Consultancy IRM might look small on paper, but its chief executive has big plans. And he reckons the vendors' time is up.
Talking to Charles White, I can't help but think of Barry Levinson's 1987 comedy Tin Men, in which Danny DeVito and Richard Dreyfuss play a couple of feuding hucksters who flog aluminium siding to gullible homeowners. In most cases their customers are helped into buying cladding they don't need by some dubious, if funny, sales techniques. Not that the chief executive and co-founder of Information Risk Management (IRM) is in any way suggesting that the vendor community uses sales ideas akin to those of the celluloid tin men, but he does dismiss many of the solutions on offer as "bits of tin".
He's not alone - there is a growing feeling in the industry that the tin is becoming relatively unimportant, and in some cases completely unnecessary - but White is more forthright in his view. His direct approach befits his physicality. His shortish frame has the solidity of a rugby hooker and matches his head-on confidence. He powers into the IRM boardroom to meet me, strident business casual, delighted to see the abundance of sandwiches and fruit his staff have arranged.
Since 1998, White, along with his business partner David Cazalet, has been building IRM into a vendor-independent risk management consultancy, now some 45-strong with offices in London, Hong Kong and Philadelphia. He has a history in technical consultancy and what he describes as an "entrepreneurial background". He worked in the software department of Links Technology for nearly ten years and then left to set up his own business, which he claims was the first switchless reseller within the telecom market in the UK.
So White has been around, seen a lot and is entitled to his opinions, and his independence is important to him. It's not so much that he's bored with technology; he just feels it's time to move on. White doesn't like the term information security much, let alone IT security. He prefers words such as risk and management, as you might have guessed from the name of his company.
"Information security implies guys in lab coats down in the basement somewhere, playing with incredibly expensive lights in a flashing cabinet," he says. "Information risk suggests looking at the whole gamut of information and the dangers it is exposed to," he explains.
So one place where you won't see him is the annual beanfeast known as InfoSec, where hundreds of vendors gather to sell pretty much what they sold last year. White is adamant that, for him at least, it's time to look beyond all this. "I question what value this show has. We don't exhibit there, because I'm not sure we would engage with the right people. The great and the good will go to meet people and have a look round but they pretty much know what's out there," he says. "I respect the vendors, but it's just flogging lots more tin and lots more - whatever."
He adds that the market for products is much greater than for the consultancy side. This may be stating the obvious, but there are signs that the balance is beginning to shift. "People are not looking to deploy some clever piece of technology to be the answer to all their problems (anymore)," says White. "They realise they have to tie together what they've currently got in a better, more constructive way."
He points to the payment card industry standard (PCI) as an example. In White's eyes, if you're a tier-one merchant, you will have to conduct a complete audit from start to finish. And that, he insists, doesn't come out of a shiny box.
And, like many others, he doesn't see the situation improving in the near future; innovation is not a word overly associated with the IT security vendor business. "I don't see people within IT departments doing much product evaluation, as they used to do," he says. "I see people actually getting on with the job and making the whole thing sing better. There's still an awful lot of duplication within the big organisations of data going from A to B, and then to point C, and sometimes having to be input again."
It's not just the aversion to tin and those who flog it; White goes on to explain that people are tired of getting technical reports because these don't mean anything to the board. He says that his experience, and that of his clients, shows the message is finally getting through.
"We are very lucky that within our client base, and we are perhaps at the top of the food chain, most of the CIOs or CISOs we come into contact with are pretty enlightened people. Where those guys are given credence at board level, they're being listened to, they understand the environment they're in and, more importantly, they're coming at information risk from a business perspective," he adds.
You get the impression that White has no time for geekspeak, or the elitism and breed-apart mentality so drearily maintained by IT people up and down the land. He is scathing about their business abilities and believes that, to date, very few CISOs are on the right wavelength. "It's a case of 'actually, can you translate that into business speak because that's what the serious people understand'. They want a degree of business impact analysis and understanding. Being able to show some clever SQL vulnerability is not terribly exciting."
He claims that there is a general change away from information security being part of the IT department's remit towards aligning it with the business mainstream. "We've been in this market for seven years, and I see a real shift. In the heyday (of IT security) it was very much about penetration testing and being able to demonstrate that XYZ vulnerability existed, and people were in awe. You used to see hacking demos at every exhibition because people still couldn't believe how clever it was - it was like a black art. And people paid good money for it."
In White's eyes, much of the IT security business is made up of a large number of "very, very small companies with pretty good technical people, which are doing great technical work". Then comes the killer line: "And they may have half a dozen accounts."
