Interview with Marc Vaillant, CEO of Criston

Since the start of his career, Marc Vaillant has always worked in the high-tech sector, holding positions in companies of various sizes.

Before joining Criston, he was Chief Executive Officer at MobileWay and Vice-president of marketing at iCelerate.

What do you see as the biggest security threats today?

In IT security, the biggest “threat” has always been the end user. While IT security teams are fighting everyday to keep the data safe by isolating the network with latest security technology, end user will be the one that will “forget” an opened window! Today, users have become more and more powerful and their development skills are growing.

The increasing complexity of the client systems they require, as a result of their global distribution and heterogeneity, is in itself more dangerous than any single threat.

In the past, it was possible to protect client systems manually, on an ad-hoc basis. But now, with their considerable size and scope and the need to make more frequent upgrades for operational or security requirements, any client systems that is not proactively and consistently monitored and managed is in danger.

How important is patch analysis in the overall security architecture?

Contrary to antivirus that defends the systems when an attack occurs, patch management allows a proactive security policy: cover the breach before the attack happens.

This being said, the cost of patching is very high, and therefore IT managers should not adopt a “deploy all patches on all systems” approach. Proper analysis is needed to determine which patch is required on what system, and this is what Vulnerability Management brings.

What is, in your opinion, the biggest challenge in protecting sensitive information at the enterprise level?

The biggest challenge is to control “ALL” the flow of incoming/outgoing data from the IT system without blocking end-user productivity. The threats comes from remote access or data corruption vulnerabilities, and third party devices that are pluged to the network (nomad laptop, USB key etc.), and it is sometimes difficult to know which flow is regular business and which is not.

In your opinion, can one really calculate security ROI?

Security ROI is obviously difficult to calculate since it relates to how much one stands to lose rather than how much one will gain. IT disasters costs are easy to measure after a security breach, but the real trick is to balance the IT security investments against the risk exposure.

To evaluate the security level against the threats, you need to evaluate the risks against the IT security investment, and consider more than the sole licence cost of this investment: does it require IT staff training? How long is the deployment time? How many man-hours does it require to be implemented? Does it include paid-for functionalities that you cannot use? Does it require additional application re-configuring? Often, our clients tell us that their first problem is not to evaluate the cost, but their exact need versus their infrastructure.

Based on the feedback you get from your clients, are there more internal or external security breaches?

External security breaches can be easily covered with a well configured firewall. Internal breaches represent more and more risk, as they can be exploited from worms, spywares, viruses that are inserted into the company through e-mails, USB keys, Wi-Fi, laptops etc. Moreover, targeted attacks are increasingly common, and most often exploit internal breaches.

As we all know 99% of all successful external attacks take advantage of known vulnerabilities, misconfigured and poorly administrated systems & processes. What is less known, according to the Gartner Group, is that Organizations that implement an effective vulnerability management program will experience an 80% reduction in successful attacks (0.8% probability – Gartner September 2006).

Where do you see the current security threats your products are guarding against in 5 years from now? What kind of evolution do you expect?

Software will always contain vulnerabilities, and hackers will always do their best to exploit them. But the danger will come from the reduced time between the discovery of vulnerability and the first exploit. This will require tight integration of vulnerability management and remediation solutions, as well as on-demand scanning of systems for network access control.

What are Criston’s strengths in the market? How are you building on these advantages?

For the last ten years, our expertise has been both in the Infrastructure and Security fileds. Therefore, we are a key driver of the convergence of these two areas. Today, we are the only provider delivering the following four critical services, either in one single fully integrated solution, or individually through individual modules of the complete solution: scanning missing patches, deploying patches, scanning configuration issues and fixing configuration issues.

Customers using our products can answer truly business-critical questions relating to their infrastructure and its security, such as: do I know my Infrastructure? How do I check device health before connection? How do I support mobile workers? How fast do I react to vulnerability disclosure? How do I deploy security policies? How do I secure your USB ports? and many more! Because we have developed our solutions upon one single intelligent agent technology, answering these questions and solving the issues can be done on one single console, with one single database. For our clients, this reduces deployment and costs complexity and increases the manageability of the entire solution