Matthews founded the company with partner John Devine to address the need he saw in the market for network security. Prior to his business partnerships with Devine, he was a consultant to the investment banking group at Merrill Lynch, developed mortgage-backed securities software at First Boston, coordinated and operated a computer graphics lab at HBO/Time Warner, and in the late 1970s served as a programmer and designer for the VM operating system at IBM. Matthews came to Dubai on February 24th to discuss his company and the state of information security.
How did Rapid get its start?
Rapid7 began when my CTO, Tas Giakouminakis, walked into my office and tried to quit. This was as the CTO of another company I founded. I told him, no, that he couldn’t resign and we sat down with a blank piece of paper to work out what our next best steps were. We decided to go into information securities at that time, because it was a growing sector and we saw a great deal of potential.
How can we start to manage more services and data in the cloud, how can we address potentially higher security risks?
I actually think cloud is a very positive thing. In the industry today I think there is a perception that the cloud is somehow inherently less secure, but I don’t believe that to be true. I would contend that it actually provides you with higher security. Particularly in the SMB market, it may be more beneficial for data to be kept in a cloud service and managed by a cloud service vendor that would be able to provide a much higher level of security. If you have your own system, you also have the danger of your own system being compromised.
In terms of end-user behaviour, what policies should businesses adopt to prevent human error from compromising security?
The best practice is not one that requires businesses to spend a great deal of money – there should be regular updates to any products, and it needs to be demonstrated to users why credentials are necessary and how to keep them secure. Many of these problems come into play because businesses have password protection mechanisms that require the user to change passwords too frequently – which results in the users writing the password down and compromising security that way. There are various ways that you can keep a security protocol in your business and make sure that people understand that data is valuable.
The last year has been a bit rocky in terms of information security, with leaks and breaches dominating the headlines. What have we learned from the last year’s events?
What we have learned – and what we at Rapid7 learned long ago – is that everyone is vulnerable. There is no industry or company size that is shielded from an attack. The question now is not when you will be attacked, but what you will do when you are attacked, and how much you will know about the attack when it is underway.
What security trends are you keeping your eye on for the coming year?
When I speak to customers, I am hearing that one of their top concerns is breach in progress. It is as if you have burglars in your house, but you cannot determine where they are and what they are doing – it is a panic button. We have a product which provides breach protection and investigation management. It allows users to zoom in and home in on the areas that are being affected during a breach. It gives you the ability to determine where a breach has occurred.
What new products and services does Rapid7 have on offer this year that may change the threat landscape?
Security strategy and security strategy services are areas where we are finding a lot of acceptance. Whereas information security may have been pushed down to a lower level in the past, these days it is being brought to the board room. This doesn’t mean that every board member is going to understand every detail of security. What it does mean is that they are interested in ensuring that there is a strategy to ensure that there is a risk-averse protocol in place.