Hello, Sym: Announcing our Series A

Ode to the Accidental Security Engineer

Here’s to the accidental security engineers. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently.

To every engineer who’s ever spent a day scratching their head, wondering how to comply with a new security policy.

To all those lost sprints building annoying primitives that “have to exist somewhere already”.

To all the stressful weeks of getting pulled off new features to help prepare for an audit.

To every web app, Slack bot, CLI, and microservice that was hacked together to help roll out a new control, only to become a pain-in-the-ass to maintain.

It was us. We’ve been the ones tasked with building this mess. Constantly trading off velocity and security. But no more. We’re going to solve this problem, together, once and for all.

Enter: Sym.

Hello, Sym

Sym is the security workflow platform made for engineers, by engineers. We solve the intent-to-execution gap between policies and workflows by providing fast-moving engineering teams with the just-right primitives to roll out best-practice controls.

Our hand-crafted Terraform templates let you easily provision instances of common security controls, while our Python SDK unlocks ridiculously simple customization to meet your team’s needs and integrate with existing tools. We’ve got our sights set on fixing the “Build vs Buy” problem with security workflows… the problem being that both options currently suck.

I’m overjoyed and humbled to share that we’re not embarking on this quest alone. We’re off to the races with a $9M Series A led by Sunil Dhaliwal at Amplify Partners, following hot on the heels of a $3M Seed led by Robin Vasan at Mango Capital and Andy McLoughlin at Uncork Capital.

They say “never meet your heroes”, but with participation from security & technology executives at GitHub, Datadog, Atlassian, Google, Bugsnag, and Segment, alongside early design partners like LaunchDarkly, we’re sure glad we met ours!

We’re excited to unveil our vision to the world, and announce that we’ve partnered with some of the best investors, engineers, and leaders in the industry to tackle this mountainous problem space. Every single person behind Sym has experienced our struggle first-hand (phew, we’re not crazy!), and won’t rest until we solve it. Let’s do this!

How’d we get here?

Story time! I met Adam and Jon when I was a freshman at MIT. I distinctly remember walking into the Startup Career Fair wondering how I could circumvent the “no freshmen” rule most companies seemed to have when hiring interns. A friendly senior had let me know to watch out for the scores that recruiters would scrawl on resumes before haphazardly throwing them on the pile. A week prior, I watched a Facebook recruiter scratch a “1” onto mine, circling the sad number repeatedly before smiling and telling me to have a nice day. My world fell apart. This week was going to be different.

After having a great chat with this guy named Vlad (Robinhood wasn’t a Big Deal yet), I ran into Adam. He was the VP of Engineering at a Boston-based company called Localytics, and seemed as relieved as I was to be having a conversation. I hesitantly bought into his pitch, and scheduled a time to come onsite. Little did I know, that thoughtless commitment would totally change the trajectory of my life, and one day be responsible for the founding of Sym!

The first meeting was uneventful, or so I thought. I showed up 30 minutes late to a rather exasperated Adam lecturing me on the demerits of interview tardiness. Throughout the years, I’ve grown very accustomed to that frustrated expression 😅. Though I’m still notoriously late for most things in life, I’ve never again failed to be punctual for a job interview!

Against his better judgement, Adam brought me on as an early intern at Localytics. It was my first job, and he was my first boss. I learned the ropes (read: how to ignore everyone’s advice while minimally pissing them off), and got to collaborate on some really fun projects. Jon (our third cofounder) spent a lot of time reprimanding me.

We spent the rest of the summer fighting working together, and ended with a particularly controversial project where, against the better judgement of basically everyone, I pumped out a heap of flaky Javascript code for saving reports, and then peaced out from the company ✌️.

I’m extremely grateful that over the span of a decade, I stayed in touch with these two. Our relationship evolved, from manager-intern, to mentor-mentee, to peers, to cofounders. When I stepped away from my last company to start Sym, those two were my first call. And boy, am I glad they were.

