Interview with Richard Boyer, Vice President of Program Management of NetFrameworks

Richard Boyer is Vice President of Program Management of NetFrameworks. Rich heads the security training, security planning tools, and secure content management business practices and supports NetFrameworks' work in public key infrastructure, identity management, and Certificate Authority (CA) integration.

Introduce NetFrameworks.

NetFrameworks is a privately held, full-service technology consulting firm based in Washington, DC. The company has been in business since 1998 and its co-founders each have more than 20 years of experience in the technology industry. The company plans and deploys security best practices and security training for enterprise and government clients.

When was the company started?

NetFrameworks was created from the 1998 merger of two previous organizations, a security engineering and development firm and a security planning and implementation corporation. With this combination, NetFrameworks became an organization greater than the sum of its parts, with the expertise to engage a client at any point in the security life cycle, providing significant value and expertise.

How did it evolve?

Originally NetFrameworks was narrowly focused on the core technologies we brought on from our predecessor organizations. However, as time has progressed the company has increased its scope and is today intimately involved in all digital security technologies and services. As a result, today we might be simultaneously assisting a start-up in refining the user interface of a new authentication device, building a highly secure portal for a branch of the government, and working on penetration testing of a streaming media service. Additionally, NetFrameworks is now able to allocate more resources to helping the security community at large. For example, on our site CriticalSecurity.com, we publish newsletters and provide important resources for anyone involved in mission critical security planning.

What security services and products does NetFrameworks offer?

NetFrameworks specializes in comprehensive security planning, penetration testing, vulnerability analysis, incident response, audits, risk management, PKI, identity management, authentication frameworks, and security-related software development. NetFrameworks plans and deploys security best practices and training for corporate and government clients.

What challenges do you face in the marketplace?

The biggest challenge in the marketplace is getting organizations to understand that security is not just about putting locks on doors. Security is about planning and process, and constantly watching and reevaluating your situation. Too many businesses slap a firewall in place and think they are “secure”. This is dangerous because organizations get lax by assuming a good door lock is all they need, and they never check to see if the window is standing wide open. Once an organization realizes that security is a process, a business problem, and a risk management challenge that must be managed and not ignored, they see the potential impact to their organization and understand the range of vulnerabilities staring them in the face. Our marketplace represents those clients that, often with our up-front help, come to see this reality: the reality that security is not a feature or a product.

What do you see as your advantages?

We see ourselves as having several advantages. The first is of course our people. Our company is made up of many of the “who’s who” of security implementation and design. Second, we understand that security is not about throwing money at a problem; it is a three-way balance of cost against risk against usability. And lastly, we are not standing on our past successes. Security is a moving target and we are always running the technology footrace to keep up.

Who are your typical clients?

Our clients tend to fall into three categories. The first category is the organization which is either looking to build security technologies or to deploy that technology. These tend to be organizations that are developing the technologies of the future and lack the expertise or engineering to complete that vision. They come to us to get that development moved from paper to prototype or production. The second type of organization is one that has come to realize that security is no longer an acceptable afterthought. These are the companies that are looking to improve their own security, mitigate the risk in the case of an incident, or, more importantly, develop a strategy to bring security into the mindset of the people, processes and places of their business. The final type of client is the organization that tends to think on the far ends of the security scale. These clients are interested in protecting themselves to the utmost degree and are interested in making sure that no one (internal or external) can get past any barriers. They also tend to be the clients most interested in knowing the tools and techniques of security penetration to make sure they are insulated against those threats.

What are the biggest security problems you see your clients concerned about?

Our clients’ security problems are all about resource protection. Too many organizations simply are not able to effectively plan security into their culture. As a result, NetFrameworks CTO Eric Greenberg recently published a book, “Mission Critical Security Planner: When Hackers Won’t Take No For an Answer”, which is designed as a planning guide to help organizations embed security planning into the mindset of an organization. Security planners want to make sure that they have done everything reasonable to keep themselves and their clients shielded from security mistakes. Ultimately it comes down to keeping intellectual, electronic, physical, relationship and human resources intact and secure while having the business touch a larger and larger paying customer base.

NetFrameworks developed and deployed the PKI software and systems used for one of the largest online trading networks in the world. What are some of the difficulties you encountered?

The struggle with PKI to this day is about ease of use. Our deployment of this trading network was not only a struggle of technology but also one of human interface. When you deploy a system of this size and scope, success is not measured by technological ingenuity but by actual usage. The system was only a success if it was secure and trading happened between all of the system’s users. In the end we discovered that clever programming is no substitute for training, support and simplification. Having several thousand traders understand how to obtain, authenticate, authorize and terminate certificates was the hallmark of the system’s success.

In your opinion, how important is identity management?

I believe that identity management will play an increasingly important role in society as time goes on. Identity is becoming more than just who you are; it is what defines you in an increasingly anonymous world. When we started moving money between individuals electronically (credit cards, bank cards, etc.), identity went through an ideological shift. Identity was no longer defined by a local community’s knowledge of an individual, but by the vouchsafe given by a trusted third party. Because of this, suddenly we could interact at a commercial level with someone halfway around the world, but in doing so we reduced our identity from middle-aged father of three to a number and expiration date. As a result we are left with the challenge of protecting our investment in those third parties. And as a result, our management of our identity becomes ever more important.

What developments does NetFrameworks envisage in 2003?

This year we see a couple of things starting to come to the forefront. First of all, we continue to see identity theft (personal and corporate) continuing to rise. Secondly, we see that security planning will become a much larger agenda item on the corporate radarscopes. Increased corporate security liability and losses will spur increased class action lawsuits, forcing companies to recognize the importance of security. And lastly, we think that the corporate and government IT infrastructure within organizations, and the usage, management, and security of the data contained within that infrastructure, is going to come under much closer scrutiny as the year progresses. Organizations will increasingly realize that it’s simply too expensive and too risky to make security an afterthought. It’s better to plan it.