When Brian Honan started his information security consultancy thirteen years ago, most of his conversations were with those in charge of IT and/or IT security within an organization. The focus of these discussions was usually on the technical aspects of security, while the policy and governance side was seen as a compliance headache.
“At the time, you were lucky if you managed to speak to anyone at the CXO level, unless it was the CFO trying to get you to give a discount,” he told Help Net Security.
“But now that many businesses realize how dependent they are on IT and the Internet, they understand that security is a business issue that they need to manage accordingly. Hence, most of our conversations with clients are now with their senior management team, their audit committees, and/or their boards, as they look for us to guide them in how to manage this significant risk to their business.”
An “accidental” career in information security
Like many industry veterans who are near his age, Honan fell into information security more out of chance than by following a pre-determined career path.
He started his working life as a clerk in an insurance company, where an opportunity arose in the IT department for someone to support a WANG mini system and those new things called PCs and Local Area Networks. Over time, as PCs took a more prominent role in the organization, his role evolved into ensuring the reliability and security of the computer networks.
Then a virus struck the company’s systems, and the challenge of dealing with that first outbreak piqued his interest in the security field.
“I was extremely lucky to have worked with some fantastic people, who willingly shared with me the experience and expertise they gathered by spending decades securing mainframe systems. I applied the lessons they learned to the brave new personal computing world and, naturally, had to develop ways to keep the evolving information technology secure.”
Striking out on his own
Founding BH Consulting and keeping it rolling was a rollercoaster ride: the nervousness of the first solo steps, the excitement of the first engagements and cheques, the disappointment of not winning over potential clients, the humdrum side of running a business.
But the company survived – both those early roller coaster years and the financial crisis that hit Ireland hard in 2008 – and thrived. It currently numbers ten full time employees (eight of them are infosec specialists), three part-time infosec professionals, five associates working on client projects – and they are still on the lookout for more junior and senior consultants.
“When I started BH Consulting a mentor said to me: ‘Brian, to be successful you need to find a niche in the market, but you also need to make sure that there is a market in that niche’,” he explained the logic behind the company’s evolution.
“I’d like to think that over the years BH Consulting has built a reputation as a partner that can be trusted to deliver to the clients’ requirements, whether they are small firms or enterprise clients. We often get to see the business challenges they face or are about to face and, after identifying their areas of concern, we look at how we can help alleviate those concerns. If enough clients have the same type of challenges, we see if we can develop a service to address that challenge so that we can offer it to all our clients.”
Life as a CEO
Trust is also the one thing that a CEO in the cybersecurity field can’t do without, Honan noted.
You need to be able to trust the information you rely on, the systems you depend on to protect that information, and the people you work with. Building that trust takes time, and once achieved, maintaining it requires continuous work.
Another important lesson he has learned is that one should always be willing to learn and listen to others.
“There are so many people in our industry who are willing to help others improve their knowledge and that is what makes working in this field so enjoyable. So don’t be afraid to reach out to others to ask for help, don’t be afraid to offer your insights and expertise to others so they can learn,” he urged.
He has also found blogging, attending and speaking at conferences, and Twitter to be great ways to learn more, expand his network, and help spread the ethos of BH Consulting and how they like to work.
“My biggest goal as we grow is to maintain our reputation for quality and trust, and to ensure that BH Consulting remains a place that people enjoy working in. I firmly believe that if you invest in your staff and look after them, then they in turn will look after your customers. Without skilled, motivated, and happy staff we won’t have happy clients, so my goal is to continue to build on the great team that we have.”
The information security industry
The big draw of information security is that work is never boring. It can be frustrating, thankless, it can even sometimes seem hopeless, but it is never boring: technology is evolving, new risks are introduced, and challenges are never-ending.
“Working in the information security field also enables you, in a small but significant way, to improve the lives of others,” Honan pointed out.
“Every system we secure, every virus we block, every attack we prevent, every user we teach to stay safe online, every policy maker we educate on how to better protect our society – these are all ways we make the Internet and the world a better place for others.”
This wish to help others lead Honan to found IRISS, Ireland’s first Computer Emergency Response Team, in 2008. He also became a Special Advisor on Internet Security to Europol’s European Cybercrime Centre (EC3) in 2013.
Despite all his years in the information security field, he managed to remain an optimist. But there is one thing about which he has grown cynical: new, flashy technologies and silver bullet solutions.
“Experience has shown, over and over again, that it’s not attack sophistication that gets attackers in, but the fact that the basic defences are not implemented properly. So, our approach with our clients is to focus on the basics and get them right. Once that’s out of the way, we look at what gaps they have and identify what solutions may help plug those gaps.”