DLT's Maclean On Key Security Trends In Federal Marketplace
Submitted by Sarah Kuranda on

What are some examples of those common holes you find?
Quite often, it's something as simple as patching a server. It's amazing how often people don't have a grasp of their inventory, by which I mean not just their physical devices but even the applications that they run...and just knowing the data and having a clear grasp of what their data consists of...For the most part I see the simple stuff being left undone, or not being done sufficiently.
Why do people leave that open?
First of all, it's funding, but a lot of these things are not inherently expensive to do. I think a lot of it is because there is an emphasis...to be compliant. You can be compliant without being secure. You can check off all the boxes and you can be in compliance with what the law expects you to do, but it doesn’t mean you're secure.
How does the federal market compare to the commercial market?
I'm less familiar with the commercial market because my whole career has been in the federal market, but as I see it the biggest difference is the impact and how the different organizations respond to an intrusion, which is inevitable no matter where you are...The companies' concern is naturally with the bottom line and the dollar cost of the impact. The government might recognize the severity of the impact, but there is not a dollar cost. Everybody recognizes there was a big impact due to the loss of data that Edward Snowden carried out, but I haven't heard of anyone trying to do a financial analysis of that, which would be the first order of business if you were in commercial. It's a different orientation... With the Sony hack by North Korea, now we're starting to see attackers hit both commercial and government without discrimination. I think we may start to see some collaboration with government industry with how to fend off these kinds of attacks that might be of benefit to both areas.
Do we need more collaboration between public and private sectors around security?
Everyone, government and private industry, is moving to the cloud because there's a lot of cost efficiencies there. The term I like to use is there's no silver bullet to fix these problems, but there might be some silver buck shots. Much of the orientation of security in the past has been around the authorization boundary of the security perimeter...But, as technology changes it becomes much more difficult to define that perimeter...It's more about defining what your data is and what you're actually protecting as opposed to where it is.
How does that affect a company like DLT and how you take solutions to market?
What we try to do is we look at vendors, we look at their solutions, we look at how they are anticipating security trends, which are always in sync or always heavily influenced by general trends like cloud...and endpoint security. How does this affect the product lines and strategies that our OEMs are developing and setting forth? Are they moving in the right direction as we see it? Are they responding to their customers' needs? Right now, we have foot on two platoons. One is getting the basics in order...but also let's make sure that we anticipate the more sophisticated needs that are popping up as a result of these vast changes in technology: big data, cloud, bring your own device, that sort of thing. We like to look at companies that are aware of these kinds of things and will be ahead of the curve...In other words, [at DLT we are] positioning ourselves to meet the security needs of the marketplace and to make the marketplace aware of what they need.
What big challenges do you see in the security market right now?
First of all, I don't want to hammer it home too much but just the basics, just changing the culture so people address the basics and get the fundamentals in order. That's a cultural change...You're trying to mitigate bad human behavior of people attacking you with good human behavior by implementing new technologies properly. To me, that's the biggest issue is just changing the culture and the attitude to get people to say we can do this and we should do this. Compliance is not enough. I would think that's the biggest challenge...I think it would also be useful for a lot of organizations to take a look at actionable metrics for the effectiveness of their security programs so they can show they are doing a good job...It's hard to do that without hardcore metrics. Those numbers are around, but someone needs to identify what they are and find a way to present them to senior management so they can free up the money.
This sounds like a lot on your plate, do you see it as more of an opportunity or a challenge?
Both. There's an opportunity to promulgate security in a big way and to sell a lot of these products that will be genuinely useful. The challenge, of course, is to convince them that it will be useful and to convince the powers that be of their necessity and their effectiveness. That's where metrics come in to show that they're effective both before procurement and after procurement. That's where you buy credibility for your program and your security tools.