Nick Ellsmore and Rob McAdam are guys you would term as competitors (to Securus Global), and also just competitors in all they do. As CEOs of SIFT and Pure Hacking respectively, they have a good insight into the IT Security industry in Australia. I thought it would be good to get Nick and Rob onto Beast or Buddha for a chat. (You can’t accuse me of using BorB as purely a marketing tool for SG).

DD: We’re over the Christmas period now, how’s business?

NE: Busier than it has ever been. Driven by a banking & finance industry rolling out some very large scale projects, a broad set of organisations requiring assistance with PCI-DSS, and a number of organisations going through a periodic refresh of security policies and strategies, there is a lot on.

RM: Each year, Pure Hacking grows in all forms of business and we seriously love it. Every year, new opportunities arise and we can’t imagine doing anything else.

DD: The last couple of years have seen a bit of a shift in terms of growth in awareness of IT security. What’s been your take on this?

NE: Certainly we are seeing that awareness of IT security is on an increasing trend, and the significantly increased media coverage is evidence of that. However, one of the most enlightening discussions I had last year was around this issue, and the fact that we really should be beyond “awareness” by now, and getting closer to “understanding”. Unfortunately I think achieving a broad understanding of IT security in the context of an individual’s role in an organisation is a bridge that will take a lot longer to cross.

RM: Six years ago when Pure Hacking started, its main client base was finance. I believe finance used and continues to use the service because it had a legislative reason. Now, the service is used by all forms of business and at all levels of government, which is directly related to the awareness of IT Security. Big business rather than small to medium enterprises use Pure Hacking’s services. The adoption of disclosure laws for electronic breaches will certainly raise awareness.

DD: Proactive security or Reactive security – is the latter still dominating in terms of businesses’ strategies in your opinion?

NE: The underlying assumption of this question is that businesses have a strategy in this area, and this isn’t always the case. The dominating strategy continues to be one of addressing security on the basis of necessity – whether driven by regulatory compliance, internal policy compliance, or in response to a security incident. Organisations who have a genuine IT security strategy and are taking a proactive approach – and they do exist – are achieving significantly better returns on their investment.

RM: Four years ago, Pure Hacking commenced a proactive penetration testing service and the growth in that service demonstrates that the proactive market is growing. The proactive service operates daily. The core of the work performed deals with clients testing their systems before they go live, or as part of an annual assessment, so I would say that proactive is becoming the order of the day. Reactive clients are ones I’d class as having just been attacked, where incident response is the appropriate service. In the first quarter of 2008, we have performed 6 years’ worth of incident response engagements. The level of successful attacks is like none we have seen before.

DD: What areas of IT security in particular are hot at the moment in your opinion and are there important areas that are still being neglected by business?

NE: Hottest are application security, PCI-DSS and security ‘roadmap’ development. Being neglected are application security, PCI-DSS and security ‘roadmap’ development. It largely depends on the organisation.

RM: Incident response, Application Security & training.

DD: With crystal ball in hand, what areas do you think will be hot in 2008 for our organisations?

NE: Application security testing will continue to be at the top of the charts. Security strategy implementation support is also moving up the list, as organisations look to determine how they can effectively and efficiently allocate resources to achieve the greatest security benefit.

RM: Application security and the proactive protection of those systems. I’d like to say internal security, but internal security is seen as ‘well there’s nothing we can do about it’. Education and time will fix this though.

DD: One of my big frustrations is this tender (RFP) and/or 3 quote requirement (as you’ve probably seen in some recent posts and something I replied to in MIS Magazine online). Some decision makers just don’t have the expertise to compare different offerings. What are your thoughts on this?

NE: This really seems to depend on the process maturity of the organisation. For organisations who have the expertise to compare, getting multiple RFP responses or quotes can be a very effective way to confirm scope and costs. However, there are certainly also organisations who are pursuing the process just for the process’ sake.

RM: When assessing a service, the expertise is often not there, hence the reason why we’re brought in. I see the RFP process as a necessary part of a client’s business – expensive in everyone’s time, but it is what it is. I sympathise with the folks assessing the RFP responses, especially when they already know who’s getting the job and they need three quotes. In effect, they have to deal with two other businesses and imply that potential work is there, when in reality – it’s not. It may hurt some people’s values, hence my sympathy.

DD: I’d put SIFT, Pure Hacking and Securus Global up against anyone out there in our market. Does it frustrate you at times that some organisations still have the bigger [company] is better mentality when choosing a services provider?

NE: I think that the key in vendor selection always has to be ‘fit for purpose’. Ultimately, if a client is selecting a larger firm because their professional opinion is that it will get more traction for them internally, then I can entirely understand that. The frustration arises when the larger firm is chosen effectively by default for a specialist area of work where they don’t have the depth or focus of skills that a specialist firm, such as all of ours, can provide.

RM: It’s quite rare because for Pure Hacking it happens in reverse (i.e. the client’s moved on from a bigger company because of some unfulfilled need).

DD: A couple of years ago, I was talking to the CEO of a small Australian business that was making major inroads into global markets. Their product was hot and the world was starting to know about it, yet the local press couldn’t care less. Do you think the local guys get the attention and accolades they deserve?

NE: In the same way that many of our clients engage us because they need an external opinion to get greater attention internally, I think Australia often has the tendency to look towards international firms on the assumption that they are somehow more ‘expert’ than locally grown talent, which I believe is not the case. That said, there are specific journalists and specific productions (e.g. the Online Banking Review) that do very well in engaging with specialists from the local industry.

RM: I’ve not experienced the local guys failing to get the media’s attention. I’ve been told that in Australia we are more risk averse to investing in new products compared to other countries.

DD: How do you keep abreast of the latest in IT security news and research? What sites and blogs are on your reading list?

NE: Internally, we have a ‘media watch’ that is produced by one of our analysts every morning and distributed to the team, to provide an indication of what is happening in the market locally and internationally. In addition to that, most of the information I get now is through informal channels – engaging within Australia and internationally with our clients, with government and non-government IT security stakeholders, and others who are working in this space. There is an amazing community out there of passionate people who are working hard to solve some of the key IT security challenges.

RM: We have worked heavily with the open source community, and specifically ISECOM, for years. The network established from that does tend to fill up the email inbox though. Every Pure Hacking tester has their own area of speciality and those interest groups have their own networks. I’ve never counted it but there would be a network of at least 4000-5000 people that we’d keep in contact with. Out of those, you have your main contacts or favourites, and that would be about 300 people we deal with regularly.

DD: AusCert or Ruxcon/Kiwicon type of conference – where should CIOs and CSOs be heading to?

NE: Realistically, from my experience there are reasonably few CIOs or CSOs at either. Certainly more CSOs, but CIOs are quite thin on the ground. The more important question is what is feeding back to the CIOs or CSOs of the companies who are sending people to the events. This ties back to the awareness vs understanding discussion above – are people attending the conferences really taking ownership and driving change in the way they approach security, or are they just interested observers? Particularly in the ‘business stream’ of IT/information security conferences, the same topics seem to have been delivered for about four or five years now which suggests that we’re not making a huge degree of progress; or fresh thought on the topic is required.

RM: At these events, I saw many peer organisations, and the occasional CSO. To be perfectly frank, I don’t think that many CIOs would dedicate a week out for a security conference because time has become the most precious issue. I find many technicians at these events, and they directly represent their employers. Where should the CIOs head to? –

DD: Thanks guys!