Interview By Alan Zeichick
“If you give your security team the work they hate to do day in and day out, you won’t be able to retain that team.” Eoin Keary should know. As founder, director and CTO of edgescan, a fast-growing managed security service provider (MSSP), his company frees up enterprise security teams to focus on the more strategic, more interesting, more business-critical aspects of InfoSec while his team deals with what they know and do best: the monotony of full-stack vulnerability management.
It’s a perfect match, Keary says: By using an MSSP, customers can focus on business-critical issues, save money, have better security, and not have to replace expensive, highly trained employees who quit after a few months out of boredom. “We are experts in vulnerability management, have built the technology and can deliver very efficiently,” Keary says.
BCC Risk Advisory Ltd, edgescan’s parent company, based in Dublin, Ireland, was formed in 2011 with “me and a laptop,” explains Keary, who expects his company to end the 2016 fiscal year with seven-figure revenues and a growth trajectory of circa 400% compared to 2015. Its secret cyberweapon is a cloud-based SaaS called edgescan. edgescan™ detects security weaknesses across the customer’s full stack of technology assets, from servers to networks, from websites to apps to mobile devices. It also provides continuous asset profiling and virtual patching coupled with expert support.
edgescan assesses clients’ systems on a continuous basis. “We have a lot of intelligence and automation in the platform to determine what needs to be addressed,” explains Keary.
The firm’s not-so-secret cyberweapon is the MSSP’s professional staff, who split their time between improving edgescan and working directly with customers.
edgescan’s approach to combining automation, pattern matching and expertise helps clients focus on vulnerabilities that matter, and mitigate issues which pose real risk.
It’s essential to continuously monitor customer systems, insists Keary, because nothing stands still. “A point-in-time security assessment doesn’t make sense any more. We need to track changes constantly because software is being deployed constantly. That’s especially true in the cloud, where servers and software are being spun up and torn down every few minutes. Keeping track of that flux is nearly impossible,” and that’s where having an MSSP involved is essential.
The hard work has paid off for Keary and team: The young company is a "Notable Vendor" in the most recent Gartner Magic Quadrant for Managed Security Services and also a "Sample Vendor" in the Gartner Application Security Hype Cycle 2015. Both are very notable achievements in a very competitive market landscape.
Their growth has come largely through hard work and making customers happy, notes Keary. “When we started up, we had a few small customers using our service, and we had good references and loads of loyalty. Picking up new clients is akin to the snowball effect in the positive sense because people talk in industry verticals. We found that having reference clients, people who like your service and will tell other people, is the most powerful type of marketing a company can have.”
edgescan now has a track record of getting the job done as well as, or better than, much larger MSSPs, says Keary. “As a startup, we have stories where we’ve been in trials against 800-pound gorillas like HP and IBM, and we’ve beaten them. We displaced all of the Gartner MQ leaders at least once,” says Keary.
The edgescan Software-as-a-Service (SaaS) solution does the “heavy lifting”, performing scans and evaluations of clients’ networks, software, systems and devices. This is where the big difference comes for those looking for a more advanced vulnerability management solution: the results of those scans are passed to human analysts, who determine if the discoveries constitute real issues. Those experts are trained, incented and challenged to stay on top of the game, explains Keary. “How do we stay on top of the threat landscape? We encourage staff to get involved in research. We get involved in OWASP, including the local Dublin chapter.” The company even helps put new hires through college, and helps pay for bachelor’s and master’s degrees.
The analysts also move back and forth in their job roles, every few months, between working directly with customers and helping to improve edgescan functionality. It works, says Keary.
Speaking of family: His friends’ and relatives’ security posture is what keeps Eoin Keary up at night. “As a security pro, I have an edge over the ‘normal’ person; if I look at my family members, they want security to be invisible, and they don’t understand it. The casualties will be the people on the street. So many people get hit by scams, phishing, and calling you and asking for the password to access your computer remotely. A lot of people may fall for that. In terms of non-security, non-IT people, they are doomed.”
Businesses can’t afford to, and in all honesty shouldn’t, claim ignorance. Cybersecurity needs to be part of their business plan, and they need to make investments in order to protect their business from disruption and to protect their customers’ information from compromise.
For many businesses, engaging an MSSP is the right answer for handling the day-to-day security, concludes Keary. “Managed service providers remove the repetitive tasks. Use us; use an MSSP to do that work because that’s what our experts do and what we are good at doing. We let your experts focus on the things specific to your industry and company. That’s why we’ve had success in this competitive market.”
About Alan Zeichick
Alan Zeichick is Principal Analyst at Camden Associates. A former mainframe systems analyst, Alan has been in the technology industry since the early 1980s, and focuses on software development, networking, communications and security.