Episode 64: Peer Based Research Breaks the Analyst Mold
Amrit Williams, BigFix CTO, discusses the benefits of peer based research with Jack Phillips, co-founder of IANS, the Institute for Applied Network Security.
FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Jack Phillips, who is the Co-Founder and CEO of IANS, the Institute for Applied Network Security. Jack, thanks for joining me today.
Jack Phillips: You are welcome.
Amrit Williams: Jack, as I was mentioning to you earlier, I have got a lot of friends in common with the faculty over at IANS, and I have had probably about a half dozen of them come to me independently and say, Amrit, you have been in security for a while, you should probably get involved with this group IANS, and I thought to myself, well, what is this IANS thing? Most of these guys happen to be on the East Coast, in the Boston area.
Then I was out at a conference in Boston and I ran into a couple more folks that I know from IANS and several customers of the company I work for. They sat me around at a table and they all explained to me how important IANS was. And I have got to tell you, I was looking at them thinking, this is kind of weird, I feel like I am being surrounded by a cult and they are going to ask me for my firstborn pretty soon.
But I did take the time to listen to them, and we did get some involvement with IANS, and we have been very impressed. But I wanted to ask you about, what was the problem that IANS was trying to solve that drew all these people together?
Jack Phillips: Well, it’s a great question, and the faculty truly is our secret sauce, it’s one of the ingredients that we really rely on and are proud of, in terms of how we execute on our business. So it’s a group of about 25 strong, now, across the country, who are of varying backgrounds, but the commonality is that they are deep domain experts in information security. They have been in this space for a long time. They are well-respected. Some are practitioners, some are consultants, some are authors. But it’s just a great group, and often I call them the Intel chip inside of our chassis, because they really are the brain trust of what we do.
So about eight years ago, a business partner and I, we are entrepreneurs, we are not technologists, we are not security specialists. We have a knack for looking at and finding job functions that are poorly served from an information angle. We happened into information security through actually our original faculty member, who is Becky Bace, who goes way back in the space, has been both in the government side, as well as now on the venture capital side.
Ultimately, really just backed into an opportunity when she said, information security professionals, it’s an emerging job function, it’s on its way up. It is coalescing. It’s coming together at some point in the future; again, this was pre-9/11, we will have a chief information security officer. It’s not there yet.
So as an entrepreneur team, we looked and said, wow, that’s a great opportunity. So we had done a lot of research in what I call a peer-based research approach. And essentially what we did to build the business was we took a technique; we call it peer-based research, and applied it into an emerging job area, and an emerging functional area, which you know very well, which was information security.
We did it in a very, we think, unique and deliberate way, which was essentially what often many of our customers say is, you are the anti-Gartner-Gartner, you are from the bottom-up. In other words, you are aggregating peer insights and peer views from the bottom-up, from the masses, as opposed to the analysts’ sourced insights that we are used to, as a community we are used to consuming and buying, and frankly, nowadays being somewhat captive to.
So that was the original vision for the business eight years ago. Two months into it, we held our first two-day Information Security Forum, in August of 2001, here in Boston. We had about 40 people, and we had about six vendor companies underwrite the event. We got through that event. Becky was our sole faculty member, and we got through it, and we said, we have something. People said, that was great. I learned more from my peers, and you guys facilitated discussions, but I learned more from my peers than I learned in a lot of time leading and listening to analysts. So we knew we were on to something.
Amrit Williams: That’s very interesting too, because the insight to recognize that there was this gap, that was already there, but was going to become even greater, and also the insight to recognize that the professionals within information security would become more important and would need this type of information. So that’s very unique. I don’t think a lot of people really grasp that. I think that probably lends to your background and your thoughts as an entrepreneur.
