Ira Goldstein. PHOTO: Cybercrime Magazine.

Herjavec Group SVP On How Cybersecurity Drives Business Value And ROI

International cybersecurity company experiences exponential growth and eyes Operational Technology as the next frontier.

– Georgia Reid

Northport, N.Y. – Dec. 10, 2018

Cybercrime Magazine recently visited the Corporate Headquarters of Herjavec Group in Toronto, Ontario, to connect with the executive leadership team of one of the world’s fastest growing pure-play cybersecurity companies. Herjavec Group is a leading global cybersecurity advisory firm and Managed Security Services Provider (MSSP) with offices across the United States, Canada, and the United Kingdom, and is currently number one on the 2018 Cybersecurity 500 list

 After a tour of the office and a controlled glimpse of their Security Operations Center, we sat down with Ira Goldstein, SVP of Corporate Development, for an interview about how he leads the company’s growth strategy.  Goldstein states that whether you call Herjavec Group an IT security company or a cybersecurity company, they represent more than this for their growing customer base.  They are essentially a business security company.  He says clients want to know how Herjavec Group is adding value and saving them money in the long term. Goldstein states, “If we’re not driving that conversation with our customers as to how our service helps them deliver business value, then we’re being left behind.”

Some of the hottest areas of service for Herjavec Group this year have been Identity Management, Cloud Services, Privileged Access Management, and API models.  They also have a rapid response team. And, according to Goldstein, Operational Technology is the next frontier for the company.

Read below for some highlights from this exclusive interview, and be sure to watch the video for the full conversation:

GR: So tell us a little bit about your background in cybersecurity and your experience with Herjavec Group. I know you’ve been here for quite some time now.

IG: This is my tenth year with the Herjavec Group.  I started with the company when it was early in the journey of where we are today, which is a Managed Security Services Provider that delivers the entire lifecycle of security services. I came into cybersecurity from another industry.  I studied economics and political science and I was really fascinated by technology but had no classical training. I’m from Toronto and really looked around at what interesting companies there were in Toronto, what people were doing in technology, and I found this thirty person reseller of security technologies that had a real passion for focusing on security and helping large companies advance their security posture.  I somehow convinced Robert Herjavec to let me in and I guess the rest is history. I have worn a variety of different hats in the company and today lead up the corporate development team. 

GR: How many employees are there now at Herjavec Group?

IG: We’re approximately 300 people at the company. When I started in 2009 that was around 30 so it’s 10x from then. The majority of our staff are security engineering staff or consulting staff … people that are in front of clients delivering services. I think that’s really a big part of the culture of the company all the way up to Robert … whether it’s the board, the CISO, or the director or manager, we’re all operators at this company.

GR: How does Herjavec Group approach customer success when you’re talking to clients? What does it mean to you to be a customer’s trusted advisor?

IG: For us, everyone is in the business to make our customers successful. How we ensure customer success really starts with my team because my team does solution architecture. I think the success of a good security project or program is often defined by how well you architect the solution, how well you get those requirements from the customer and help guide them as to what the requirements should be, and then obviously delivering on those requirements is key. We are showing leadership to the customer and saying this is how we’re going to measure our joint success, this is the role we both have in getting there, and then of course delivering on that together.

GR: My next question for you is about something else that’s changing quite a bit, which is compliance and regulations when it comes to data privacy protection and things like that. So how is compliance driving your services practice?

IG: So compliance has always been a driver for us … sometimes it’s good and sometimes it’s bad. And what I mean by that is compliance can be good because it can force people to do things that they otherwise wouldn’t do from a security preparedness point of view. I think we saw this with PCI. You know PCI is still a big driver of business for us. We are PCI auditors; we provide PCI scanning. Despite how mature or how far along we are on the PCI journey, there are so many companies who are struggling with it, especially as they move up the tiers to a higher tier provider. And so, in that case, I think compliance can be good for customers because it can drive them to take certain steps they may not have otherwise invested in. Compliance, on the other hand, can be bad, because it gives people a false sense of security or accomplishment. We learned from Target, they had PCI auditing and yet they still got hacked. So to be PCI compliant doesn’t mean you are more secure. We’re seeing now that the driver from a compliance perspective today is really more so around privacy than it is anything else, and it’s still a driver of business for us. We have a big privacy consulting business that focuses on GDPR and other regional regulations. Different companies and customers have their opinions on these regulations but I think ultimately what the regulators in Europe are trying to do ahead of many other people is to get ahead of this privacy issue we have at large and put a framework around it.

GR: What are some of the hottest area of service that you’re seeing right now?

IG: Identity continues to be very hot. Identity is kind of the age-old problem that is becoming a new problem because the perimeter is falling away. The proliferation of cloud services, zero trust model API, is taking over the world. When APIs are connecting to each other, those are released service accounts, and someone needs to manage that identity. The demand for identity is very strong and what we’re trying to do is approach it a bit differently from others and say “identity is a key part of security operations.” And then from a specific niche security point of view, Operational Technology is the next frontier for us. So some people see this as the Internet of Things market and that’s somewhat what it is. I consider the Internet of Things to be consumer devices that are becoming connected to the Internet, whereas Operational Technology as those systems that are running the manufacturing and mining infrastructures of the world, critical infrastructure, that previously may not have been connected to the Internet. They were segregated in traditional network segmentation. But now some of those devices are becoming connected. People are bringing the internet to the shop floor. CISOs are starting to be given the mandate to control both corporate and industrial security, and they want data from both of them correlated. And what that is leading to is new threats in these OT environments.

GR: Tell me a little bit about your “content development strategy.”

IG: Content Development is one of the key tenets of managed security services from our perspective because doing a good security operation is going to be contingent on what content you have in your detection tool chest. That is going to drive the outcomes to your SOC. We say let’s look at a threat framework and the key type of attack categories that are important for you to measure and catch if they take place.  We call that our HG threat framework. It is a list of attack categories that we set up use cases for, and just get a baseline of security going for our customers. We are confident that we can monitor key threats in their environment and that they’re confident that they have a baseline approach to security. That is step one. Step two, and really in parallel, is business specific use cases. So, if we’re managing a financial, there may be a swift specific use case, or there may be an e-commerce application specific use case if you’re a retailer. Then, we have level three and four above that. Level three comes once you’ve established that baseline framework and you’ve done some business-specific use cases. Then,  we dive back into the library of alerts that are the tools in your chest, and we say what are some custom correlations we can do. Something a bit more special, something a bit more nuanced that will tell us if some more of the edge cases are happening.

Georgia Reid