"That keeps them satisfied," he adds, "but what the bigger corporate businesses are demanding is to go much deeper than that: they want to understand risk from the perspective of the IT estate, not that piece of kit here or that particular application there."
White claims to have a roster of clients that includes all UK mobile phone operators and major banks. Behind the talk one suspects that White is extremely ambitious. And in his sights are the big four management services organisations, no less.
He bridles at my suggestion that IRM is a small consultancy. Is he serious? Yes, despite his team of just 45 he thinks IRM is bigger, because it doesn't waste its resources. Here's his logic: "A man goes to PricewaterhouseCoopers (PwC) and asks: 'Why has the M&A report leaked out and cost me £100 million?' It's at this point that the PwCs of this world suffer; they can't do the granularity and turn it into a report the board members can understand. We have different people to do that," White says. "Our skill is being able to take an issue from the business level through to the executive management level, through to IT, right down to the deep and dirty network scans, the maps and the rule base; even the code. We can do that," he continues.
And, according to White, IRM is capable of much more, including protecting its clients against the biggest threats to continuity. He gives an example of exercises IRM has run with clients in Hong Kong to put in place core plans in the case of avian flu. "Business continuity is just another layer within information risk. The area of work we do with clients at the moment is in business impact analysis. We look across an estate and at systems that matter," he explains.
"Too often, big organisations have done business impact analysis-type scenarios where the questioning hasn't quite been right. And, as a result, what they've got back is that everything in the estate is really, really important. Well, that's hopeless." He illustrates the point with a project IRM did for BAA. There was no way, with so many systems, that the airport operator could go into granularity with each one, he says. So instead BAA went through a very clearly documented, prescriptive business impact analysis process to hone down which ones mattered.
So if he's looking for a new level of creative thought and intelligence from his clients, what does he expect from the people he hires? They must be something special, given the emphasis on the shift to the business end. For the first time, White is less positive. He pauses before answering. "We have an awful issue recruiting people here," he concedes. "There are not very many people who can transcend technical and business spheres.
"And we need people who at least can show an inkling that they've got the ability to do that. Technical people are fine if you put them in a room with another technical person from a client. But we don't really want to be engaging at that level; we want to be engaging further up."
To prove the point, the company has a full-time human resources manager, whose main job is to find the right people. White admits the difficulty in finding the right staff will frustrate his drive to grow quickly. (In case you're wondering, you will still need a degree in information security.)
It's clear that White is quick to point out the trends and shifts occurring in information security, but he is also smart enough to exploit them. For example, take the push for everyone to take responsibility - anyone who deals with information needs to realise that they have a duty to protect it; most obviously when it comes to consumer credit data.
"The onus of identity theft, quite rightly, is moving away from the credit card companies and down to the merchants. You store it, you look after it; you don't look after it, you'll be fined. And for once in the life of information security somebody, somewhere is saying, do it, or you'll pay - and we're talking millions," he says. "And that's fantastic, because now it's no longer a case of a big company losing your credit card, keeping it quiet, and hoping it goes away. Without question it'll get into the press. I welcome that. And it's the ones that have never really taken much interest in information security that will be caught," White concludes, with some relish.
DeVito and Dreyfuss eventually found themselves out of luck, out of favour and out of pocket. Pushed to the wall they had to change or adapt. If White is right, the tin men of IT security may have to do the same.
1964-85 Born in Leamington Spa. White gained a degree in hospitality management and was a graduate management trainee at Trust House Forte 1985-94 General manager, services consultancy, Lynx Technology 1994-99 Managing director, Future Datacom 1999 to date Co-founder and chief executive, Information Risk Management
Other interests Member of the Information Systems Audit and Control Association
SHRINKING WORLD - WHITE ON CONSOLIDATION
There will be a degree of consolidation within the consultancy market. IRM can probably purport to be the largest independent information security consultancy in the UK. But at 45 to 50 people, we're not that big, and by implication all our competitors are significantly smaller than us. So where you've got a lot of very small players like that, it makes sense that there will be a degree of consolidation.
On the other hand, clients like to be able to rotate consultants. They like to call in company A to look at the design and then company B for the post-implementation. And they'll rotate them happily through that. So there still needs to be space in the market for two to four companies.
But I don't know how that will manifest itself. There are a lot of good, young guys who have come out of GCHQ, IBM or another consulting company and are making a reasonably good living out of doing security consultancy. But as the stakes go up, as the likes of PCI start dictating that if you're going to do audits, you will have to accept unlimited liability, then it may change.
When the bigger clients start demanding high indemnity insurance it raises the barrier of entry to an awful lot of companies. When they can't make any money out of this anymore, that's when consolidation will happen.