A Q&A with security specialist Signify’s CEO, Dave Abraham. Gary Flood asks the questions.

Q. Before we begin – I have to tell you I have a big problem with IT security as a market.

A. OK, what?

Q. How come I have been writing about the need for more security in organisations for the past 20 years but civil servants at the MoD still keep leaving all our state secrets on the Tube? Patently there’s a disconnect between what we tell ourselves re security and what’s actually going on out there that makes me suspicious of all you vendors.

A. I can see why you say that. I’d argue that we have a different approach that addresses a lot of why things like that happen.

Q. I’m sure you do! Please explain.

A. The sort of phenomenon you are drawing attention to is really all about behaviour that end users find more natural than what we tend to ask them to do around security. In other words, we give them multiple, complex passwords, we do many things that make their lives that little bit less easy, so they tend to relax out of the processes we mandate and that’s when things can go wrong. The trick is to only ever do things that are transparent, very, very easy to do, don’t make the guy’s life more complicated.

Q. So you produce…?

A. We provide a hosted two-factor authentication service for companies to authenticate remote access by staff to the corporate network.

Q. Two-factor! You’re joking. Isn’t that much, much more complex and fiddly than passwords and what have you?

A. Well, the vast majority of the Times Top 100 now do two-factor, so I’d have to say the market suggests not. It’s now very, very common for even things like Internet banks to provide tokens or devices to one-time passcodes sent by SMS to identify people.

Q. Yet we still see so many slip-ups – I do wonder if even these two-factor using companies aren’t paying lip-service to security.

A. I should immediately point out, by the way, that while we do work with some very big companies – our largest client has 15,000 employees – we do also work with much smaller organisations too, down to one client which only has five staff.
But to address your question, I think what companies like Signify are doing is taking now very proven, top-end technology from people like RSA and wrapping enough of a service layer around it to start finally giving business people what they want re IT security. It also has to be borne in mind that a lot of these companies have to make this work, as they tend to be dealing with very high-value information that they need to show to shareholders, partners and the regulators they are taking the right steps to protect.

Q. So let’s hear about customers – if you can; that’s often a challenge for security providers?

A. We do have some public case studies, so happy to take that on. We have engagements ongoing with major law firms like Lovells, the Norwich and Peterborough Building Society and the London Borough of Southwark. We also work with a range of hedge funds.

Q. You mentioned this service layer on top of the encryption that two-factor works on. Example?

A. If you are a lawyer, charging hundreds of pounds an hour, and can’t work because you can’t access the system from on the road, you can’t work until you can get back in – which is not only wasteful in terms of your and the client’s time, it’s embarrassing. One way to solve it is to get on the end of the queue at the support desk and spend possibly hours getting set back up.
Another – what we do – is to access a 24×7 Web help desk that will get you back up and running in five minutes or so with temporary emergency passwords. That’s just one example of how you need to make security a lot more convenient for people to use – the technology has to be sound but as easy to use and not get in the way of people doing what they need to.

Q. It does make sense. I suppose the acid test for this claim is your company’s performance. Are people buying the idea?

A. We are just celebrating our tenth anniversary, which I think is a positive sign to that effect. When we started ten years ago, of course, we were an ASP, not a Cloud company, and it did take a while to get the message out. But now everyone sees hosted as a good idea and we have won 230 clients all told, mostly UK but some overseas, and have around 60,000 end users using the Signify system now. We are also profitable, with no debt or VC interest, and have been for about four years now.

Q. To sum up then – what is your message to the CIO?

A. Security will only really work when you deliver it as a really positive experience for the user. That way we’re both winners – IT and the business.