Coalfire’s Larry Jones Talks Future Cyber Threats and Taking Charge

Waiting for the next big data breach to hit is probably not the best way to test how protected a company’s information is.

With more businesses storing and using sensitive data, security is a top concern—especially when the government establishes rules on the matter that businesses must adhere to. Financial institutions, companies that handle medical records, and other businesses might look to independent “cyber risk” management companies such as Coalfire Systems to spot potential weak spots, or to insurers such as Marsh, which also provide those services.

It is a busy time for Coalfire, headquartered in Louisville, CO, with office locations that include New York, Seattle, Boston, Dallas, and San Diego. In addition to working with clients, Coalfire has been handling an unforeseen change from within.

In June, Rick Dakin, the founding CEO, passed away while out on a hike. Soon after, Coalfire named Larry Jones as his successor. Jones had been chairman of the company since 2012, and brings with him prior experience as CEO, which included helming businesses such as Activant Solutions, MessageMedia, and Neodata Services.

He spoke with me about the mercurial way cyber security must adapt to stop bad guys and data leaks, and what stepping back into a direct leadership role, after the loss of a colleague, has meant for him.

Xconomy: With cyber security more top-of-mind these days, what is Coalfire doing to address the growing need?

Larry Jones: We’re an advisory firm that goes into large and small enterprises and helps them answer two basic questions. First, is the IT environment compliant with all the regulations that may be applicable to the business? A hospital has to be HIPAA (Health Insurance Portability and Accountability Act) compliant. A merchant has to protect credit card data. A cloud provider may have to be federal compliant if they are taking on federal business. The second question we ask is, is the IT environment safe from being hacked—is the intellectual property behind the firewall safe?

We’ll come in and do an assessment; some clients are very sophisticated, some clients are very naïve. The next piece of business we do is compliance assessment; we’ll go in like auditors and go down the checklist of HIPAA compliance, PCI (Payment Card Industry) compliance, ISO (International Organization for Standardization), or whatever it may be.

The third piece of business we do is a lot of technical testing, including a penetration test trying to break in at their request. We’ll test the IT infrastructure or a given product, such as credit card readers and medical devices. The goal is to make sure the data in that software or hardware is not exposed to the outside world.

We also provide software tools to our customers and internal consultants to analyze their environments. They do vulnerability testing and provide self-help tools for your own compliance assessments.

X: What is the primary client base that you work with? Larger entities that have lots of data? Small startups that are just starting to get their hands on sensitive information?

LJ: They are pretty diverse. Coalfire is around 14 years old. In the early days, we dealt mostly with smaller to midsize companies—merchants, smaller regional banks, and startups. Those clients tend to be a little less sophisticated and need the more basic services. More recently, we’ve been serving larger enterprises in the technology and cloud space: Microsoft, Oracle, and HP. We also work with payment providers and healthcare systems. We help them address large scale threats.

X: Cyber security threats are always evolving; what are you preparing for down the road, in a world where mobile devices can be gateways to sensitive data?

LJ: There are three really big trends that are starting to come forward. First, the bad guys are getting meaner, more prolific, and international. The threat level is constantly rising. Five or ten years ago, people weren’t really worrying about this stuff. They are now very top of mind and they are building sophisticated systems to address this.

The speed of technology change is rapidly accelerating. There are new payment systems, new virtual systems, new cloud technology. Every time a new technology comes along, we help build new security into them. The access points to a breach get bigger.

The reality is large corporations can be safe within their four walls but if they connect to billing systems, that information is flowing out to a vendor. The idea of vendor management and security beyond your four walls is starting to become more of an issue. Your data is flying around the ecosystem of the supply chain you have.

X: What operations does Coalfire maintain in New York?

LJ: About six years ago, we started distributing our operations in nine different offices; New York is one of our bigger ones. Each office has sales and technology delivery teams who go to our clients.

X: Are there any particular industries that use your service the most now, or which you expect will need cyber security assessments going forward?

LJ: The credit card industries, payment providers, and merchants started worrying about data and compliance eight or ten years ago, so we have a lot of clients in that industry. Healthcare is just now starting to get worried about protecting patient data. Some of the emerging areas are energy, oil and gas, and facilities. The adoption of high-end cyber security programs has been relatively soft. Until either regulation, or a major breach, comes along, industries tend to not get serious about cyber security because it’s expensive. We can help them understand and navigate where to put their money to protect critical assets; you’re never 100 percent safe.

X: Are we looking at a potential future where we deal with more frequent breaches, including through connected devices?

LJ: The opportunities for breaches are going to increase; there’s no doubt in any of our minds. The good news is, as the world gets more sophisticated, it builds more security into the initial products. Fifteen years ago fraud was about credit cards; a lot of fraud protection became everyday practice in the banking world.

Now there’s a payment system built into the latest iPhone with fingerprint security and encryption. There are ways to build products that are safer, but the more products there are that connect to the Internet of Things, the more challenging it becomes.

X: You were chairman before taking on the CEO role after Dakin passed away. What has the process been like, and why did you become CEO rather than search for someone outside the company?

LJ: Rick’s passing was a very traumatic event for the organization. He was one of three founders, and had been CEO since the inception. His energy will be missed. The company spent four to six weeks coming to grips with his passing.

I had been very active over the past 18 months, almost as a co-CEO, so it was a pretty obvious decision for the board, and the transition was relatively smooth despite the emotion.

I’ve been a serial CEO. This is my seventh company, all technology-related. The company is moving from a venture culture to a more grown-up culture, where the process, sophistication, and leadership become very important. I’m more of a larger-company guy. Rick and I worked side-by-side because I brought scalability skills to the table. As the company scales from 300 people, growing 50 percent a year, I think I can bring some of those things to the forefront.
