Interview: Nissim Bar-El
Comsec's founder and CEO is bullish about his chances of turning the Israeli consultancy into the world's biggest infosec player.
Comsec is not yet the biggest name in information security, but it has every intention of becoming so. It was founded in 1986, claiming to actually invent the terminology of information security at the same time. It was a different world then: no internet, no networks, no open systems. The PC itself was only five years old.
Today, Comsec Consulting provides its services internationally through six offices in Tokyo, London, Amsterdam, Istanbul, Warsaw and Tel Aviv. Its clients include some of the world's biggest and best known companies including AIG, Virgin mobile, Citibank and Tesco.
The driving force behind Comsec is the charismatic and voluble Nissim Bar-El. A self-styled "Mr Security", he is the company's founder and current CEO.
I met him during one of his regular trips to London in the faux classical surroundings of 1 Lombard Street, a packed City restaurant that rattled with the chatter of well-dressed and, presumably well-heeled, financial movers and shakers. An environment that Nissim seems very comfortable in.
So what makes Comsec different? Bar-El is not the shy, retiring type, so his answer is unreserved. "We decided from the beginning that we would operate as an independent firm not related to any vendor," he says. "We were always at the cutting edge of technology and published the first articles about the internet when no one knew about it. We also published the first methodology for information security in the new world of connected networks. And every year we have invested between 15 and 20 per cent of our turnover in the research and development of information security."
This independence and commitment to innovation, it soon becomes clear, is not just based on a determined self-belief, but also on a conviction that information security is less about vendors and technology, and more about intelligence and pushing the case for security to be integrated into business. For example, Comsec has a permanent place on the information security committee of the International Chamber of Commerce (ICC). "And (being on the committee) is no easy task", he points out. "It costs a lot of money, resources, and travelling time - four times a year just for meetings at the ICC in Paris."
Then there's the UN-sponsored World Summit on the Information Society, to which Comsec also lends its intellectual know-how for the sections on security.
Undoubtedly there's a global outlook and ambition that characterises Bar-El's answers. Is it an Israeli thing, I wonder, coming from a nation at the epicentre of the world's most combustible region. A small country, never really secure in its own backyard yet, paradoxically, with an extraordinary influence on world affairs. So does the political situation in Israel give Comsec an edge, whether they like it or not?
"Security is a way of life in Israel, unfortunately," says Bar-El. "I wasn't sure I was going to mention it. In two ways it's an advantage, but in another it's a major disadvantage. It's good because the knowledge is there - look at all the Israeli companies: Aladdin, Check Point, Finjan etc. Just by being there we are exposed to all the latest products.
"The second advantage is that we are implementing information security as a real and basic need of a nation. So we push it to its limits," he explains.
Then there is the obvious downside. "The main disadvantage is being an Israeli company. In some parts of the world, as an independent consultant, some will still look at us as the long arm of Israel. So of course, Israel has diplomatic issues with Arab countries, and with Islamic countries, which means we can't work there," he adds.
But, Bar-El points out, as Comsec has grown globally, it can now supply non-Israeli consultants from its subsidiaries in the UK, Japan or the Netherlands. "We have an office in Tel Aviv, so we take all the advantages and try overcome the disadvantages" he says.
Even without Middle East politics, Comsec's consulting model differs a little from some of its US or European rivals. While some are acknowledging that security can be used to gain an edge, Bar-El more radically views it as the main business driver, just as IT was in the 1980s and 90s.
"We now see more and more clients, who say: 'yes, we know we have to secure ourselves.' But taking a comprehensive approach to securing an organisation is about more than just keeping bad guys out of the organisation," Bar-El insists. "It's a question of how we can offer better services to the good guys and ensure the bad guys won't disturb us doing that.
"Many of our consultants come from technology, from compliance, risk management, from all kinds of qualifications, as engineers, computer science. But each will be trained in the industry sector they will be working in, for example banking or insurance. This way they understand the business need of the customer."
Comsec's approach took some time to bed in. "This is something we started six years ago, and people didn't get it. 'How come you are sending your computer engineers on a course in trading bonds and the Stock Exchange,' we were asked," Bar-El recalls.
As an example of the effectiveness of this way of working, he mentions a large insurance company with branches across Europe and Asia, which was told by Comsec that it could supply a much better service with the same investment.
"They asked: 'But would we still be secure?' We said: 'You just have to invest it in a different way and, instead of putting in all kinds of barriers, maybe you can secure your application and then open it to the whole world.'
"This way of thinking is becoming more common, but still no more than 25 per cent of our customers use it at the moment. Most of them are still looking at security as a kind of barrier, and just keeping the bad guys out. The UK is a bit more advanced than others, however," says Bar-El.
