In a recent interview with SafetyDetectives, James Rees, the Managing Director of Razorthorn Security, provided insights into the company’s unique approach to cybersecurity consultancy and its evolution in response to the changing landscape. Established 17 years ago during a period of upheaval in the information security field, Razorthorn Security prioritizes customer satisfaction, fostering a customer-centric approach that has contributed to a high client retention rate. Rees highlighted the significance of cultural considerations, a defense-in-depth approach, strategic implementation, and risk management integration in crafting a robust cybersecurity strategy for businesses. He emphasized the importance of AI as a companion to information security professionals, foreseeing its role in informing and assisting rather than replacing human decision-making. Rees also addressed significant cybersecurity challenges, including budget constraints, evolving cybercriminal tactics, and the impact of technological advancements, particularly AI. As the industry navigates this landscape, he stressed the need for a thoughtful and flexible decision-making process to stay ahead in the ongoing technological battle against cyber adversaries.
Thank you for your time today. Can you introduce yourself and Razorthorn Security?
I’m James Rees, the Managing Director of Razorthorn Security. We’re an organization that specializes in security consultancy across various aspects of information security. This includes security architecture and compliance, such as ISO 27001 and PCI DSS (we operate as a QSA company); these essentially form the core of what we do.
Aside from our consultancy work, we conduct significant penetration testing for both large and medium-sized organizations. We also have a branch that assists companies needing guidance, introductions to different solutions, and connections with vendors.
The final component, set to go live at the end of January, is our continuous pentesting platform. This represents a new approach to penetration testing, a solution that has been increasingly sought after by many engaging with us at this moment.
Can you explain Razorthorn Security’s approach to cybersecurity consultancy and how it differs from other firms?
Razorthorn Security, established 17 years ago amid the last credit crunch, was conceived during a period of significant upheaval in the information security landscape. Facing the common industry trend of information security professionals being laid off due to a lack of incidents, I was inspired by a dissatisfaction with conventional consultancy practices, and envisioned a customer-centric approach.
Originating from a British perspective, Razorthorn Security’s philosophy centers around prioritizing customer satisfaction. We believe that by delivering exceptional service, customers will not only return but become recurring clients as their satisfaction deepens over time.
Over the years, Razorthorn Security has evolved organically, navigating the complexities of the ever-changing cybersecurity landscape. Our emphasis on customer satisfaction has translated into a high client retention rate, even as we maintained a deliberately compact size for several years. Recent market shifts, particularly accelerated by the lockdowns, have seen a surge in demand for cybersecurity services.
The transition to remote work and the shift from on-premise to cloud-based solutions have underscored the critical importance of security. This transformation has been further spurred by the activities of cybercriminals exploiting vulnerabilities in organizations yet to update their security measures for remote and third-party solutions.
Razorthorn Security found itself in a fortuitous position during these changes. Engaging in podcasting and video content creation during the lockdown, we were able to share our insights at a time when many were uncertain about the future. The RazorWire podcast, featuring various industry guests, not only kept the dialogue alive during a quiet period but also attracted new business to our doorstep.
Our success during this time is attributed to being in the right place at the right time, offering valuable content, and having a dedicated team. Razorthorn Security has some of the finest pen testers, consultants and sales professionals in the industry, complemented by a talented operational team working behind the scenes. The combination of our unique perspective on security and the expertise of our team has resonated positively with clients and contributed to our growth and reputation in the industry.
What are the key components of a robust cybersecurity strategy for businesses?
- Top-Down Organizational Analysis: Undertake a holistic assessment of the organization, understanding its unique DNA, assets, working methodologies, revenue streams, and internal politics.
- Cultural Considerations: Prioritize understanding company culture, recognizing its importance in the acceptance of security implementations. Cultural alignment is crucial when introducing changes to established work practices.
- Defense in Depth Approach: Utilize a helicopter approach to gain a comprehensive view of the organization. This facilitates the identification of defensive layers, promoting efficient and cost-effective security measures.
- Strategic Implementation: While security is essential, avoid impractical approaches that may hinder organizational functionality. Collaborate with business leaders, including the C-suite and shareholders, to ensure security strategies align with business goals.
- Risk Management Integration: Implement a risk management procedure to identify and understand organizational risks. Work collaboratively with business stakeholders, ensuring transparency about security posture, as seen in recent incidents like the SEC vs. SolarWinds case.
- C-suite Engagement: Emphasize the importance of ongoing security and adaptability to changing times. Seek support and understanding from the C-suite to ensure a continuous commitment to security, given the evolving nature of businesses.
- Collaboration and Communication: Break down barriers between information security professionals and business leaders. Stress the collaborative nature of security efforts, working together to protect the organization from external threats and internal challenges.
- Providing Options: Information security professionals should present options rather than dictating singular solutions. Offer a range of possibilities, allowing organizations to make informed decisions about their security measures.
- Flexible Decision-Making: Encourage a thoughtful and flexible decision-making process, akin to choosing a car. Highlight that security options should be considered and evaluated before settling on a final strategy, ensuring a tailored approach to each organization’s needs.
What are the most significant cybersecurity challenges businesses face today?
The landscape of cybersecurity has a number of challenges. Here are some of the most significant ones businesses face:
1. Budget Constraints:
One of the foremost challenges is the allocation of budgets for information security. Often, businesses find their information security efforts underfunded. Implementing robust governance, risk, and compliance (GRC) tools, essential for managing security effectively, can be a costly endeavor. Businesses must objectively evaluate their security budgets to ensure they can deploy comprehensive solutions without compromising on other essential requirements.
2. Cybercriminal Tactics and Pace:
The pace and ferocity with which cybercriminals target organizations is alarming. Various tactics, from traditional ransomware attacks to more insidious strategies, pose significant threats. Cybercriminals are not only encrypting data for ransom but also resorting to tactics like threatening public exposure of sensitive information or targeting individuals associated with the organization. Businesses need to stay vigilant and adapt to the evolving tactics of cyber adversaries.
3. Technological Advancements and AI Impact:
The rapid evolution of technology, particularly the advent of Artificial Intelligence (AI), introduces both opportunities and challenges. While AI promises to enhance efficiency and data analysis, it also poses risks as cybercriminals leverage similar tools. The concern extends to the potential misuse of AI in cyber attacks. The industry is at a crossroads, navigating the fine line between harnessing the benefits of AI and safeguarding against its potential malicious applications.
How will AI and machine learning impact cybersecurity in the next few years?
I see it as being a companion to the information security role. There has been discussion that people are concerned that it will take infosec jobs. I don’t think it will. Because ultimately, you’ve got to have a level of control when you’re talking about security, and people aren’t necessarily willing to turn that over to an AI just yet.
AI is dumb; it may disseminate information very quickly, but it isn’t sentient or able to free-think. There’s always that little fear. What happens if we do hand over to something that isn’t human?
I think what will happen is you’ll find a lot of companion tools will be made up of an AI that will inform the information security professional what is going on, to allow that information security professional to better detect, determine and make a decision on what needs to occur.
One of the big aspects that I think a lot of people miss outside the infosec field is that one security event within an organization isn’t always the whole story. It sometimes takes a number of different events or situations to occur within an organization to tell you really what’s going on.
For example, let’s look at a salesperson looking to leave the business. You don’t know they’re going to leave until they hand in their notice. Before that happens, they try to get as much information out of the CRM as they can. I’m not saying everyone does this, but if they’re moving to a new, similar kind of job, it’s quite common. They want to take their contacts and download as much data as possible.
Salespeople access CRM databases all the time; that’s part of their job. However, they may be accessing it at different times of the day when nobody else is accessing it, taking screengrabs, or downloading copies of documentation of client work that’s been done, or client names and addresses and so on. Now, if you’ve got an AI detecting unusual activity of that nature, it can alert you in close to real time, instead of finding out about it after it’s too late.
That’s the power of AI for us as infosec people. It’s going to be fantastic technology, but it’s got to be done right. I think that’s the key thing here. There are a lot of vendors out there who are building AI to do all kinds of crazy, wonderful things. The real usage of AI is to have something that can learn the environment. It just goes back to what I said earlier, in one of your previous questions: infosec people need to learn the environment to secure it, and AI will need to do the same. But it could do it on a deeper level than a human can, and faster as well.
But there’s a flip side to this. This is where it gets back to the bad guys. The bad guys are going to be doing the same thing, in similar kinds of ways. So the faster we get at reacting, the faster they get attacking. It’s a constant battle that we’re waging, and it’s a technological battle at this moment in time. Whoever can generate this technology first is going to make some really significant gains.
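The correlation Rees describes in the CRM scenario (off-hours access, an unusually large export, client-document downloads, each unremarkable on its own) does not need a learning model to be made concrete. The example below is added here and is not from the interview or from Razorthorn Security; its log format, field names, thresholds and every sample line are constructed for illustration. It learns a per-user baseline from a training window, tags each later event with whichever weak signals it trips, and raises an alert only when two or more distinct signals from the same user fall inside a short time window, which is the "several events tell the story" point rather than single-event alerting.

```python
"""Correlate weak CRM-access signals per user into a single alert.

Added example, not from the interview or Razorthorn Security. The log
format (ISO timestamp, user, action, object, record count), the thresholds
and the sample lines are all assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed training log: what "normal" looks like for each user.
BASELINE_LOG = """\
2024-03-04T09:12:00 alice view_account acme 1
2024-03-04T10:40:00 alice export_contacts region-north 120
2024-03-05T11:05:00 alice export_contacts region-north 95
2024-03-06T14:30:00 alice view_account globex 1
2024-03-04T09:30:00 bob export_contacts region-south 2000
2024-03-05T16:10:00 bob export_contacts region-south 1800
"""

# Constructed evaluation log: alice behaves like the departing salesperson,
# bob merely works odd hours once.
EVAL_LOG = """\
2024-03-11T02:15:00 alice export_contacts all-regions 4800
2024-03-11T02:40:00 alice download_document client-proposal-globex.pdf 1
2024-03-11T03:05:00 alice download_document client-sow-acme.pdf 1
2024-03-11T10:00:00 bob export_contacts region-south 2100
2024-03-11T22:30:00 bob view_account initech 1
"""


def parse(log):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, action, obj, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "count": int(count)})
    return events


def build_baseline(events):
    """Per user: the hours they are normally active and their median export size."""
    hours = defaultdict(set)
    exports = defaultdict(list)
    for e in events:
        hours[e["user"]].add(e["ts"].hour)
        if e["action"] == "export_contacts":
            exports[e["user"]].append(e["count"])
    return {u: {"hours": hours[u],
                "median_export": median(exports[u]) if exports[u] else 0}
            for u in hours}


def signals_for(event, baseline, bulk_factor=3.0):
    """Return the set of weak signals a single event trips (possibly empty)."""
    b = baseline.get(event["user"])
    found = set()
    if b is None or event["ts"].hour not in b["hours"]:
        found.add("off_hours")
    if (event["action"] == "export_contacts" and b and b["median_export"]
            and event["count"] > bulk_factor * b["median_export"]):
        found.add("bulk_export")
    # Assumed naming convention: client work products are prefixed "client-".
    if event["action"] == "download_document" and event["object"].startswith("client-"):
        found.add("client_doc_download")
    return found


def correlate(events, baseline, window=timedelta(hours=4), min_signals=2):
    """Alert on a user only when >= min_signals DISTINCT signals fall inside `window`."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        for s in signals_for(e, baseline):
            per_user[e["user"]].append((e["ts"], s))
    alerts = {}
    for user, sigs in per_user.items():
        for i, (t0, _) in enumerate(sigs):
            in_window = {s for t, s in sigs[i:] if t - t0 <= window}
            if len(in_window) >= min_signals:
                alerts[user] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for user, sigs in correlate(parse(EVAL_LOG), base).items():
        print(f"ALERT {user}: {', '.join(sigs)}")
```

Run as written, only alice is alerted (bulk export, client-document downloads and off-hours access all within the window); bob trips the off-hours signal twice but never a second distinct signal, so he stays quiet, which is the behaviour you want from a correlator rather than a per-event alarm. The baseline here is deliberately crude: a set of observed hours from a few days of training data will mark any unseen hour as "off hours", so a real deployment would use a per-user activity distribution built over weeks and would tune `bulk_factor` and `window` against its own false-positive rate.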