Hello, and welcome to DataEndure’s February TECH Talk. I am Kirstin Burke, joined as always by Shahin Pirooz, DataEndure’s Chief Technology Officer. And we are absolutely delighted today to welcome Tamar June, who is the CEO of AssurX. And she has a very compelling story. She is in a very – organization is the very high profile market. They are helping organizations with their compliance and regulatory issues. And we want to talk to her today just about what she’s facing as the provider of these services, what she’s seeing her customers go through, and really to give us some insights from a market point of view, how security looks to her and what she’s doing to fortify her posture, both for business and for customers. So Tamar, welcome!
Hi, how are you?
Excellent. We’re delighted to have you. And I guess how we might start out is tell us a little bit about AssurX, tell us a little bit about you and what your company does for folks.
Okay. Well, I’m part of the founding team at AssurX. We incorporated in March of 2000 and launched our first product that was a web-based enterprise quality management system. And from there, we also introduced our cloud based offering. Back then in 2000, people were really not that familiar with renting software, and that’s how we referred to it back then. So we launched our first product in March of 2000 and it really did very well. We had both on-prem, as well as hosted customers.
From there, we grew substantially and the majority of our customer base is highly regulated. They are either regulated by the FDA or they are regulated by NERC and FERC for energy and utilities. So the FDA, we’ve got food, life sciences, customers such as biotech, pharmaceutical, and medical device, as well as food. And then in the energy and utilities, we have oil and gas, but the majority of them are transmission and distribution. These are very highly regulated industries. And our product has expanded from not just quality management, but we have expanded into regulatory compliance as well. So that’s basically the overall business.
So with that regulatory compliance comes with it a certain expectation of your infrastructure meeting those same types of regulatory compliance and the same kinds of pressure that your customers are, I’m sure?
Well, yes. And that’s the thing. It has gotten much more – how shall I say it, complicated in the past few years, because cyber security is in the headlines just about every day. You hear about hacking, you hear about just service attacks and whatnot. So we have taken a much more stringent approach because our customers and prospects have demanded that we have certain security policies, procedures, and tools in place. Otherwise, you’re not even considered to be a vendor.
So we went from a managed hosting provider to our own cloud. Our own cloud is much more secure. It is a private cloud. It is hosted at Switch. And then in addition to the physical and data center security that Switch provides, we needed to go to the next level. And that’s where we brought in DataEndure to help us secure the rest of the missing pieces.
And then, you guys are in a unique situation where the rest of us caught up to you finally, but you guys have been distributed from almost the beginning, since 2000, in terms of the placement of your people and your employees. The world effectively, in this last year because of COVID, shifted to a model of a hundred percent distributed as well and they’ve got faced with some of the challenges. So you didn’t have the immediate challenges everybody else did with figuring out how to get everybody connected to the infrastructure, and VPN requirements and all that. But can you talk a moment about how have you been able to take that data center security and extend it out to your end users in their home offices or wherever it is they’re working?
Right. Luckily, we did not have a cultural shock from going into an office, and then all of a sudden, everybody being remotely located. We have always been a remote workforce from almost day one. Even though we have a corporate office, however, the majority of our employees are spread over 12 different states in the whole country. And obviously, they need to have security policies and procedures that we have in place already. We have security training that we do with our own employees, but then you also need the security tools as well. That’s where endpoint security, and laptop security, cell phone security, all of that comes into play and it’s very, very important.
You were one of our first customers on what we lovingly call the FourFecta, which kind of was a slip of the tongue at one point. And I think it might’ve been on the tech talk and it stuck. And the FourFecta is really designed around this notion of a distributed workforce and being able to deliver the same level of security controls to those people in the field that somebody in a headquarters location would. And the attributes of that are the advanced phishing protection, which on top of the security awareness training you’re doing is preventing the attacks from ever getting to the user through email that is.
And the next layer was the EDR platform, which is if the attack should get – I’m sorry, I lied. The next layer is D3, which is our DMS defense, which is if the link should get to the user and they click on it, we should be able to block them at a DNS layer from getting to a known bad location. And the next layer beyond that is our end point solution, which is now to the point you made earlier about endpoint tools and security, we should be able to stop the attack once it hits that end point.
