
Interview with James Rees of Razor Thorn Security


CTC: James, tell us a bit about your background and about Razor Thorn Security?

I have been in information security and IT now for over 15 years. Much of that time I have been a consultant for various consulting companies, though every so often I have worked for single companies directly. To date I have worked in pretty much every sector out there at some point or another, as well as with many of the Fortune 100 companies in the world.

Razor Thorn Security was born in 2007. In the early days I primarily used it for freelance work, but it became a company in its own right in 2010, and ever since it has been growing steadily into one of the best information security companies in Europe. Both the guys I employ and I myself are very proud of what we have done.

Today we provide a varied list of consultancy services to a number of high profile clients, some of them cloud security organisations. In all cases we are there to protect the business's most critical assets and ensure that an organisation can understand and react to threats to its wellbeing. The best way to describe what we do in one sentence is: "The First Rule of Business: Protect your investment" (Etiquette of the Banker, 1775).

CTC: What is information security and why should we do it?

Information security is greatly misunderstood; many business people, and more than a few IT people, think that it is some form of witchcraft to do with IT. In all honesty you could not be more wrong. My definition of information security is thus:

The management and proactive planning for the protection of business critical assets, be they logical, physical or digital, from risks and threats that could adversely affect those critical functions.

The other important thing to point out, especially to those companies that provide some form of service to the public or some sort of managed service, is that customers will expect at least an excellent level of security from their providers. This is something that you had better get correct early on, because if you do not then you are opening up your organisation to all kinds of threats to its brand, revenue streams and operation. Too many organisations only pay lip service to the security of their organisation, and those same companies usually at some point wind up getting burned badly for it, and these days it's commonly very publicly done through the media.

CTC: Information security sounds like a nice-to-have IT thing, doesn't it?

IT is a large part of information security, but only because it is the singular asset in our modern business world that allows an organisation to operate efficiently and effectively. Information security when done correctly also covers a whole list of important aspects such as:

  • Governance and Compliance (PCI DSS, ISO27001, SOX, etc)
  • Process and procedure (Information security policies, etc)
  • Logical Security (Data Management, incident response, business development, etc)
  • Physical Security (CCTV, Access Control, etc)
  • IT Security (Antivirus, Firewalls, server/desktop, etc)
  • Business Continuity / Disaster recovery

Many of these have a great deal of IT involved in them, but each also carries extremely complex business considerations that need to be taken into account. One of the things that inexperienced information security people get wrong is putting in overzealous technological and policy/procedural controls that hamper a business from operating efficiently and effectively. It has been a big problem and has led people to mistrust information security professionals due to bad experiences in the past.

At Razor Thorn Security we always look at adequate security based on the business needs rather than the technology of the moment. The business must always come first, but that is not to say, however, that it cannot have good and effective security…

Our clients love the approach, and we have built a number of long term and excellent relationships because of this.

CTC: What about compliance such as ISO27001 / PCI DSS? What is the hype about?

Compliance is currently the key to getting into the major contracts as a service provider, especially in the cloud arena. There are a few undertaking this at the moment and doing very well out of it, but there is a fair bit of room for more.

In the current business markets with the cloud, you would be hard pressed to get the larger potential clients to sign up to your service without being able to prove you are compliant with one or both of those compliance requirements. Companies looking to move to the cloud are very concerned about the security of their systems when moving to a third party, and they want proof that your systems are as secure as possible before they are willing to agree. Too many service providers pay lip service to information security or think it's only restricted to the IT side of the business. The unfortunate truth that service providers tend to find is that when they are challenged to show their levels of security they can't, which means the potential customers commonly lose faith that service providers can supply them what they want.

PCI DSS is the big boy here. If you want to get into a market where your potential customers take card payments, it's most likely this is the area of their business they will want to move to the cloud, because of the cost of the overheads of maintaining the security requirements. Mark my words, there is an extensive opportunity for companies that are accredited and can prove it…

CTC: Tell us what your average day entails.

I have a very busy company, but when I am not on a client site and am in the office I usually get to work at about 07:00 – 07:30 and spend the first few quiet hours writing articles. I write a lot; it's my passion next to information security itself, so combining the two is an excellent use of my time. I have done a lot of work on cyber warfare, cyber security, compliance, etc., but I am also developing papers on the application of information security in emerging technological fields such as biotechnology and nanotechnology, as well as a number of other future technologies, as these will be an important part of our lives in the next twenty years.

From 09:00 / 09:30 until 14:00 I tend to work on clients, be it advisories for our consultants out in the field who need some assistance, or working on client offerings. I find I always work best between the morning and early afternoon when creating content.

In the afternoon, between 14:00 and 18:00, I tend to take conference calls and talk to existing and new clients about service offerings, etc. The afternoon is my favourite time for doing this.

Evenings I relax, spend time with my wife and watch horror and/or sci-fi films, as well as regularly getting savaged by my wife's pet rabbit, who hates me with a passion for some rabbit reason…

CTC: What is your view on cloud computing, and where do you see the marketplace heading?

This is a tough one. Cloud computing is the most recent paradigm shift in the application of technology in the business world and a very important change in the way that we have managed our technology in recent years.

More and more businesses are looking to save on their costs and reduce overheads by shifting key infrastructure and services over to cloud models. In the next few years we will head down a similar direction to our American cousins and a lot of public and private organisations will move to the cloud.

Companies' adoption of cloud technology will depend on three key factors:

  • Cost
  • Security
  • Reliability

The only problem I see currently is that few European cloud vendors can prove to prospective clients that they are both secure and reliable.
Customers are rightfully being very careful in moving to the cloud. In effect they are putting all their faith in a technology delivered, maintained and secured by a third party, so they will be very cautious.

From talking to most of the key cloud players in the business, I can see that the realisation among cloud suppliers that information security is a key selling point has begun to occur, but in many cases they are looking at it from an IT perspective rather than a business perspective. This, in my opinion, needs to change fast if European cloud suppliers want to ramp up their sales.

There are a lot of suppliers out there, but very few that take security seriously. In my opinion, if you want a good solid long term business that will survive to be a key player in the cloud industry, then you NEED to start understanding REAL information security, and you need to do it quickly.

The one thing I can see right now with 100% clarity is that at some point in the next year or so, one of the larger cloud vendors will have a catastrophic security event that will destroy their brand and reputation. It will be a wake-up call for the survivors; the question, however, is who will it be?

CTC: A question we always ask: what is your definition of cloud computing?

Argh, this is something I hear people debating a great deal. My definition of cloud computing is thus:

"Any service(s) delivered to an entity from a collective computing resource over a network connection (including the internet)."

CTC: If you could change one thing in the world, what would it be?

Develop both cold fusion and hydrogen fuel cells. We have a rubbish energy system at the moment, dependent on a mineral slime.