When you talk about this concept of peer review, can you give some thoughts around the way that you hold a forum, the way that you communicate information out. Is there a review process? What is a role that the faculty members play in ensuring that information is distributed? Because one of the things I have noticed in information security is people don’t agree. When you have in a collected group of 25 faculty members; and I know many of them, I know they don’t agree. So is it really to facilitate the peer discussions, and how do you accommodate these varying views and ensure that you are still providing a service to those that want to participate and take advantage of what you guys are offering?
Jack Phillips: It’s a super question. The answer is carefully. We do it carefully. As you know, this is a great space in that it is — there are so many answers to the pressing questions that we face. There are a lot of different paths, and you commonly hear professionals — similar job titles in different industries answering a particular question in diametrically opposed ways.
Frankly, again, from an entrepreneurial standpoint, we are really almost information arms dealers in this war, and we love when the war continues to rage and the debate continues to rage.
So the short answer is that, I think what professionals are looking for out in the marketplace is direction, not answers. They are looking for a narrowing of the options, in a sense, a set of decision criteria, decision support that narrows their options. It doesn’t answer the question for them, but that says, most of your peers are approaching this problem in two ways or from two different angles, and here’s some support on those two different angles.
Now, with that in mind, go back internally and decide how you want to proceed. If you continue to need our assistance, and our faculty actually, after helping to tease out what are the primary directions that users are taking, commonly they then will come in, when asked for an opinion, and say, here’s what I think.
So increasingly in the last few years our business model has matured to more recommendations, more course of action recommendations than we have traditionally done in the past.
But a classic culmination of a lot of activities is the document we produce on a particular topic, which is called a point of view document. That point of view, number one, articulates a few of the different approaches that we have observed. And number two, it does go out on a whim and say, okay, if you are this size and you are in this industry, our recommendation is that you take that approach. So that’s how the model has matured.
I guess the best metaphor is that, we try to build this mosaic of a lot of different pieces of information for our subscribers, for our members, put all that up, kind of on a single sheet of paper, and let them look at that mosaic, and then step back in order to see, okay, I see a path toward an answer for myself.
Again, we supplement a lot of other things that high-performing security teams use to make decisions, we are a supplement, we are not a replacement for, again, for analyst-based research. But that’s essentially the approach which is — to your earlier question, we hold live events all around the country of varying lengths: two days, one day, three hours. We hold phone-based conversations, usually about one hour. We hold online discussions.
The faculty’s role is, again, to act as a moderator, but really an intellectual backstop. So they do have a responsibility to call the truth if somebody varies off of fact, but essentially, we pay them on a strict percentage basis. Their job is to contribute or to speak no more than about 20% of any given conversation, and 80% is meant to come from the participants. They are trained in how to do that. That’s really, I think, the value that we bring to security professionals and vendor companies in terms of delivering insights.
Amrit Williams: You said something that I thought was very well-stated, and I think this is — earlier on you had mentioned the anti-Gartner. I don’t know if you know this, but I am a former Gartner analyst, and I am very familiar with that side of the business. But I think what you said that I really tuned into was when you said it’s not so much that we are trying to provide recommendations, as in, do this and the outcome will be this, and this is what you need to do, which I think a lot of analyst firms fall into that trap. This is how you are supposed to do endpoint protection, this is how you are supposed to evaluate firewalls. They miss the fact that when they speak at that macro level, it’s very difficult for the individual companies to internalize and personalize what they need specific to them.
But when you said, what we are trying to do is provide them and narrow their options and provide them some direction, so that they can make the choices that are specific to their environment, that is something that I see clearly lacking in information security. You have got a lot of people coming out and say, do X, or I think Y is right, or this is why Z doesn’t work, but they don’t often back that up with the rationale that’s specific to an organization. So I really appreciated the way that you stated that.
Folks looking to get more information on IANS, the IANS website is ianetsec.com or .org?
Jack Phillips: It’s actually ianetsec.com.
Amrit Williams: Okay. Thank you very much. Jack, thank you for joining me today. It was a pleasure speaking with you, and I wish you guys the best. I will talk to you soon.
Jack Phillips: Thank you.
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening.