And then finally, it’s the security operation center, which is the final layer of defense. And that suite of four technologies together or capabilities together really is delivering a complete security model protecting your endpoint. It has really created this umbrella of protection around not just your data center facility with the SOC, but extended that out to the end point with advanced phishing, DNS defense, and EDR capabilities.
The FourFecta was relatively new for us. We launched it last year, and you guys were, like I said, one of our first customers on that service. Have you seen any improvements or otherwise in operating from your end users? Are you seeing a reduction in noise or any of that from all that?
Yes, actually we are. We went on the Switch data center about a little over a year ago. We didn’t go live with our customers for a couple of months. But ever since we brought you guys on board, I have seen a significant drop in the phishing emails, and other things that people try to pull on you through email, especially email. We had a lot of problems in the past with that, and it was just becoming overkill. It has become negligible as far as the number of ones that do squeak through. But now, everybody is pretty much trained and aware of those circumstances.
The other thing I want to point out, which I forgot to in the last conversation, was that the SOC offering was very important to us because we needed to have 24/7, 365 eyes on the glass type of coverage. And that is something that is very, very important because that is one of the things that we get asked over and over again, “If you don’t have it, you’re not even considered to be a vendor.”
And the affordability factor was also very important because if you’re going to hire an entire crew of people to handle that responsibility in a very short period of time, it was not practical for us to do that. It’s much better to have DataEndure take on that role because it’s almost an extension of our own team. So I just wanted to point that out.
Thank you for that. If you were to give some advice to our audience who’s here listening about some of your experiences, and you’ve been doing this for over 20 years with AssurX and evolved from that quality business, if you will, to now a compliance-based business. What are some of the things you would give guidance to the listeners in terms of the world has changed, it’s shifted, here’s things you should consider?
Yes. Cyber security. If you are a software as a service provider, or in fact, any type of business that does any kind of proprietary type information that’s being transmitted over the internet or being stored remotely, whether it’s a managed service or a private cloud, cyber security is probably your number one thing that you need to worry about 24/7. And that is one area that you do not skimp on. Spend the money, do it right, because you don’t want to take on that risk. You don’t want to take on that risk.
Because if you are not up to par on that cybersecurity area and you do get an attack, or you do get data stolen, well, I mean, that could pretty much shut your business down. It could shut down the businesses that you’re hosting, the businesses that you’re taking care of. There goes your reputation. There goes your business. That is just one area that you do not take lightly and take it very seriously.
We tend to agree, but we’re slightly biased. So thank you for sharing that. It’s always better to hear it from a peer than it is from a partner/vendor.
Well, and I think if you look at folks that maybe haven’t had a breach or that might have bought a couple of tools and think, “Okay, we’re good,” there isn’t that impetus or pressure to feel like, well, maybe I should do more. And I think there are folks out there possibly that have done some things and might feel like they’re protected or feel like they’re okay. And unfortunately, it’s not until something happens, a worst case happens that it’s like, “Oh gosh, I didn’t know that I had that gap,” or “Oh gosh, I didn’t know that this tool wasn’t doing what I thought it was going to do.”
And so I think being able to constantly inspect that what you’ve put in place is actually doing what you are expecting it to do, and that over time configurations change, different things happen. Cybersecurity, the adversaries out there are not staying the same. They’re out there constantly looking for new ways to get in. And if you’re not also constantly looking at your infrastructure and making sure that nothing’s changed, you’re at risk.
And I’m just curious, from your perspective, I know one of the things DataEndure does for you is checking your vulnerabilities and doing a security controls assessment on a monthly basis. Has there been any output from that that has benefited you guys, has raised some alerts or said, “Hey, maybe we ought to look more closely at this area”?
We do vulnerability testing with DataEndure. That is correct. For penetration testing and whatnot, because we have to. Not only do our customers require it, but our prospects also require it. They want to know if we are doing that on a regular basis. So that’s also a very important part when you’re going for ISO certification or some other type of security requirement that the prospect or the customer may put on you. It is getting tougher and tougher.
