After winning Security Solution of the Year at the recent European IT & Software Excellence Awards in London, Northdoor is on firm footing going into 2022. Here, chief commercial officer AJ Thompson talks about securing effective partnerships, enabling a better approach to security and adapting to the ever-changing threat landscape.
What does this award mean for you and Northdoor, and what is it an indication of in the industry?
It’s a recognition that we’re on the right track. The biggest risk clients have is not necessarily from their own actions but from those of their suppliers. Being vigilant about supply chains is critical. More than half the breaches last year came from them, and it all kicked off around GDPR. Working with the Salvation Army has shown us that there are people who assess these things properly and it can have significant improvements in their security space and in their recognition for doing the right thing for the business.
Touching on that, how is the Salvation Army seeing benefits after implementing your RiskXchange solution?
They knew they had a problem. They’re a big name and reputational damages from possibly not looking after donations properly could be significant, so they needed something to automate their processes to give them up-to-date information with a low-touch approach. Traditionally, you send around a questionnaire to assess the supply chain about security status, most of which go in the bin because it’s incredibly time consuming. But they saw a good snapshot, which allowed them to assess whether they should be working with certain companies.
Are suppliers generally accepting of the realities that their security is vulnerable?
No one likes being told their baby’s ugly. It depends on how you approach it. Most organisations are aware they’re not in a perfect position and most cases we find aren’t horrific, but once in a while you find one that is shocking. At first, the response is denial, then unfairness, but most companies are reasonable and understanding. It’s amazing how easy it is to fix most of the problems.
Is that initial disbelief also a reaction to not wanting to incur additional costs?
Yes, but most of the things we’re talking about aren’t that significant. Very few issues are systemic. It’s just human error of not installing something correctly, so they’re relatively easy to fix. But problems can be significant. RiskXchange, for instance, takes an outsider’s view of your supplier’s domain. We search for items such as breached email addresses, mismatched SSL certs and open ports from servers where someone’s put something in place without having the right security, and we know this all in real time so you get a good impression and can gauge the relative risk.
What do you see as the main barriers to cloud migration and adopting a new approach to security?
It’s always cost. People don’t necessarily see the value until it’s a problem. The attitude is slowly changing, though, despite a lot of people being completely aware of having to change something but simply not doing it. But again, it’s not generally a massive expense to the organisation.
What are the main priorities in combating third-party cybersecurity risk heading into 2022?
If you ask people about their security, you’re not going to get the most unbiased response. What’s been noticeable is that prior to GDPR, we had a lot of questionnaires from suppliers but haven’t heard a thing since. People immediately do something at the beginning, but there’s very little follow up. So people are depending on the accuracy, honesty and feedback from their supply chain from probably over two years ago. They have to take it seriously, but just see it as another piece of legislation. It’s about having an honest assessment of your supply chain, that it’s up to date and you have the bare bones of a solution to cover yourself for ransomware.