A proven corporate and early stage executive with more than 25 years of experience in the information security and technology industries, James Mobley is currently Neohapsis’ President & Chief Executive Officer. Under his leadership, Neohapsis has grown from a small Midwestern security consultancy to become an international mobile and cloud security services company.
Prior to Neohapsis, James was President and CEO of @stake, Inc., an industry-leading international security consulting and products company acquired by Symantec (SYMC) Corporation in 2004. Other prior experience includes President and CEO of Intrusic Corporation, an early stage pioneer in internal threat intelligence, and executive leadership roles including Vice President of Compaq’s (HP) USD 1 billion North America Professional Services sales organization, Vice President & General Manager of Digital Equipment’s (HP) USD 400 million Central Region and Business Unit Executive of IBM's USD 200 million Healthcare and Service Providers business unit.
In an exclusive interview, James shares with InformationWeek his thoughts on various aspects of cyber security.
1. James, tell us about Neohapsis. What is the company’s customer proposition?
Neohapsis is one of the most respected pure play cyber security consulting firms in the industry. Our team has a track record of success within startups and global enterprises. This means our clients will experience the speed, innovation and nimble nature of a startup, but with the operational rigor of a global company. Through our unique consulting and automated delivery approach, we combine expertise gained over thousands of engagements, with proven methodologies and our unique crowdsourcing capability to deliver the most accurate and relevant findings of any boutique consultancy in the industry. As a result, we have successfully helped many of the world’s largest and fastest growing companies assess and protect against the risk of cyber security attacks. Our success is validated by some of the highest client satisfaction ratings in the industry.
2. How is Neohapsis different than other security consulting companies?
The combination of four things separates us. First, our team is comprised of risk and cyber experts. This gives us the ability to align security programs with business strategy while also crawling through the most sophisticated attack scenarios. Secondly, we have advanced technology, which leverages an internal crowdsourcing approach and codifies our experiences and methodologies. This enables increasingly accurate recommendations on what should be protected and how. Third, because we work with many of the leading enterprises around the globe, our team’s expertise is innovative and multidimensional, which means that we assess and address problems from all angles of an attacker’s thought processes. And finally, we are committed to staying one step ahead in this fast moving environment. To do so, we are consistently performing advanced research within our labs on the Internet of Things (IoT), mobile and cloud, as well as performing advanced attack analysis and vulnerability research. Each of these characteristics by themselves would be admirable; however, the combination of all these things results in a consultancy that is uniquely qualified to deliver outstanding results.
3. Given your emphasis on business solutions not just purely technical security solutions, who is your “buyer?”
Our buyers are the individuals who have the highest responsibility for securing the assets and the ongoing technological operation of the enterprise. This is typically the CIO, CSO, CISO, and VP of Risk.
4. James, security seems to be all over the news again. Can you tell us about the ebbs and flows in the world of security?
The ebbs and flows of security have simply moved in parallel with technology business models. In the mainframe era, there were few discussions about security. In the client server era, processing became distributed and so did the attack surface, thus client and server side attack scenarios. With the Internet came a flood of network-based attacks and application layer attacks, which fueled an entire industry of technologies and solutions. In a ubiquitous mobile, social, cloud and IoT environment, all of what we have previously seen continues to exist, but the prevailing operating model has resulted in the majority of the devices sitting in the hands of people who are least qualified to protect them, as well as an infrastructure that is typically controlled and managed by third parties. This will lead to more stringent security policies and controls, as well as more demands from boards on the adherence to these controls.
5. How do you see physical, network, and cyber security connecting? Is there a play here for entrepreneurs wanting to connect these areas?
There is definitely a convergence that has taken place and will continue to do so. In fact, it is difficult to separate network security from cyber. Our physical world has already evolved into the Internet of Things and has already given us many examples of the challenges that await us. Baby monitors, automotive systems, home automation and medical devices are but a few of the IP connected things that have been shown to be vulnerable to attacks. Unlike an enterprise attack which tends to be impersonal, the Internet of Things will increasingly give cyber-attacks a very personal image. The opportunities for entrepreneurs are endless because when things become personal, the sense of urgency to find viable solutions will accelerate.
6. James, you have a storied background in the security space. What has changed over the last 15 years in this space?
The opportunities that I have had in this industry, and any success that has been experienced, are entirely due to the brilliant team of people with whom I have had the privilege of working. In regard to what has changed…Mobile, social, cloud and the Internet of Things have changed the attack surface by an order of magnitude. The necessity of these technologies and their use in the modern business model has significantly increased complexity, which is always an enemy of effective security. Many of the same discipline and process gaps that we saw in the year 2000, we still see today. But probably the most concerning change is that attacks from a decade ago were mostly nuisance attacks that created some embarrassment and some inconvenience. Today’s attacks are increasingly targeted and well planned for the specific purpose of achieving an economic or political objective. When the stakes are higher, so is the effort…on both sides. So while we continue to fight the good fight, the reality is that our focus needs not to be on increasing our stamina nearly as much as expanding our fighting arsenal.
7. What is your advice to IT Pros today regarding security? How serious are the issues?
My advice is to not over complicate the challenge. We are in a race to protect multiple assets from an enemy that only needs to find one way in. A well-funded enemy is a nearly impossible adversary to defend against. The key is to manage the risk. Know what data needs to be protected and know who should and should not have access to it. Adhere to proven processes and implement the core technologies throughout the stack to enable confidentiality, integrity and availability of the data. And from an organizational standpoint, do whatever possible to create a security intelligent and security aware organization from top to bottom.
8. Are IT departments today fairly prepared with regards to security?
Most IT departments have made significant progress. The appropriate controls are understood, as well as the value at risk. The primary issue today is typically one of a rapidly changing IT operating model, prioritization and resources. Working knowledge is being threatened by the changes that mobility and cloud have brought to the IT landscape. As a result, technological priorities are running in parallel with business priorities. In other words, IT is in a race to understand a changing environment at the very moment that environment is central to competitive strategy and evolving business models. This all results in resource and bandwidth issues, which means that some things that need to be completed are placed on the backburner. And this is why skilled consultancies are in such hot demand.
9. James, can you tell us what we can expect from Neohapsis in the immediate future?
I expect continued success because we have a great team and great clients. Our focus is on addressing our clients’ most pressing needs. We will continue to build a team that has the skills required to deliver exceptional service to our clients. We will continue to spend time and energy on advanced research so that we can stay on the leading edge of protection strategies. And finally, we will innovate in terms of how we deliver. Our industry is battling a skills shortage and, as such, there is a need for new approaches that allow advisory security consultants more flexibility, scale and collaborative capability when delivering engagements.