Waiting for the next big data breach to hit is probably not the best way to test how protected a company’s information is.
With more businesses storing and using sensitive data, security is a top concern—especially when the government establishes rules on the matter that businesses must adhere to. Financial institutions, companies that handle medical records, and other business might look to independent “cyber risk” management companies such as Coalfire Systems to spot potential weak spots, or insurers such as Marsh who also provide those services.
It is a busy time for Coalfire, headquartered in Louisville, CO, with office locations that include New York, Seattle, Boston, Dallas, and San Diego. In addition to working with clients, Coalfire has been handling an unforeseen change from within.
In June, Rick Dakin, the founding CEO, passed away while out on a hike. Soon after, Coalfire named Larry Jones as his successor. Jones had been chairman of the company since 2012, and brings with him prior experience as CEO, which included helming businesses such as Activant Solutions, MessageMedia, and Neodata Services.
He spoke with me about the mercurial way cyber security must adapt to stop bad guys and data leaks, and what stepping back into a direct leadership role, after the loss of a colleague, has meant for him.
Xconomy: With cyber security more top-of-mind these days, what is Coalfire doing to address the growing need?
Larry Jones: We’re an advisory firm that goes into large and small enterprises and helps them answer two basic questions. First, is the IT environment compliant with all the regulations that may be applicable to the business? A hospital has to be HIPAA (Health Insurance Portability and Accountability Act) compliant. A merchant has to protect credit card data. A cloud provider may have to be federal compliant if they are taking on federal business. The second question we ask, is the IT environment safe from being hacked—is the intellectual property behind the firewall safe?
We’ll come in and do an assessment; some clients are very sophisticated, some clients are very naïve. The next piece of business we do is compliance assessment; we’ll go in like auditors and go down the checklist of HIPAA compliance, PCI (Payment Card Industry) compliance, ISO (International Organization for Standardization), or whatever it may be.
The third piece of business we do is a lot of technical testing, including a penetration test trying to break in at their request. We’ll test the IT infrastructure or a given product, such as credit card readers and medical devices. The goal is to make sure the data in that software or hardware is not exposed to the outside world.
We also provide software tools to our customers and internal consultants to analyze their environments. It will do vulnerability testing; it provides self-help tools for your own compliance assessments.
X: What is the primary client base that you work with? Larger entities that have lots of data? Small startups that are just starting to get their hands on sensitive information?
LJ: They are pretty diverse. Coalfire is around 14 years old. In the early days, we dealt mostly with smaller to midsize companies—merchants, smaller regional banks, and startups. Those clients tend to be a little less sophisticated and need the more basic services. More recently, we’ve been serving larger enterprises, in the technology and cloud space. Microsoft, Oracle, and HP. We also work with payment providers and healthcare systems. We help them address large scale threats.
X: Cyber security threats are always evolving; what are you preparing for down the road, in a world where mobile devices can be gateways to sensitive data?
LJ: There are three really big trends that are starting to come forward. First, the bad guys are getting meaner, more prolific, and international. The threat level is
