Security Profile: Mark Kadrich, The Security Consortium

Mark Kadrich. CEO of The Security Consortium. Author of End Point Security. His resume includes Symantec, Sygate and brands like AltView and Conxion. You may read more about Mark.


Mark is a person who cares for security. Not the pushing of boxes, but for the process that security is. He is also a very fun guy, and extremely knowledgeable.

Please tell us about TSC, Mark.

“TSC provides companies with testing, research, counsel and leadership services where we provide a means to balance security against business objectives. Our Pre-assessment service for PCI-DSS is a great example. It is a tool-box to identify issues early on.

We have seen in the past several cases where a company was certified as PCI-DSS compliant, and after a breach, Visa simply said ‘sorry guys, you were no longer compliant at the time of the breach.’”

Mark gets animated. His voice carries the warmth of a father who cares very much for his kids. As he goes on, paying attention is very easy.

“The challenge with all standards is the fact that you get certified at a point in time. You take a shot, a benchmark of the reality, and that is what gets certified. But in business, things move quickly, and very quickly, that benchmark is left behind. Still your certification is attached to that very benchmark.

Just consider patches and updates. Imagine your certification, your PCI-DSS compliance, is stamped January 10th. Three days later, you have to update the firmware on your firewall. Or you update your servers because Microsoft has provided new updates. What happens?”

Mark takes a deep breath.

“I’ll tell you what happens. You are no longer compliant! Your certification was for the snapshot, the benchmark you made January 10th. But once you’ve updated your firmware or servers, that snapshot is no longer accurate; as a result, your systems are no longer compliant to that benchmark.”

He is silent. For a fraction of a second.

“As long as you stay under the radar, you are fine. As long as you get no breaches, no one really cares. But the moment you get a breach, the very moment you need to show off to the world that you did everything you could do to prevent the breach, that is when the truth dawns upon you. You realize that you are no longer compliant. And Visa blames you, your customers blame you, and you get fined. Just imagine the costs!”

Huge numbers fly by my eyes. The unfairness of standing alone when you need the support the most weighs on me. And Mark is not done yet:

“Imagine if you spend a small percentage of what you originally spent to get compliant for a pre-assessment test. You would be able to align your security to your business objectives. You would be able to identify the technology to support you and your mission. You could step up the ladder, and use the technology as a tool, an enabler, not as a slave master dictating how you should run your business.

I am a process control geek. And process is our focus at TSC. We believe that implementing the right security process is the way to achieve the best security. Technology is used to support the process, not the other way around.

Aligning the process with the business objectives is the core.”

As Mark takes a short break, I imagine the challenges this approach would meet at some of the companies I visit. They truly believe that technology alone is the security saviour. And most of the time, they discover too late that technology is merely a tool to enhance their internal works.

“Yes, it is a challenge. Change is always a challenge, as resistance to change exists in any organization. And often you can see that organizations put all their beliefs in the technology alone, for example by using end-to-end encryption between two locations. It makes it harder to eavesdrop, but it also enables a hacker to hide in the encrypted tunnel.”

Mark is very focused on the fact that you cannot rely on a standard alone. It must be adopted and implemented into the organization by focusing on the business objectives of that very organization. The whole purpose of the standard is to provide a framework to build processes with.

After an hour discussion, laughing and learning, I have to end the call. I get a distinct feeling that I will continue to talk and learn from Mark Kadrich. And I expect to see a lot more from him in the future. 

Security Profile: Andy "ITGuy" Willingham

One of the first times I came about Andy was when I made a mistake. A huge one. And although the mistake was not about Andy, he reacted like a mad dog and told me exactly what he thought of me. In his own words:

You are one cold hearted fellow.

He got my attention right away! Then, only a short time after that, he told me:

Kai, I think you are confused.

And these two episodes show very well who Andy is: straight to the point; fearless if he thinks you are wrong, dishonest or evil; stands up for his friends and the weak. Andy speaks his mind, and I just love that!

