realignment towards a post-growth world?

And the reason I say this is my only visit at the current growth trajectories of software companies is unsustainable in the long-term, like it can’t keep going. It’s going to burn people out, it’s going to burn the industry out. You maybe disagree with that, but what gets you out of bed in the morning? What makes you optimistic for the future?

[0:36:17.6] Melanie Rieback: Yeah. So, I mean, what makes me optimistic is that really awareness of the importance of governance and ownership is spreading, and it was like I mentioned before with just, you know, the gradual adoption by some of these prominent digital liberty kinds of projects, right? You know, it’s people are saying this, and you know, it’s sort of the snowball is starting to roll down the mountain.

And I think as people see it that we’ll build more mind share, and it will become more normal to do. So, I think that that is going to grow in adoption. I also think some of our national efforts that we’re also having. I mean, the fact that now also in Europe we have basically a steward ownership legal form initiatives that have made it through the parliaments in multiple EU nation states. I mean, Germany basically was the first.

You know, the Netherlands is the next one, but you know, hopefully, this is also going to continue spreading in more locations, right? I mean, because we actually started the whole thing just by putting up a petition. That was sort of enough to get the issue raised in the parliament, and it got through successfully on a vote. So, basically, you know, I think more EU nation states, you know, can easily start to pick this up.

I think also even the US. I know it’s not going to be the lowest hanging fruit, but I think that at least, you know, by the act of trying, you know we can at least really start to put it on people’s radars, and the thing is we need to make sure it also doesn’t become politicised because it’s very easy also I think to stamp this kind of stuff as, “Oh, it’s idealistic woke,” you know? But it’s actually it doesn’t have to be like that because if you also consider things like geopolitical factors and national security.

Then you start also understanding why corporate governance is important, you know? I mean, in the Netherlands, for example, I mean, we had one incident where there was a company making monitoring boxes, and at a certain point, the company – well, basically the boxes were all throughout defence, the corporate world, you know? And eventually, they got acquired by the British, and then the entire Dutch ecosystem let out sort of a collective.

Like, “Oh shit, you know, our data is going to the British.” Like, hello GCHQ. So, you know, they all jumped ship and then moved over to a different startup that had actually spun out of the same company that was making similar monitoring boxes, and they figured, “Well, at least it’s a good Dutch startup, right?” And then, of course, what happened next is predictable, right? You know, they go to the incubator, they get a venture, they get a VC.

And then two years later, I really read the press release. Yeah, congratulations to this other startup. They just got acquired by the Romanians. You know, leading us to ask the question of like, you know, will we ever learn? And yeah, it actually turns out the Dutch government did learn because they started requiring Dutch cyber security companies that were involved in critical national Dutch infrastructure to give a golden share to the government to prevent them from being able to sell it to other unauthorised companies.

So, really posing it in this way, I mean, do we want our young tech companies that we’re incubating to be sold, you know, to you know, in the case of Europe, do we want it to be sold to the States? Do we want it to be sold to China? Do we want, you know? I mean, and it’s just it is a matter of national sovereignty, both data sovereignty as well as just operational sovereignty for serving our own citizens.

You know, similarly also in the Netherlands, there was a company that had built vaccines, you know? And it was a spin-off from a line university, and then, of course, they went through valorisation, but then they got – went to the academic incubator, got hooked up to the VC, you know? Of course, what happens next is predictable: they grow exponentially, get acquired by the Americans.

Then along comes the pandemic, and then suddenly, vaccines are really a hot topic, but the US owners of the company forced this Dutch company to serve the US market before it was allowed to serve the Dutch market, you know? So, we really need to be asking ourselves the question of are we actually serving our own country, and why is it that we’re enabling foreign interest, you know, to interfere with our local companies, and how do we keep, you know, how do we keep Dutch companies Dutch?

How do we keep American companies American, you know? And in this sense, I mean it can be a bit populist too, so you know, and I think we need to be able to explore it and also to respect it from all of these angles.

[0:41:10.9] Danny Allan: Well, I love what you are doing. Like I said, I don’t think before this podcast I’ve heard of very many not-for-profit security organisations, let alone security development, but I do think the concept is very appropriate, and not just in Europe but in American models as well, and like you, I believe that most security people, and developers in general, actually are give-back, contribution-type people.

In fact, many of the people listening to this podcast are. So, thank you for sharing. If they want to – if they want to learn more information about the corporate structure, where do they best learn that, Melanie? Is it on Radically Open Security, or do you have a different location that you point people towards?

[0:41:53.4] Melanie Rieback: Yup. So, good question. So, I run a startup incubator called Nonprofit Ventures.

[0:41:59.9] Danny Allan: Okay.

[0:42:00.1] Melanie Rieback: You can basically find it at nonprofit.ventures. I also mentioned earlier that I teach a class called Post Growth Entrepreneurship at the University of Amsterdam Business School. I recorded two years ago the entire class, and I put it for free online, on YouTube, with a Creative Commons license. So, it is an entire –

[0:42:20.3] Danny Allan: That’s a good model.

[0:42:21.7] Melanie Rieback: Yup, that’s the model. So, basically, it’s 11 hours of content. So, it’s a considerable sit, but if you really, really, really want to understand how business and finance works from this kind of a lens, I would highly recommend that you have a look at these videos. Another thing that I’ve also seen people doing also is starting watching groups for these videos, and what they’re doing is they’re meeting with, let’s say, a dozen people, and they’re just like, going through one or two videos a week, and then having guided discussions on it.

And that’s also sort of a way to be able to get your own little, like mini, you know, learning circle going in your own local areas, as well as also discussing how to apply this also to your own context whether it’s your own geographic location or your own industry, so.

[0:43:11.2] Danny Allan: Well, that’s fantastic, Melanie. Thank you for that, and we’ll put a link in the show notes to those resources, and thank you, everyone, for joining us for another episode of The Secure Developer. I loved the conversation today, and let’s go out and change the world as we build software securely and more efficiently.

[0:43:27.1] Melanie Rieback: Thank you.

[END OF INTERVIEW]

[0:43:30.4] ANNOUNCER: Thanks for tuning in to The Secure Developer, brought to you by Snyk. We hope this episode gave you new insights and strategies to help you champion security in your organisation. If you like this conversation, please leave us a review on iTunes, Spotify, or wherever you get your podcasts, and share the episode with fellow security leaders who might benefit from our discussions.

We’d love to hear your recommendations for future guests, topics, or any feedback you might have to help us get better. Please contact us by connecting with us on LinkedIn under our Snyk account or by emailing us at thesecuredev@snyk.io. That’s it for now, I hope you join us for the next one.
