In The Boardroom™ With...
Mr. Patrick Dennis
President and Chief Executive Officer
Guidance Software
SecuritySolutionsWatch.com: Thank you for joining us today, Patrick. Before discussing Guidance Software products & services in greater detail, please tell us about your background.
Patrick Dennis: I have been the President and CEO of Guidance Software since May of 2015. Prior to that, I spent more than a decade with EMC Corporation in various executive capacities in the cloud, services and core technologies businesses. I had a wide range of responsibilities at EMC, including time in go-to-market, technology acquisitions, business strategy and restructuring operations. I also spent time with Oracle as a sales executive in North America. Those who follow me on Twitter at (@_Patrick_Dennis) will see I also have a keen interest in economics and Formula 1 racing.
SecuritySolutionsWatch.com: One will read about Guidance Software that, “At Guidance, we exist to turn chaos and the unknown into order and the known–so that companies and their customers can go about their daily lives as usual without worry or disruption, knowing their most valuable information is safe and secure.” Please give us an overview of the solutions Guidance delivers.
Patrick Dennis: We are proud of our Forensic Security suite of solutions. We believe that this particular mix of products and services is not offered by anyone else in the world at this time. The Forensic Security suite is made up of three products using a common core client which offers more system visibility than anyone else in security. The three products are: EnCase® EndPoint Investigator, which brings our best in class forensic investigation software to commercial enterprises; EnCase® EndPoint Security, an endpoint detection and response product that helps customers improve rapid detection and response by 90 percent in many cases; and our new EnForce™ Risk Manager software, which is the first product in the world that brings collection and remediation capabilities to a product focused on helping customers reduce the attack surface area of PII (personally identifiable information), PCI (payment card industry) and other confidential information. Organizations can take a proactive approach to information governance, ensuring that sensitive data is identified, classified and remediated. This not only helps mitigate potential damage from breaches, but it also improves compliance with global data protection mandates.
SecuritySolutionsWatch.com: Are there any particular new solutions that you would like to talk about?
Patrick Dennis: The entire Forensic Security suite is differentiated, but I would like to highlight our newest product EnForce. We observed the intersection of global privacy regulations, changing customer e-discovery requirements, and shifting information governance technology markets in the middle of 2015. At this intersection, we found the emerging need to find and act on PII, PCI and other confidential information across an enterprise. That need was being driven by two distinct forces.
First, security professionals determined that the attack surface area cannot be reduced in terms of devices or nodes. Rather, to reduce the attack surface area, one has to find critical information and remove it from places it doesn’t belong.
The second driving force is the global regulatory environment. Around the world, regulators are increasing the fines and damages associated with compromised customer information. The EU took a leadership role with the Freedom of Information Act, which requires a company to remove all of a customer’s information upon request. Although this seems straightforward, those of us in the technology business know it is nearly impossible. We decided to take on the impossible task, and in early February, announced EnForce Risk Manager to address these needs. Guidance engineered the new product based on our leading collection and remediation capabilities, and added new workflows, interfaces and collection enhancements targeted specifically at confidential information. I am personally excited about how it can help enterprises significantly mitigate potential damage from breaches and how closely it maps to the requirements of the European Union (EU) regulations. We have received extremely positive feedback from customers in Europe and from multinational corporations around the world.
SecuritySolutionsWatch.com: We understand that 74 of the Fortune 100 and hundreds of agencies worldwide use Guidance – this is, indeed, quite impressive! Are there any success stories or “wins” you would like to highlight?
Patrick Dennis: We have many examples to share which illustrate not only the benefits Guidance Software’s products and services bring to our clients, but also the crossover security has to many vertical markets, not just healthcare and finance. Security is now a larger, horizontal business problem and reaches into industries such as manufacturing and mining.
Fortune 500 International Bank
This financial services client was concerned that a possible well-publicized worm had infected their systems, placing billions of dollars in daily transactions in jeopardy. They deployed EnCase Endpoint Security to run a complete, network-wide scan to expose any instance of the worm hiding in the environment. An automated assessment revealed several machines with unknown processes which upon further inspection confirmed an instance of the worm. The bank’s InfoSec team leveraged this instance of the worm as a source for enterprise-wide similar file analysis using EnCase Endpoint Security to detect and remediate.
Global Automobile Manufacturer
Suffering from an average of 50 security breaches per year, this automobile manufacturer used EnCase Endpoint Security to prioritize, investigate, and remediate incidents. Financial and productivity impact of about 100 days of server downtime per incident, including servers used to process auto loans and payments. With 360-degree visibility, the client saw improvements across the board, including:
- 89% reduction in time to validate and triage threats
- 90% reduction in time to remediate security breaches
- 98% reduction in server downtime per year
- 680% return on investment with a payback period of 2.6 months
- Savings of over $2.4 million in incident-related costs
SecuritySolutionsWatch.com: What is your perspective, Patrick, regarding digital risk and the wave of cyber attacks in today’s IoT environment - are we more vulnerable today and is your new cloud strategy, and relationship with Amazon, part of the solution here?
Patrick Dennis: Let’s start by quantifying some aspects of this question. First, I believe digital risk is a much bigger problem than the average executive thinks. A recent body of work from McKinsey & Company estimates cybercrime costs between .5 and one trillion dollars annually. What may be more impactful is that organizations will realize nearly three trillion dollars in opportunity lost by 2020. That means digital risk isn’t just a cost problem; it is slowing the rate at which executives are willing to digitize their business. That, in turn, reduces their level of competitiveness at a time where technology is disrupting all markets. I see this as related to the IoT part of your question since many organizations are using the Internet of things as part of their digitization strategy. I also believe that any of the 30-50 billion devices forecasted by 2020 can be hacked if they attach to the Internet, and by definition they all do!
