Google Espionage: Same Egg’s in a New Basket

The recent incident at Google shook the entire world, but was it merely a one-off incident or a wake-up call? Did the event gain importance just because Google threatened to pull out of China or to stop the so-called censorship, or was there something more sinister? I tried to explore a little.

Mark Kadrich

Security Profile: Mark Kadrich, The Security Consortium

Mark Kadrich is CEO of The Security Consortium and author of Endpoint Security. His resume includes Symantec, Sygate and brands like AltView and Conxion.

Mark is a person who cares about security: not the pushing of boxes, but the process that security is. He is also a very fun guy, and extremely knowledgeable.

Please tell us about TSC, Mark.

“TSC provides companies with testing, research, counsel and leadership services where we provide a means to balance security against business objectives. Our Pre-assessment service for PCI-DSS is a great example. It is a tool-box to identify issues early on.

We have seen in the past several cases where a company was certified as PCI-DSS compliant, and after a breach, Visa simply said ‘sorry guys, you were no longer compliant at the time of the breach.’”

Mark gets animated. His voice carries the warmth of a father who cares very much for his kids. As he goes on, paying attention is very easy.

“The challenge with all standards is the fact that you get certified at a point in time. You take a shot, a benchmark of the reality, and that is what gets certified. But in business, things move quickly, and very quickly, that benchmark is left behind. Still your certification is attached to that very benchmark.

Just consider patches and updates. Imagine your certification, your PCI-DSS compliance, is stamped January 10th. Three days later, you have to update the firmware on your firewall. Or you update your servers because Microsoft has provided new updates. What happens?”

Mark takes a deep breath.

“I’ll tell you what happens. You are no longer compliant! Your certification was for the snapshot, the benchmark you made January 10th. But once you’ve updated your firmware or servers, that snapshot is no longer accurate; as a result, your systems are no longer compliant to that benchmark.”

He is silent. For a fraction of a second.

“As long as you stay under the radar, you are fine. As long as you get no breaches, no one really cares. But the moment you get a breach, the very moment you need to show off to the world that you did everything you could do to prevent the breach, that is when the truth dawns upon you. You realize that you are no longer compliant. And Visa blames you, your customers blame you, and you get fined. Just imagine the costs!”
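The point-in-time problem Mark describes can be made concrete as a baseline drift check: the certified snapshot is compared with what is running today, and anything changed since the certification date is flagged. The following Python is an added example written for this page, not TSC's tooling; the component names, versions and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Drift:
    component: str
    certified: Optional[str]   # version in the certified snapshot (None = not in snapshot)
    current: Optional[str]     # version running now (None = component has disappeared)
    changed_on: Optional[date]


# Constructed sample data: the snapshot stamped January 10th, and the estate as it
# looks a few days later after a firewall firmware update and an OS patch cycle.
CERTIFIED_ON = date(2010, 1, 10)
BASELINE: Dict[str, str] = {
    "edge-fw01 firmware": "8.0.4",
    "web01 os-patch-level": "KB-2009-12",
    "db01 os-patch-level": "KB-2009-12",
}
CURRENT: Dict[str, Tuple[str, date]] = {
    "edge-fw01 firmware": ("8.0.5", date(2010, 1, 13)),       # updated three days later
    "web01 os-patch-level": ("KB-2010-01", date(2010, 1, 14)),  # vendor patches applied
    "db01 os-patch-level": ("KB-2009-12", date(2009, 12, 20)),  # unchanged since before audit
    "vpn01 firmware": ("3.2.1", date(2010, 1, 15)),           # new device, never assessed
}


def find_drift(baseline: Dict[str, str], current: Dict[str, Tuple[str, date]],
               certified_on: date) -> List[Drift]:
    """Return every component whose state no longer matches the certified snapshot:
    a version that differs from the baseline, a component that vanished, or a
    component that appeared after the certification date."""
    drift: List[Drift] = []
    for name, certified_version in baseline.items():
        if name not in current:
            drift.append(Drift(name, certified_version, None, None))
            continue
        version, changed_on = current[name]
        if version != certified_version:
            drift.append(Drift(name, certified_version, version, changed_on))
    for name, (version, changed_on) in current.items():
        if name not in baseline and changed_on > certified_on:
            drift.append(Drift(name, None, version, changed_on))
    return drift


def still_compliant(baseline, current, certified_on: date) -> bool:
    """True only if nothing has moved since the snapshot was certified."""
    return not find_drift(baseline, current, certified_on)
```

Run against the sample estate, the firewall, the web server and the new VPN device are reported as drift, so the January 10th certificate no longer describes the environment.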

Huge numbers fly past my eyes. The unfairness of standing alone when you need support the most weighs on me. And Mark is not done yet:

“Imagine if you spend a small percentage of what you originally spent to get compliant for a pre-assessment test. You would be able to align your security to your business objectives. You would be able to identify the technology to support you and your mission. You could step up the ladder, and use the technology as a tool, an enabler, not as a slave master dictating how you should run your business.

I am a process control geek. And process is our focus at TSC. We believe that implementing the right security process is the way to achieve the best security. Technology is used to support the process, not the other way around.

Aligning the process with the business objectives is the core.”

As Mark takes a short break, I imagine the challenges this approach would meet at some of the companies I visit. They truly believe that technology alone is the security saviour, and most of the time they discover too late that technologies are merely tools to support their internal workings.

“Yes, it is a challenge. Change is always a challenge, as resistance to change exists in any organization. And often you can see that organizations put all their beliefs in the technology alone, for example by using end-to-end encryption between two locations. It makes it harder to eavesdrop, but it also enables a hacker to hide in the encrypted tunnel.”

Mark stresses that you cannot rely on a standard alone. It must be adopted and implemented in the organization by focusing on the business objectives of that very organization. The whole purpose of the standard is to provide a framework to build processes with.

After an hour's discussion, laughing and learning, I have to end the call. I get a distinct feeling that I will continue to talk with and learn from Mark Kadrich, and I expect to see a lot more from him in the future.

Interview with Mark Kadrich, TSC

I had a very nice chat with Mark Kadrich last week. Mark is the CEO of The Security Consortium, a company that focuses on reducing its clients' costs through pre-assessment services.

Any project manager you meet – be it in security, ICT, civil engineering or any other form of project management – will tell you that the more you have prepared in advance, the lower the risk and costs of the project.

As an example, let us look at building a road. The pre-assessment is the initial phase, where you look at alternative routes and calculate the costs, the excavation necessary, and so forth. In our example, the cost is $10M.

Later, when building the road, unstable masses are discovered, adding a cost of $100M to the already constrained budget. By spending 100% more money and time in the pre-assessment phase – thus increasing the $10M to $20M – the unstable masses would have been discovered earlier. And discovering the unstable masses early on would open up a whole array of choices: moving the road, using different techniques, building a bridge, or perhaps even cancelling the project.

The same applies to security. Often, you find yourself running around, putting out fires, instead of focusing on preventive measures.

Mark Kadrich and The Security Consortium to the rescue! The interview will be posted Friday 22nd May – please come back then!
