Monday, 2 June 2014

CEO in the Spotlight: Interview with Ian Whiting

by PenTest Team

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. 

In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 60 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.

Hello Ian, please tell us few words about Titania.

Titania was founded with the aim of developing easy to use security auditing software that performs a detailed analysis of systems that otherwise would require specialist knowledge. The software that we have released to date has assisted both government and leading businesses in better securing their networks. In the process, Titania has gained critical acclaim from leading industry analysts and several awards.

Since opening our first office in December 2010, Titania has experienced considerable growth. We now supply our products directly, and through a network of global partners, to organizations in over 50 countries worldwide. Our customers tend to be those that are security conscious, in sectors such as finance, defence, telecommunications, auditing and manufacturing.

What is it like leading a company like Titania and what are some of the challenges you face?

There are of course many technical and development challenges to running a business like Titania that specializes in cyber security auditing. However, as soon as we started trading our largest problem was responding to our customers’ requests to purchase the software and keep up with the demand for new features and functionality. In fact our largest challenge to date has been to manage the growth of the company. 

We are always looking to keep ahead of the competition and we have decided on a plan to achieve that goal through the technical capabilities of our products rather than through our company's marketing arm. So although we sometimes have a difficult time communicating our message, our products speak for themselves.

Do you offer any professional services?

We do not provide any professional services at present, though we are always continuing to review that situation. So we may add professional services at a later stage, both directly and through our network of global partners.

Users of our software do not require training services as one of our development goals was always to make our products as easy to use as possible. I believe we have succeeded in that goal. I have personally seen non-technical people produce detailed and complex security audit reports using our software with no previous experience with the tool. This being said, we are not resting on our laurels and we continue to look at ways to further improve user interaction with our products.

How often do you refresh (update) your products to meet the latest security challenges and threats?

Our products are continually being updated and are evolving to meet the requirements of our customers and the new issues that emerge in the industry. Typically each of our products has a short release cycle with updates being made available monthly.

Can you mention some of your top-selling products?

Nipper Studio is our company’s flagship product. It takes the manual process of reviewing how network switches, routers and firewalls have been configured and automates it. This is not done using the intrusive method of scanning a network device, which would not give you the full picture of how the device has been setup, but by analysing their native configuration.

The reports that are produced by Nipper Studio can contain security audit findings, compliance reporting, configuration reporting and more. The reports produced are equally detailed and specific, they were designed with technology that writes the report just like a human would. This is in contrast to traditional computer report writing technology that simply joins pre-written paragraphs of text together and rarely accurately describes how something specific has been configured.

Our most recent product, Paws Studio, is a Windows and Linux compliance product for servers, workstations and cloud-based systems. It was developed based on very specific security requirements of our customers who work in highly secure environments, with very sensitive information. They needed a solution that could be run without installing software on the audited system. Therefore we built Paws Studio to be able to run over the network, on the local system or offline with no connection to the audited system.

Although we have pre-configured Paws Studio with a number of different compliance check lists, you can define your own compliance checklist within the product. We have developed a Policy Editor that enables you to either modify one of the pre-defined compliance lists or create one of your own from scratch.

All of our products have been designed to be integrated with bespoke and third-party systems, including continuous monitoring setups. They can easily be integrated using a scriptable interface and you can export the report data in a variety of different formats. We also release our products with multi-platform support covering Microsoft Windows, Apple Mac OS X, Red Hat Linux, Ubuntu, Fedora and so on.

Our customers are very important to us and their needs play a key role in the development of all of our products. We base a lot of our development plans around their feedback and requests.

Where do you see network security heading in next few years? What are some of your predictions?

I see that security compliance is going to play an ever larger role within the industry than it does today. It is great to see progress towards an ever improving security baseline, but it also saddens me to see many organizations depending solely on compliance as the means to being secure. It is why I believe it is important that the security industry, in addition to enhancing security compliance lists, highlights the fact that being compliant does not mean you are secure. Unfortunately I can see there will continue to be security breaches in organizations who manage security risks with compliance instead of striving to ensure a truly
secure environment. You can almost picture the victim company’s statement now. It would read something along the lines of: “The company had met their compliance standards and we are now reviewing our current operating practices to ensure how best future breaches could be avoided”. 

Nipper Studio is fairly popular in the network security industry; can you give us some historical background on that product?

I have a background as a penetration tester and regularly performed manual assessments of various network devices. A proper assessment of a network device is not a five minute task, each aspect of how a device can be configured needs to be properly analysed and any potential security risks highlighted. Anyone who is simply reviewing firewall rules is not doing a thorough job. It is also a task that requires a high level of knowledge about the device being reviewed. It seemed by me that this is exactly the type of task that is suitable for automation.


***** It is worth noting that although penetration testers are typically both highly skilled and adaptable, they cannot be expected to have in-depth knowledge of every system they come across. The same is also true of the network administrators who manage those systems, they may not have the in-depth security background required to identify potential weaknesses in their systems. Nipper Studio is exactly the type of solution that could help each side. Giving penetration testers, device specific assistance and helping network administrators identify potential security weaknesses. *****

Although Nipper Studio originally started life simply identifying a limited number of security weaknesses with Cisco configurations, it soon grew by adding support for more devices, identifying more security weaknesses and eventually writing the security audit report for you.

At Titania, how do you strive to achieve top-quality software? What kind of quality control do the products go through?

This is a very challenging aspect of developing a product such as Nipper Studio. The number of moving variables involved with the development process is huge. We support a large number of different devices, the manufacturers of which are constantly updating and revising their platforms. Plus the vulnerabilities in each platform are forever evolving.

We maintain a growing test environment that includes the different devices that we support, plan to support and some others that may never get added to Nipper Studio. These are all used during the development and testing process, together with different firmware versions. To help manage the development plan for this we employ a development and tracking system that enables us to manage all these variables together with improvements suggested by our customers. Each developer and tester knows from our tracking system what tasks they need to be working on next.

Nipper Studio supports various Cisco devices and some people may be under the impression it only supports Cisco devices. What would you like to say about that?

Nipper Studio does support a wide range of Cisco devices, it was originally developed with only Cisco support and it is used by Cisco. So it is easy to understand how historically Nipper Studio could be mistaken for supporting only Cisco devices. However, the latest versions of Nipper Studio support over 100 different devices from different manufacturers and are used internally by a growing number of those manufacturers. Even a network that predominantly uses devices made by a single manufacturer will undoubtedly have a number of network devices made by someone else. We are often approached by customers asking for us to add support for unusual systems and devices. The network devices that we see deployed in data centers has evolved over time with increasing deployments of some devices and the reduction in others. We have developed a plugin-based architecture for Nipper Studio to help us adapt to those changes, enabling us to quickly develop, test and deploy support for new devices.

Very often clients complain that they are not offered good product/customer support. How do you ensure good customer support?

It was important for us to achieve our ISO 9001 accreditation as it helps us to ensure that every customer receives the same high standard of support from the point that they first engage with the company to when they receive the product and the subsequent support process that follows. We believe that every customer deserves great customer service and technical support and we offer these services free of charge to every one of our customers. Our ISO 9001 conformance not only ensures that all of our staff deliver the highest level of support but also promotes continuous improvement throughout the company. We achieve this through collecting and reviewing customer feedback and auditing our customer care processes.

Thank you for the interview


No comments:

Post a Comment

Did you find our blog useful? Let us know! We would love to hear your thoughts, opinions and comments regarding any of our blog posts.