If you like the sound of this approach and are tempted to send off a CV to Tel Aviv, there is something you should know. Don't bother if part of your experience was gained on the dark side. "We don't employ ex-hackers. A criminal is a criminal, is a criminal, and we never know when they will change again," says Bar-El, abruptly.
However, consultancy would seem the place to be if El-Bar's dire predictions for the vendor community come true. He is convinced that most of the vendor community will be absorbed by the largest IT players - IBM, HP, Oracle and Microsoft. And that's that.
"What is coming into the market is a new concept, in which the large IT organisations will include all aspects of IT infrastructure, of which security is a part," he predicts. "Two years ago when I was claiming that in my presentations, I didn't have too many examples. I used to explain that this is the only way that Microsoft can continue to act as a monopoly. And then IBM acquired ISS - a company that supplies a single niche product in intrusion and detection, but still IBM invested a few billion dollars. I think the events of the past year have proved me right. We are happy with this consolidation, because it will require independent consulting firms to work in full competition with IBM and Microsoft."
But it could be a risky strategy for some, he thinks. "There are dangers for those vendors that look to get bigger through acquisitions. Symantec bought Veritas, but what value did it add to Symantec? A $40 billion business bought a $20 billion company, and the market cap of Symantec today is still $40 billion, so where did the $20 billion go?"
So does Bar-El feel Comsec is in a position to take advantage of all the current movement in the vendor community? As ever, the answer is firmly in the positive and includes aggressive expansion plans and a mysterious acquisition in the UK, a market Comsec sees as vital to its own plans and in terms of moving information security forward.
El-Bar says that Comsec will invest "hugely" throughout 2007 and 2008, in new markets and regions not yet on the Comsec radar. Much of this money will go into the UK, a country he visits virtually every month to meet new and existing clients. Of course much of the attraction of our shores lies in it being Europe's most important financial centre, but it is also seen as a springboard into the rest of mainland Europe and beyond.
"We have a plan that has already been approved by our board of directors, to spread our presence to other places in the world, and strengthen our presence in technical and organisational aspects," he says, somewhat vaguely.
"The UK is an important market for information security, because it is central for the global economy. It is a kind of bridge between the US and the Continent in one sense, and increasingly between the English-speaking countries in Asia, such as Singapore and Hong Kong. That's why we regard our operation here in the UK as the most significant one." he adds.
Good news for the UK, but what of Comsec itself? How does Bar-El feel it will develop? When I joke that he is still a young man, he seems ready to believe it, as if he had only just started on his quest to become the biggest information security consultancy in the world.
The model for this is not another security company, but the McKinsey group, founded in 1926 and famous for turning lame duck companies into star performers. The choice fits with the theme present throughout our conversation; a man driven by business techniques rather than applied technology. Just like James O McKinsey, Bar-El wants his clients to get bigger, so his own business will grow. How long it takes is less important.
"If we can make it in five years time that's great. If we make it in ten years time that's also a good achievement," he says. "But more importantly, we need to educate the market that the services of consultancies truly enhance the profitability of an organisation."
It's time for the bill and for Bar-El and his party to leave for a meeting with a client. Before we step into the November London day, he signs off with a flourish: "Make no mistake, technology is one issue, but consultancy in information security must be about taking care of your client's business. Properly."
NISSIM BAR-EL - The CV
1949 Born in Israel
1970-73 Head of research and development department, Motorola
1976-1982 BA in Business Management and Economics, MBA; Bar-Ilan University, Israel
1978-1986 Chairman and CEO, Electronic Security Systems/International Future Technologies
1986 to date Founder and CEO, Comsec Consulting
Other roles - Member of various information security committees, including the Israeli police force, Banking Association and Ministry of Justice
The obvious answer as to why Israel produces a high number of information security companies is that it is a country that values security more than most and thus benefits from technical innovation.
But that's only half the story. Through deliberate government economic policy, Israel has the most highly developed IT industry in the region - in comparison, its immediate neighbours are decades behind. According to the Israeli foreign ministry, the country's fastest growth rates (around 8 per cent annually in recent years) are to be found in the high-tech sectors, and 4.8 per cent of the country's GDP is spent in the sector.
The statistics are impressive: high-tech exports have risen from £1.5 billion in 1991 to £9.5 billion in 2005. While the UK frets about the decline of science in schools and colleges, a healthy 27 per cent of Israel's students enrol in science and engineering courses at university.
Israel has also forged active technical alliances with many western countries, including Britain, Germany and the US. The country now has a growing number of tech firms listed on Wall Street and is rapidly emerging as a regional economic superpower, as well as a military one. It lies at 36 in the ranking of global economies according to the Word Bank, a rise of 12 places since 1984.
The determination of successive governments and its people mean that there is much more to Israel than simply defending its existence.