After years working at the then Defence Signals Directorate (DSD), Datacom TSS founder and managing director, Richard Byfield had concerns that the Australian business community was not getting the right advice from the IT security community.
He began looking at ways to fill what he saw as a gap in the market that the defence community could address, corporate security.
“This all came about as a result of the attacks against the mining sector back in 2008, that is when our views were starting to form that the corporate sector could benefit from some of this sensitive but unclassified intel,” he explained.
In 2011, Byfield approached the board of Datacom with a proposition, to establish an outcomes-based security practice which would leverage the skills of individuals from the DSD and private sector to provide services to the Australian business community.
“We thought we could make more of a difference outside of DSD to the security of this country than we could inside at the time because there was plenty of good people in there,” Byfield said.
“In the first year the team had all these ideas about how we could offer these services at a good price point. We wanted it to be affordable, practical and implementable because we didn’t think security had to be expensive, as it typically is."
Byfield said at that time, visibility, understanding and appreciation of the threat posed by cyber-criminals and other threat actors was considerably less than it is today.
The challenge for TSS in the early days was getting decision makers to recognise the potential harm these threats might cause.
“The privilege we had working within government was being exposed to the sort of risks you do not usually see in the private sector," he said.
"That is one of the biggest pain point for business, they have difficulty quantifying and prioritising business risk that needs to be managed.
"I was fortunate, we won a couple of large clients early on based on our pedigree. Once we had delivered on a few engagements, they referred us to other businesses."
Byfield further explained that, while TSS were not talking to board members directly in the early stages of the business, the organisation was talking to individuals within the organisation that ‘had the ear’ of these decision makers.
An on-going concern
Byfield said that the problem of recognition of risk persists to this day, though not to the same extent, and is due to the way organisations manage their risk through compliance and audits.
“Compliance and audit is of a limited value from a security perspective. If you take away 50 per cent of your budget on anti-virus, which is of limited value, you are going to deprive that organisation of a better outcome.
“Investing equally in people, process and a technology focussed solutions will achieve return on investment and improve security posture five to ten fold," he stated.
"Some of the more savvy organisations out there are looking for outcome-based security providers such as TSS because we have that insight to strike the right balance."
TSS provides what it calls a Security Posture Snapshot, where it works with different departments within a business to assess threat holistically based on the assets of value it controls or has access to and what is likely to be of value to an adversary.
From this, it can determine the threats the organisation is likely to face and by who, so that it can give them a roadmap to improve security from the context in which that business operates.
Byfield said from that point, it becomes easier to provide strategic advice in layman's terms for a board of directors so that they can understand what steps need to be taken to reduce or manage their risk.
“The big difference there is the threat,” he explained. “Most security vendors will say that the biggest concern is the advanced persistent threats (APTs), but these are not the biggest threat to all enterprises.
"Some may not have any intellectual property and would be targeted not for the value in their own organisation, but for the relationship they have with, and access to, a third party," he said.
IT Security technology can increase risk
Byfield said one of the main challenges, from a security perspective, is the methods and technologies most companies rely on to protect against security risk.
“Compliance and audit is of limited value from a security perspective,” he explained.
“Intrusion detection systems (IDS), intrusion protection systems (IPS) and antivirus (AV) are in the bottom half of the ASD top 35, yet most organisations spend up to 70 per cent of their budget on these three technologies."
Byfield said that while in some cases these technologies are purchased to meet a regulatory requirements, companies are spending excessive amounts on these sorts of technologies which do not increase their security posture. Companies which invest in people and process driven security are far more effective, according to Byfield.
The issue of talent
Byfield also said that the people and process approach is dependant on talent and this is a challenge across the security industry at present.
“Over the last 12-18 months there has been an influx of CVs that look impressive, but once we get them into a room and conduct our standard technical evaluation, many don’t even know the fundamentals of networking," he added.
"It has become much harder today to pre-filter prospective talent and some of the applicants are expecting ridiculous salaries because they have added 'cyber' to their resume."
TSS now offers Managed Security Services via the Cyber Security and Incident Response Centre it has built in Canberra.
Byfield said this allows organisations to focus on their core business while TSS ensures they achieve the required security outcome from personnel that live and breathe security every day.
“We strive to attract and retain the smartest talent in the industry and then make that talent available to our clientele.”