Dan Draper, CEO at CipherStash: “If it’s not a hell yes, it’s probably a no!”

If your email isn’t already on haveIbeenpwned then please share your lottery picks as you’re one of the lucky few. But these breaches aren’t due to genius hackers: “over 90% of breaches occur because an employee has been scammed or their password was compromised,” explains Dan Draper, founder and CEO at CipherStash.

Dan isn’t trying to stop data breaches. Instead, he has developed an encryption platform that will protect companies’ data if and when their defences are breached. In this interview, part of our TakeOff series with startup founders, he explains how he came to create the company.

As with so many of our interviews, there are valuable lessons to learn for any would-be entrepreneurs. For instance, some people would stay away from startups after previous failures; for Dan, they “gave him the bug”. And if you read to the very end, you’ll discover a way to avoid such failures yourself.

What’s your elevator pitch?

CipherStash stops the leading cause of data breaches: compromised employee accounts with excessive data access permissions.

Our unique encryption-in-use technology protects data across the entire lifecycle — not just at rest — and limits data access only to what’s actually needed to provide great experiences and get things done.

Combining sophisticated logging and authentication checks, CipherStash gives businesses the capability to detect suspicious data access and rapidly lock down attempted breaches at unprecedented speed.

What made you launch a startup?

I had two failed startups in my early 20s. It gave me the bug but I knew I needed to gain more experience before trying again. I ended up spending over a decade working in technical leadership roles for a variety of companies, including for other founders. I learned a lot and felt ready to go out on my own again. What I needed was an idea that I could stay passionate about for many years.

In 2018, data security wasn’t something many people were thinking about but I’d already started to see the problems in my role as CTO at a high-growth startup that was providing solutions to big corporations. In Australia, we had more data breaches per capita than any other country on earth in 2022. It is now a problem everyone is acutely aware of so it turns out I was ahead of the curve.

Central to my interest in 2018 was the emerging field of searchable encryption, which was attracting attention in academia for its enormous potential in protecting data. While encryption is a powerful way to control access to sensitive data, standard encryption isn’t used very often in databases. That’s because traditionally encrypted data isn’t searchable and so queries (say using SQL) no longer work properly.

I was so intrigued by this technology that I undertook some extra study in the form of Stanford’s graduate course in cryptography. I felt I’d found a topic I could become obsessed with.

However, as it turns out, getting searchable encryption to work with existing database technology is very challenging. It took me over two years to develop a prototype but when I showed it to some investors and tech friends of mine, there was a lot of excitement. I started receiving investment offers so I decided to quit my job and go full-time on the business!

What problem are you trying to solve?

People often think of data breaches as being because a hacker has broken into a network or system. The reality is that over 90% of breaches occur because an employee has been scammed or their password was compromised. Because over 70% of employees have access to data they should not see, it’s very easy for attackers to get access to it. Not only does data access need to be locked down more effectively, but security teams need ways to identify when seemingly legitimate activity is actually happening via a compromised account.

Can you talk us through your journey so far? What’s a major milestone you’ve reached?

We’re solving some challenging technical problems at CipherStash and so I knew from the start we’d need to raise capital. After a couple of small “friends-and-family” rounds, I was able to hire two experienced technology leaders, James Sadler and Lindsay Holmwood, to help me flesh out the prototype. Together we raised a USD $2.5m round of investment in 2021, which allowed us to expand the team and go from a prototype to a production-ready product.

We launched officially earlier this year, landing our first four customers. Since then we’ve raised a total of over USD $6m and have just hired our first few sales and marketing people. I’m excited to see the years of hard work starting to pay off!

Who are your main competitors and what distinguishes your startup from them?

Data protection solutions have come in many different forms over the years. There are several incumbent providers but these don’t provide the levels of protection required to meet modern threats. One of the biggest issues is that traditional data protection products can only lock things down at a system or application level. When data is available everywhere, protecting it with that approach is like herding cats.

CipherStash protects the data itself instead of just the application or system it’s stored in. That means that if someone exports data to a spreadsheet on their laptop, it’s still protected. It’s a whole new way of thinking about data protection.

A few startups are working on other forms of encryption. One interesting example is a technology called homomorphic encryption. Instead of focusing on search, homomorphic encryption allows any arbitrary computation to be performed on encrypted data — it’s wild! The problem is that the technology is still many thousands of times slower than traditional encryption, making it unusable for most applications. By contrast, our technology just focuses on search but it is extremely fast and can scale to petabytes of data.

How has the startup scene in Sydney helped or challenged your own startup’s development?

The tech startup scene in Australia has blossomed over the past decade. We’ve had multiple unicorns like Atlassian, Canva, Safety Culture and Go1. I think the global investor community sees big opportunities here now and raising capital is nothing like what it was when I started.

I think the remote working trends of Covid-19 have helped us enormously as well. Apart from having to do some late-night or early-morning calls, it has been quite easy to have conversations with investors and customers all over the world.

What’s the biggest mistake you’ve made and how did you overcome it?

It’s a bit of a cliché but not going with my gut. I’ve ignored it a couple of times over the past two years and it has come back to bite me. I’ve adopted the mantra of, “If it’s not a hell yes, it’s probably a no!”

Where do you hope your startup will be in ten years?

I really do believe that CipherStash can be a transformative company and in ten years I think we’ll be a fundamental component in the data stacks of companies around the world. My ambition is for CipherStash to be listed on the NASDAQ.

What advice would you give yourself if you could go back in time?

Looking back at my failed startups I now know that it wasn’t just my lack of experience that led to their demise. It was also because I wasn’t passionate about the problems we were solving! Working on a problem that you are literally obsessed with is critical in giving you enough momentum to go the distance. I really feel this with CipherStash.

More interviews with tech startups

We thank Dan for joining us in our TakeOff series. Here are some other interviews we’ve published so far:

• Katherine Wells, CEO of Serenity: “We need to follow our passions wherever they pull us”
• Taha Zemmouri, Eden AI: “It’s very difficult to project that far ahead in an AI world where developments occur in weeks, not years.”
• Ron Gidron, CEO of xtype: “The cliché’s true. Get ready to be met with scepticism, disbelief, and disappointment”