Evolution of Sym

When Jon, Adam, and I sat down to build Sym, we wanted to solve a very simple problem: every engineering org we know in a heavily-regulated space was building the same damn tooling. Coming from healthcare and enterprise SaaS, we’d seen permutations of the same few workflows time and time again throughout our careers. A way to grant engineers temporary access to infrastructure? Check. A way to approve one-off queries? Check. Something to make quarterly risk assessments suck less? Check. Chat-Ops for approving outgoing deploys? Check.

The crazy thing was, these seemed to be ubiquitous across companies, compliance standards, even industries. Chatting with fellow founders about stuff I’d built to help keep my team productive would always result in one of two reactions: “oh yea, we built the same thing! let’s trade notes…”, or “oh shit, we should have built this years ago”. So we came up with a crazy idea: what if we just build all this stuff once, and put it out in the world for everyone to use? We were going to start with HIPAA-induced workflows. Sym: HIPAA in a box, for engineers. Of course, things rarely work out that simply.

We rapidly discovered something while talking to potential users: our hypothesis that everyone is building tools for the same workflows was a bit off. It wasn’t the case that everyone’s workflows were identical, but instead that they had the same shared core. It turns out, what most teams do is they start by building the same primitives, and then they layer on customizations that reflect existing processes and tools. So, we adjusted our approach to match this revelation.

Today, Sym is a set of workflow templates (primitives) for engineering teams working on improving security posture, and a suite of integrations (customizations) that connect those templates to existing systems and policies. Our mission is to enable any team to effortlessly build unobtrusive security and governance workflows, so we make sure to meet developers where they are: our primitives are exposed as Infrastructure-as-Code, and our SDK captures last-mile variance in workflows. The tools we use to distribute Sym Workflows are Terraform and Python, but your organization doesn’t have to be familiar with either to use us.

With Sym, you can roll out many common security and governance workflows with ~30 lines of declarative config and a couple function body definitions. Our goal is for you to blow your InfoSec team away; bring speed, sophistication, and thoroughness to your controls, without losing a whole month each time. Beautiful dashboards with just-right reports will materialize, without a single tedious line of logging code.

We’re currently live (in production!) at a handful of public and private companies in the Healthcare and B2B SaaS spaces. Our initial workflows focus on governance and just-in-time access of cloud and app-level resources.

Our latest customer is locking down SSH access by rolling out AWS Session Manager tunnels as the preferred way to connect to instances, with the IAM Role required to use SSM protected by Sym. This is one of many examples where we’re able to help infra teams adopt cutting-edge cloud offerings while increasing security posture. If this sounds like something that you’d like for your team, please reach out!

But what about X?

We’re in a crowded space! Luckily, we see the world with a unique lens. Sym brings an emphasis on developer experience, opinionated workflows that codify best practices, and an aspiration to be the bridge between Security and Compliance. The jury’s still out on whether we’re totally brilliant or totally out to lunch.

Our vision at Sym is to become the de-facto standard for implementing and showcasing security posture. Importantly, we’re not setting out to be a middleman levying a tax on the system. We saw enough of those in our healthcare days. Instead, we’re striving to improve the status quo for every stakeholder in the security equation; our place as the obvious-choice bridge between security and compliance will be an emergent property of the system we’re fighting to improve.

We’ve got a long way to go to make that vision a reality. In the interim, we’re tackling several problems plaguing our friends and colleagues.

Security intent-to-implementation gap

A security intent-to-implementation gap is endemic in our industry today. Experts are laying out guidelines, policies, and best-practices, only to be foiled by the gargantuan effort required to implement workflows that reflect these intents. And to be honest, we can’t really blame engineering teams for this. As an industry, we’ve learned not to roll our own crypto, because it’s so easy to shoot yourself in the foot, but can you imagine how many ways there are to screw up a Slack bot that issues temporary database credentials? Or how easy it is to forget to put MFA around an admin God-mode dashboard? Twitter hack, anyone?