In our later discussions and comments, it is pretty clear that Andy and I are much closer in our view of the world than at first glance. And the very fact that Andy accepted this Profiling of him tells a bit of him (no, not only that he is attracted to attention!).

He is able to walk the talk.

Andy’s blog was also noted as one of the most influential security blogs of 2007 by IT-security. And true to himself, Andy is incredibly humble about it all (I know I would kick and scream and yell high and long if I was on such a list). But, equally true to him – he was the first commenter on the post – so I am not the only one running a searchbot for my name!

Unlike some of the previous Security Profiles, Andy is not able to identify the time he opened his eyes to security:

“I'm not sure I can pinpoint any one event. It just happened over time. As I learned more about computers and networks I saw things that people did that put the company at risk. It was also a time when the big name viruses were running rampant.

It amazed me how they worked and why they were successful on some systems and networks and why others kept them at bay. I started reading more about security and it really grabbed my interest. So I started focusing my career in that direction.”

Andy has a technological background like many security people I know. And he is focused on user awareness and training:

“Information Security is about much more than just technology and even about more than protecting your data and network. It is about changing the way people think. A program that focuses on technology will fail, just as one that focuses solely on people will fail. It takes a well balanced combination of focus on both.”

And have you found that balance yet?

“We know that technology will work to a certain level and then we can either ignore people and throw more technology at the problem; or we can strive to teach people how to be safe. When we are successful at training our employees then everybody wins. They work safer and smarter and when they go home they also live safer and smarter.”

Do you have any examples of how to approach this?

“We have to get across to them that security is about more than surfing the web and checking email in a safe manner. It's about who they interact with online, on the phone and in person. It's about learning when and where to talk about business related matters. On the phone while riding on a crowded bus isn't the time to do so.”

Business and management focus

On his LinkedIn profile, you can read that Andy is a CISSP. He is pursuing a CISM, and would like a PMP. It is safe to assume that Andy is not only the IT-security geek, but also a managerial guy. His interest in project management gives that away pretty fast.

Andy, what is the impact security has on business?

“Security touches EVERY part of a business. If done properly it can really be an enabler but if done improperly it can cause major problems.

Since it does affect everything it's hard to narrow down the key impacts. They vary from business to business and industry to industry. What is key is finding out what is needed and what works for your particular situation.”

It is time to kick in the challenges! So let us hear what Andy considers challenges in the security sector!

  • The first challenge is knowing what to do with security.
    Too many companies look at security as being the "necessary evil". They have security staff because it is required but they don't know how to really use them. They lack a plan for how to integrate security into the overall business plan. So therefore they throw technology at a problem without really considering the impact. Will it work as planned? Will it cause more problems than it solves? Will it be something that we have the time and expertise to maintain? What else do we currently have in use that may serve the same purpose? All of these need to be answered when looking at a security problem.
  • The second challenge is developing a good User Awareness Program.
    Most of the ones out there are dull and boring. They also are "cookie cutter" one size fits all solutions. They don't take into account different learning styles and they don't give you good relevant information in a format that you can use throughout the year. Getting something every quarter isn't enough. It needs to come out at least monthly and it needs to be able to be delivered in a variety of formats. PDF, MP3, Video, email, etc...
  • The third problem is qualified security staff.
    There are too many people who really don't know what they are doing. They look for "best practices" and then that is what they do. Another of my pet peeves is the whole concept of best practices. Again, what works for you may not work for me. Companies need to hire and/or train their staff so that they understand security and how to make security work in their environment. You may be a great Cisco firewall engineer but if you don't know how to think outside of the sample configs that Cisco provides then you aren't the one I want managing my firewall.

Andy started blogging because he wanted to have a place to express his thoughts and opinions on security.

“Hopefully someone else will gain something from what I have to say.”

Andy, there is a whole bunch of people out there – including myself – who gain quite a lot from what you are saying!

Thank you for the profile!

Andy’s blog

The story of his life: Rob Newby

Rob Newby is in a therapeutic mood, and is writing a 7-part story of how he came to IS. The first part is ready.

Read all about the juicy details you did not get in Rob Newby's Security Profile