In simple terms, Thinkst, which was started by Haroon Meer and his team in 2010, is a software security company that builds software and sells hardware products that are deployed all over the world. But to truly understand what the team at Thinkst does, it may help to picture a world you would likely find in a high-tech spy thriller: hacking into company networks, developing high-tech devices and training “department of defence type-organisations”.
Today, Thinkst’s business operates all over the US and Europe. Says Meer: “If you are using the internet today, you are using a company that uses our software, including lots of the big guys in Silicon Valley […] We are pretty lucky to have a great bunch of customers.”
The start of Meer’s career in cyber security basically coincided with the arrival of the internet in South Africa, at a time when cyber security started showing its teeth as a field.
Meer completed his BCom degree at the University of Natal, and his Computer Science degree through Unisa, before becoming technical director at SensePost, a company he ran with friends since 2001. After selling SensePost in 2007, Meer and some of his team members started Thinkst.
“With SensePost we were breaking into networks, and we spent a lot of time trying to creatively come up with a way to defeat things. What I wanted to do with the new company was see if we could spend that much effort and creativity coming up with ways to actually protect networks. And that is kind of what we do now – we build software to help defend networks,” says Meer about Thinkst.
Despite their consultancy and advisory services being in high demand, Thinkst is tightly focused on selling two products. The one product (which was niche when they first built it, notes Meer) provides companies with the ability to test their phishing defences and to build phishing antibodies into their organisation. The other product, The Canary (which is what Thinkst mostly makes its money from), is an intrusion detection system that lets organisations know as soon as their systems have been breached. One of the biggest problems organisations face when they are hacked is the lag time to actual detection of the hack – giving the intruders plenty of time to make the most of the attack. “We hope to solve this problem with Canary,” says Meer.
Meer believes that much of the success he and the SensePost team initially enjoyed came down to timing.
“None of this was planned. If you started doing internet stuff in 1994 – which was literally just when I got to university – there weren’t many people who could say they had been doing it for longer (than us). So I just about started working when the industry kind of started. Even though we looked like we were 16 and nobody should have actually trusted us, there was nobody who could say they had 20 years more experience than us in the field. If you put in the hours, you were the expert at it, which ended up working out very well for us,” explains Meer.
Of course, it helped that they were good at what they did, and as the business grew, so did the recognition as Meer and the work of SensePost became quite widely published. Meer has contributed to about six books on the subject of cyber security, has spoken at the industry’s biggest international conferences – Black Hat and Def Con – dozens of times, and was invited to deliver the keynote address at Black Hat in 2015.
Is SA cyber savvy?
Given that a South African company is doing so well in the field, and is internationally renowned, how does the country measure up? Is SA business, for example, geared for cybercrime?
“Good questions, without great answers,” says Meer. And this comes down to the fact that South African business is very split when it comes to being up-to-date with security technology.
“Our banks, for example, have always done surprisingly well. Most of the big banks can hold their heads up with just about any organisation in the world, which doesn’t mean they are not going to get attacked or breached, it just means they are reasonably competent and are making good investments in cyber security,” says Meer.
When it comes to other big business – like Eskom and Armscor – one will find that they do worse, and when it comes to government, cyber security competence dips sharply, according to Meer. He also points out that small- to medium-sized enterprises are pretty poor, but they are pretty poor all over the world.
“So, essentially [our overall competence is] kind of all over the place.”
But before this can be addressed, South Africa will need to address the lack of cyber experts and software engineers in the country to begin with – something Meer feels very strongly about.
“If I cast aside any humility, as SensePost or as Thinkst we achieved really good reputations internationally. People hear about us and know about our research. But at the same time, SA is certainly not creating enough of these sorts of skills,” believes Meer.
Using his own career as illustration, he explains that although his background is cyber security, and is certainly Thinkst’s area of expertise, a lot of what the company actually does is software development.
“I think it’s there where SA is doing much worse than we should be, and it’s sad because I think we have a lot of potential. And there are a lot of people that I would like to blame for it, but in particular I unapologetically blame our universities. I think our universities are doing particularly poorly at churning out guys who should be building the future, software wise,” says Meer.
“In computer science in particular – and I will probably receive a fair amount of hate for saying this – we are dealing with a lot of really old professors whose teaching material was barely relevant 15 years ago.” And he firmly believes there are increasingly fewer excuses for this to still be the case.
“Our universities are still teaching computer science almost as a purely academic pursuit. Nobody should leave university with a computer science degree not having built something for real.”
For Meer this is particularly troubling, as he feels it robs the country of a rich possible source of income going forward.
“We should be coming out of university building stuff. We are becoming users of things that the rest of the world builds instead of becoming builders of things that the rest of the world uses.”
SA’s lag could become permanent
To be fair, Meer believes that although our universities are in large part to blame for the current deficit, “we also have a cultural mindset that is putting us in huge danger right now”.
And yes, things such as the high cost of data certainly plays a part, and speaks to SA’s infrastructure limitation for innovation, but at the same time South Africans have access to the infrastructure that saw the likes of Snapchat and Netflix come into existence.
Says Meer: “If you look at a lot of [those] Silicon Valley mega companies, many of them started up and built completely on Amazon’s or other infrastructure. This means they didn’t have to start up by building data centres; they used a credit card and built this amazing platform.”
South Africans can also access this infrastructure and Meer doesn’t deem it prohibitively expensive, but this is something that doesn’t form part of the way we think about developing tech, due to our historically poor infrastructure in this sector.
“If you look at how Google started, it was literally two guys that sat together and said: ‘Let’s download the internet.’ And they literally downloaded the internet to their university computers and then played around with indexing stuff,” enthuses Meer.
This isn’t something someone in SA could have done at the time, even if they wanted to. At the time, it was a struggle to just download images from the internet. So building Google or starting an on-demand video service like YouTube was simply not conceptually possible.
And if SA’s infrastructure in this regard continues to lag behind the rest of the world, “we are going to miss opportunities that we should be thinking of, and it will become increasingly likely that we hit a position where we will never catch up”, laments Meer.
This is a shortened version of an article that originally appeared in the 20 April edition of finweek. Buy and download the magazine here.