I’ve seen cyber security liability insurance requirements double in just the past year from our customers and prospects. Because, again, you see and hear the headlines. And then the most recent one I can think of was the SolarWinds, which everybody in this country, in the world probably, already heard about. So yes, you cannot feel comfortable. You have to constantly be on alert.
Agreed. So Kirstin, you mentioned something that brought this to mind for me. You mentioned folks that haven’t had an impact, haven’t had any issues, and knock on wood, Tamar, we got engaged before you guys had any incidents, and we intend to keep it that way. But we do have – a good majority of our customers have come to us in the middle of a incident response where we’re going in and helping them respond to an incident. And then once we’re done with that work, they typically join as a customer of our security operations.
And I’ve often said – I’m speaking to prospects. When I was a young architect, I was responsible for setting up this infrastructure for a very large, 100,000-employee company. And I spent about six months building it. One of my tasks was to get the backups working on this infrastructure that I had built. And it happened to have six months worth of software development that I had on the infrastructure as well. Well, the system crashed. Man, I never got around to getting the backups working and I lost six months of software development for myself and my team of six people.
And so, that was the first time in my career, and that was almost 30 years ago now, but that was the first time in my career that I experienced loss, and something that I had thought of as a nice to have, backups, became something that was so critical and lost six months of work for me, because I didn’t take the time to make the right investment of time and get it working. And I think security is that – we believe in digital resilience, which is a combination of infrastructure resilience and cyber resilience, and both of those together are required in today’s world to keep a company operating because we’ve become so digital and rely so heavily on the digital media and marketplace. You, in particular, have your entire application platform is digital. Your customers consume it over the internet. And so it becomes key.
And I think for those who have, knock on wood, not experienced a loss or an outage like this, or have been compromised, it’s no longer a matter of if, it’s a matter of when, so protect yourself by – Tamar’s advice was absolutely spot on. You can’t skimp on the controls to protect your environment.
That is true. So you had mentioned, Tamar, that you all were looking at moving forward with ISO certification, that that’s kind of the next advancement for you or the next project for you just in terms of building out credibility for your organization. How is that going to affect or does it affect any of the security or data requirements that all of you are going to need to manage?
Well, the good thing is we’ve already done what the requirements have asked us to do. And we got started on it early last year. And so, it’s made the job a lot easier. We got started on the ISO certification last year and it’s progressing nicely.
Any closing thoughts for the audience, Tamar?
Well, like I said before, cyber security should be on the very top of your list, not just in the top five. It should be number one on your list of priorities. Spend the money, do it right, because the consequences could be 10 to a hundred times worse.
Thank you, Tamar.
I think at that point, if you take your comment to the next level, it’s the decision do I build it myself? Do I bring in a partner to try to help me? Right? So if I make it number one, how do I then make everything that I need to happen happen?
The cyber security thing is a complicated – it’s not something that you try and attempt on your own. You’re better off bringing in the experts to help you customize the situation to your needs and requirements. The nice thing about DataEndure is you’ve got so many different vendors and they’re all under this big umbrella. And it is up to you guys to determine what is the best solution for us. What are the needs, define our requirements, and then you basically provided the tools that we needed to get the optimum result.
So to try and do it on your own, is it possible? Sure. But it’s very time consuming. It’s very costly. You need the expertise and you need a lot of time. For us, we didn’t have a lot of time. We needed to put those controls in place very quickly. And the one thing that works really well for us is the level of customer service that we’re getting. Because when we have an inquiry situation, whether it’s an emergency or something new, I mean, the response is immediate. You don’t have to wait a week or two to get an answer. In this industry you don’t have a lot of time, you need a response right away.
Thank you for that, Tamar. Obviously, we love hearing that our customers are benefiting from our service and support. So great feedback, and we enjoy having AssurX as a customer as much as it sounds like you’re enjoying being one. So, good all around. With that, we will close our February TECH Talk. Tamar, thank you again so much for joining us.
Shahin and I do these every month and the times that we have folks like you join where you can share your experience and what’s going on in the market are our most well attended and most interesting. So thank you very much for joining. With that, we will close out and see you next month. Thank you.