Alex van Someren, CEO and co-founder of crypto hardware vendor nCipher, drops in on the Techworld office in what he describes as his ‘fully-caffeinated’ mode. Buoyant, confident, and full of ideas and reflections on his many years in the computer industry (he’s 39), it’s just a pity that the van Someren state of mind can’t be bottled and sold. He answers questions with a good-natured forbearance but in truth he’s probably heard it all before from countless interviews in the past. Still, he appears to relish being put on the spot. There can’t be a technology CEO in the whole of the UK so keen to explain what he and his company stands for.
So we begin with the theme of the moment. Security has gone from being a worry of the justifiably paranoid – the military, financial services bods, the government – to being an issue that now confronts everyone. From the humble desktop computer user in the back room to a sysadmin working for any large company, everyone is now a target for computer terrorism. The bad guys may be 16-year-olds in a shack in Bulgaria, but they may also be trusted staff in your company thinking about selling batches of credit card numbers and personal details to the highest bidder.
If the threat is within your network, does that mean that the best security policy is just to get rid of staff who have exploitable knowledge?
Alex van Someren: That’s not logically valid. If you halve the number of people, you double the power of the remaining people. But you can’t afford to vest more and more power in fewer and fewer people. The right solution is to spread the risk. Now you [might require] that two sysadmins type in a password or sign purchase orders before allowing certain things to happen. Previously, you might have had five different sysadmins and each one of them had total power. The correct way to deal with the power concentration effect is to introduce redundancy. I come from the financial services end of the industry and it has been accepted for years that you have to have more than one person to open the safe in the morning. The really developed security environments – the military, government and banking – have all understood multi-party control. What we’re seeing is those concepts trickling down.
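The multi-party control described in the answer above (two people to open the safe, two sysadmins to authorise an action) has a standard cryptographic form: a k-of-n secret split. The following is an added example, not nCipher's code or anything the speaker described in detail: Shamir's scheme over a prime field, so that any k custodians can reassemble a key but k-1 of them learn nothing about it. The field prime, the integer share format and the 2-of-3 demo split are this example's own choices.

```python
# Added example (not nCipher's code): k-of-n control of a secret with
# Shamir secret sharing over GF(p). Any k shares rebuild the secret;
# k-1 shares interpolate to an unrelated value.
import secrets

# Mersenne prime chosen for this example; any secret below 2**521 fits,
# so a 256-bit key-wrapping key is comfortably in range.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n, rng=secrets.randbelow):
    """Split an integer secret into n (x, y) shares with threshold k."""
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]
    # Share i is the point (i, f(i)); x = 0 is never handed out.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0.

    The caller must supply at least k shares; with fewer the result is
    well defined but is not the secret (there is no error to catch).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # Fermat inverse: PRIME is prime, so den**(PRIME-2) == den**-1.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    # Constructed demo: a 256-bit key-wrapping key split 2-of-3 between
    # three administrators. Any two present can unlock; one alone cannot.
    kek = int.from_bytes(secrets.token_bytes(32), "big")
    admin_shares = split_secret(kek, k=2, n=3)
    assert recover_secret(admin_shares[:2]) == kek
    assert recover_secret([admin_shares[0], admin_shares[2]]) == kek
    assert recover_secret(admin_shares[:1]) != kek
    print("2-of-3 quorum: OK")
```

Note that recovery with too few shares does not fail, it silently yields the wrong value, so the threshold k has to be enforced by whoever combines the shares. The point of doing the recombination inside a hardware module rather than on the host is exactly that: the reassembled key is used inside the device and the individual custodians never see it or each other's shares.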
Techworld: Security feels like a strong theme right now. I would have thought that security shows would attract more interest.
I thought the InfoSEC show was exceptionally encouraging but the contrast with preceding security shows in the US was stark. The difference is that the market has always been different in Europe. There is always a timing difference about what is important to people in different markets. People’s spending cycles are different. Outside the US, people don’t allow world affairs to impact their behaviour. People in the US were profoundly affected by the war. That affected the conference circuit. My Q1 number was still 20 percent up on the previous quarter.
Security is incredibly expensive. Other areas of computing have become commoditised but this hasn’t happened in security yet.
You have a point. The generalised computing market is fully commoditised, indeed mercilessly cutthroat. In the security market, there just hasn’t been the maturity of the product to the point where it is easy to say ‘it’s just this thing I have to make, now all I have to do is make them cheaper.’ I think that is because the goalposts keep moving. What you are trying to achieve isn’t static. In the security environment, the threat model keeps changing. You have to deal with a constant elaboration of threats.
How does encryption hardware figure in all this?
It’s the same old story. What makes security hard isn’t the technology, it’s the people factor. It’s not ‘what algorithm do I use?’ but ‘how do I make sure the person on the other end of the connection has the key before the message he’s trying to decode gets there?’ That problem is much harder than just putting together the mathematics that makes encryption uncrackable. So why is security so expensive? What is being innovated in security is an attempt to improve the manageability and deployability of technologies that aren’t themselves changing all that much.
What about the accusation that security is oversold? What do you think about that dynamic?
I’m very dissatisfied with the idea of selling products because you make people scared that something bad will happen if they don’t buy them. I’m more interested in selling products where I can add some value. The nub of it now is ‘show me the return on investment’. I have to focus on reducing cost and risk. The media tends to focus on the ‘hackers will steal your credit card’ angle. In practice, it’s more likely that authorised employees with the right passwords will lift a whole tape with 25,000 credit card numbers on it. Mitigating the risk of that theft is important. So is dealing with the reputational risks to a business - what will the PR impact be if that commercially sensitive information is accessed?
Do you think the security industry will consolidate?
It is hard to see a reason why security is different [from any other]. It is unlikely that security is so different that it would justify not having the same outcome. The security industry is very fragmented. There are a billion things you need to do to protect your infrastructure. And you have to buy them from a lot of different vendors. It ought to be that the generalised stuff starts to become commoditised.
What is it that drives your products? The story of this year can’t be the same as last.
It’s about a series of layers. We started out with a product that just made cryptography go faster, then we added the functionality that protects the keys used by that crypto, then we added a layer that actually allows part of the application software to live inside our box. Now it can do the job more securely than that piece of software running on the host computer. It does more and maintains the price-performance curve.
But is there a law of diminishing returns?
Is the customer going to run out of problems that need to be solved? What people might ask for next is for a way of bringing together the management of devices in an organisation. The challenge is to make it simpler to maintain and upgrade. The trend is emerging where audit will start to encompass IT systems overtly – today it does it covertly.