Although technology has increased our quality of life, as your question states, it has also increased our vulnerability. If we do not address the security and privacy concerns, society could slide backwards. Everyone at Guidance believes that we have a societal responsibility to contribute to making the world a safer and more secure place.
The cloud announcement we made in early February was in part connected to IoT and in part driven by cloud native application growth. If you think about our core business, we deploy software on endpoints. They take many forms: laptops, servers, ATM machines, POS systems, and now more than ever, cloud-based virtual machines. We want to make sure that our customers can use the same Forensic Security software to protect their cloud-based virtual machines as the physical machines in the data center.
We think this is the right thing to do because the growth in endpoints is coming from cloud virtual machines and the associated applications. Fortune 500 enterprises must digitize the business to compete, and they are turning to faster software development methodologies like agile cloud technology. This means more modern applications will be built on platforms like Amazon, using software like Cloud Foundry, to develop applications that are native to the cloud. These applications require as much, if not more, security as they scale out to thousands of machines and millions of users.
Phase one is about reducing the complexity and time to install our software onto an Amazon infrastructure. In future phases of the project, we will do even more to make our software support modern, cloud native applications across industry standard public and private clouds.
Guidance can play a meaningful role in any corporation’s security and cloud strategy as we are completely focused on reducing digital risk.
SecuritySolutionsWatch.com: Do public policy makers, law enforcement or federal agencies play a role with organizations in this space?
Patrick Dennis: Yes. First it is important to realize digital risk is a global problem. Yet, law enforcement and federal agencies are often limited in scope to a particular country, which means that laws usually govern issues that are also not global in scope. As such, commercial organizations need to work with these groups to pursue prosecuting cyber crimes. However, the consequences for commercial organizations collaborating with these groups can often open the organization to lawsuits, public relations consequences or worse. We need positive incentives to encourage collaboration between the public and private sector to fight cyber crime. Guidance has a long-standing relationship with law enforcement and government agencies around the world. We know how important it is for these public sector professionals to ally with commercial organizations to make meaningful progress against cyber criminals.
I have been spending some time with Ed McAndrew, a former cybercrime prosecutor in the U.S. Attorney’s office, discussing the topic of working with law enforcement on cyber crime. While we come from different backgrounds, we have had similar experiences with these types of matters. We agree that it is difficult to establish these types of collaborations, and for commercial enterprises to prosecute these types of cases if they choose to. Many of our policy makers simply do not have the requisite technology skills to help govern today’s digital economy. The pace of change is so fast both technologically and within the world-wide regulatory framework, it’s difficult to keep up. Nonetheless, if society chooses not to tackle these challenges, we will continue to enable our adversaries. We need ways to align incentives to drive public and private sector collaboration. Those of us in the industry must find ways to educate policy makers to help improve the cybercrime regulatory environment.
SecuritySolutionsWatch.com: Do you have any specific advice to the Boardroom about security and cybercrime?
Patrick Dennis: In many ways the last question and this one are linked. The board of directors is responsible for protecting its organization’s people, technology assets and shareholder value against risks. Furthermore, they are certainly engaged when there is a company crisis, which is how cyber crime and breaches are often treated. Much like the policy makers I described earlier, many boards lack the knowledge, awareness and confidence to offer security oversight for the business. I have seen many audit committee risk registers that have either no mention of digital risk or have one entry that broadly describes the potential impact. These are both insufficient for most of today’s businesses that rely so heavily on technological innovation and are primarily digital.
Boards need to open a stronger, more consistent line of communication between the security team and the most senior executives. It is important that the security organization educates the board and top management on digital risk. Opening this dialogue allows business leaders to make the necessary trade-offs to grow and protect the business. The additional transparency also helps the board’s governing function.
Next, a board of directors should ask to see the overall security program. This program should include a combination of people, process and technology focused on reducing digital risk. This is a good time to make sure there is a balance between the focus on preventing incidents, and the need to respond to them. Boards should consider if the security posture of the company is appropriate given the exposure to digital risks, based on the weighting of the other risk factors. This should be a gauge in terms of the business and how the outside audit firm would assess the company’s security posture.
The starting point has to be linking the business growth strategy to the digital strategy, and the digital strategy has to include a way to keep the company secure. If the board and top management keep those things in mind, they will stay on the right path. If they agree on the tradeoff between growth and risk, the board can avoid surprises. Finally, if there is a comprehensive security program in place, the company is better positioned to collaborate with public sector counterparts when an event occurs. These are all rapidly evolving topics that boards should take seriously now.
SecuritySolutionsWatch.com: We read with great interest that the Enfuse Conference is coming up May 23-26 in Las Vegas. Who should attend and can you give us a sneak peek regarding some of the upcoming highlights at this year’s event?
Patrick Dennis: At EnFuse, we aim to bring together the most important constituents in an organization that play a role in reducing digital risk. It’s not our conference, it’s our users’ conference. It’s the only place in the world where real forensic investigators and IT security professionals, law enforcement with public policy makers intersect. We’re privileged that nearly 2,000 attend our event every year. This year, we are looking forward to having Computer Scientist Dr. Jennifer Golbeck, director emeritus of the Human-Computer Interaction Lab and director of the Social Intelligence Lab at the University of Maryland, deliver the industry keynote. Over the course of three days, I expect interest in social, mobile, analytics and cloud to be hot topics.