In this exclusive interview, we spoke with Mark Stamford, CEO of OccamSec, about enterprise cybersecurity, the Radius vendor-assessment platform, and the company's offerings.
OccamSec is an information security company that provides penetration testing services. Founded in 2010, OccamSec has evolved into a leading cybersecurity technology provider for enterprises.
Here are Mark's responses to our questions:
1. Question: Your company performs a lot of penetration tests. What can you say about the cybersecurity state of most online systems you’ve tested?
Mark Stamford: The general state has improved. Security technologies continue to improve, as has the understanding of risk and security. There is a range of accepted “best practices” which, if followed, will deter the average hacker. The gaps that remain after that are really the ones that continue to be tricky to fix because they are tricky to find. A lot of our work is in this space – what are the technical issues that are going to cost me my company, my job, etc., and how do we fix them?
The bigger issue is how organizations approach security. For all the articles we read about companies implementing security technologies, there are many more who are still considering how best to proceed, and even if they need to. Case in point: I was on a panel around cybersecurity, and one of the audience asked, “why do we need computers?” I am going to assume their security is not so great.
2. Question: With Radius 2.0 recently released, what was the primary motive behind its initial launch and development?
Mark Stamford: There are two reasons. The first is that we work with a lot of companies and, almost universally, third-party risk management tools annoy people. We figured we should try and make a better one.
The second is that we believe assessing the cybersecurity risk of an organization requires you to consider the vendors you use. Each one is a potential hole into your network. Twenty years ago I used a data feed company to breach another; vendors have only become more prevalent since then.
Radius enables us to provide a solution to solve our clients' problems, and better assess how exposed they are.
3. Question: What are the core values you look for in individuals who wish to join your team?
Mark Stamford: OccamSec is a team, so the ability to play well with others is critical. For a long time, any new potential team member had to jump on a call with the whole company; if anyone got a bad vibe, or knew the candidate and that they wouldn’t fit, we would not proceed with them. We have eased up on that a little, but we still try to expose candidates to as much of the team as we can and make sure they are going to be a good fit.
We need people who are able to think and apply their knowledge to solving problems. Every project we do is different, from penetration testing a medical device, to physically breaching an oil facility, and everything in between. Enjoying solving problems, and realizing that the solution is different each time, is key. Also realizing that you need to continuously learn to be good at your job. Technology and security are constantly changing; to be good at this you have to want to keep up.
Finally, we don’t do the corporate thing: we have no dress codes and no fixed office hours, you can talk about what you want, and we minimize office politics. Acceptance of that culture and the ability to thrive in it is vital.
4. Question: What counter-measures would you recommend to online entrepreneurs to minimize the risk of cyber-attacks?
Mark Stamford: First, try not to read too much coming out of the information security industry. So much is based around FUD (fear, uncertainty, and doubt). Instead think about what your business does, what you want to achieve, and how you want to achieve it. Spend some time considering how it could go wrong – what is your worst day? Then talk to someone in InfoSec, determine what the threats are and where you are vulnerable, then fix them.
Too often we see tools being deployed as some kind of silver bullet. That never works, so save your money and start with some questions.
At a technical level, make sure you patch your software; this is the single easiest (and cheapest) way to lower your chance of having a problem.
5. Question: As a New York-based company, what is OccamSec’s presence on other continents? Are you planning on extending your reach anytime soon?
Mark Stamford: Our HQ is in NYC and then we have team members across the US. We also have a team in London and Dubai. With the UK leaving the EU we’re looking at spinning up a team in mainland Europe. There’s been some discussion around Australia, although it is very early.
One good thing about our work is we can employ people regardless of where they are; all you need is an internet connection.
6. Question: What have been your significant achievement(s) in 2020 so far?
Mark Stamford: Navigating the current pandemic and ensuring our staff is ok. While business goals are important, without our team we would not exist. I am proud of the way the team has been through this and the support they have provided each other.