Sensitive access workflows are the perfect example of a control that should be implemented once, and safely customized many times. This is where Sym is starting today.

Everyone is building the same damn things

We’ve talked about this one extensively already. How many of us have to fight with the same obscure Okta setting before we say enough is enough! As an engineer, I find it incredibly frustrating that everyone is doing the same work. Don’t you?

Think about the last time your company went through an audit or security review. I bet it was a mad-dash, all-hands-on-deck month filled with anxiety, slapdash SQL queries, and hacky regular expressions. Everyone’s sprinting to compile evidence and showcase compliance. But the report that comes out of that sprint? It’s more or less the same as the company down the street.

It’s time to standardize the tools we use for all parts of the security equation, demonstrating compliance included. Sym bakes best-practice evidence collection and reporting into our templates, and understands how the customizations product teams make should change the reports.

Compliance is just a checkbox to engineers

This one makes sense. There’s been an age-old tension between GRC teams and engineers. I mean, who wants to be the one putting annoying roadblocks in place for their coworkers trying to do their jobs? But the world is changing. Security and privacy are top-of-mind for customers. Deals are won and lost on the basis of trust and genuine security posture. Irreparable damage is caused on a daily basis from breaches, hacks, and leaks. Security is exciting now! What a time to be alive!

As engineers, it’s time to embrace security as something we own, and are excited about. It’s time to bring security back into the fold, the same way we did infrastructure, and quality assurance. At Sym, we’re building the platform to help every team, small or large, push this frontier forward.

Our village

2020 has been an insane year for a lot of us. At Sym, we started the year with nothing but an idea, some demo-ware, and a bunch of bills to pay 🥺. However, we were lucky enough to have some incredible industry leaders take a risk on us and our crazy vision.

In April of this year, we raised a $3M Seed round, co-led by Andy McLoughlin at Uncork Capital and Robin Vasan at Mango Capital. Together, Andy and Robin bring decades of investing and company-building experience, having partnered early with companies like Coder and HashiCorp, respectively. The two of them have been crucial to Sym’s progress to date, and I couldn’t be more grateful for the flier they took on us. Alongside them, we brought on a set of early angels who have been instrumental to our evolution, including Gerhard Eschelbeck (former CISO @ Google), Sri Viswanath (CTO @ Atlassian), James Smith (CEO @ Bugsnag), Ben Porterfield (Founder @ Looker), John Kodumal (CTO @ LaunchDarkly), and Jamie Barnett (former CMO @ Netskope).

Six short months later, we have the pleasure of adding Sunil Dhaliwal from Amplify Partners to our board as Amplify leads our $9M Series A. Amplify’s focus is on “radically technical founders”, and Sunil’s background as an early partner to Fastly and Datadog, among others, will be invaluable as we continue building. A host of fresh angels are teaming up with Sunil: Jason Warner (CTO @ GitHub), Adam Gross (former CEO @ Heroku), Calvin French-Owen (CTO @ Segment), Amit Agarwal (CPO @ Datadog), and Spencer Kimball (CEO @ Cockroach Labs).

We’ve also built a team of incredibly passionate engineers to help us bring Sym to the world. I couldn’t be more proud to be working alongside alums from Facebook, Square, Microsoft, Amazon, Google, Hubspot, Palantir, and Accenture. We’re hiring for a variety of roles, and would love for you to come join us!

What’s next

Our journey is just starting. We’re imagining a world where engineering and security teams work in tandem to define and easily roll out constantly-evolving controls, and won’t rest until we’ve delivered the tools to make this world a reality. Over the next few months, we’ll be rapidly iterating on the Sym platform, rolling out more workflows and integrations, and working closely with our design partners to shape the best possible developer experience. Check out symops.com to follow our journey and learn more!

Yasyf Mohamedali, CEO

Adam Buggia, CPO

Jon Bass, CTO