Ian, tell us a little bit about yourself, and how you came to be the CEO of ZX Security.

It’s always a tough question to answer, but I prefer to start with who I am, rather than how I got there. I was recently interviewed by RNZ to promote Big Buddy, an initiative which is all about connecting young boys who may lack a paternal presence in their life with a male role model to help them grow and learn. So, I guess that’s where I’d start – helping people is what drives me and what keeps me going.

Everyone needs a mixture of ingredients in order to succeed and live a happy life. A few of mine are family support, grit, integrity, passion and a never ending rage to master – not just for myself but for others too. Originally, I knew the Founder & CTO, Simon Howard, and he’d let me know he was looking for someone to help him grow ZX. Being me, I told him I knew someone, and sent him my resume.

Looking back it’s crazy to think I was employee number four and now we’re at 33 and growing. So, I guess that’s how I got to become the CEO of ZX Security.

What is the core business of ZX Security?

ZX is a CREST certified cybersecurity consultancy with three divisions. In PenTest, we test and find vulnerabilities within an organisation’s internal networks, physical access, cloud, and external environments. In lay terms, we’ve built an awesome team of hackers! In our Cloud division we review and provides senior leadership security advice specific to cloud environments. And finally in Cyber Strategy and Risk we review, define and increase a businesses security postures.

ZX’s clients range from two seat SaaS start-ups in NZ aiming to disrupt the world from their garage in Tauranga, to government agencies and global 1,000,000+ employee organisations.

There have been a lot of concerning headlines over the last few years about consumer data leaks.  Could you tell us a little more about why it is important for a company to consider its security posture as a painkiller (need) rather than a vitamin (nice to have)?

The headlines can be annoying at times to be honest. I’ve found recent media coverage to be at best misleading, and at worst completely inaccurate. Often the media coverage is sensationalism and purposefully perpetuates a culture of pointing the finger, rather than using the opportunity to educate the public and create better awareness.

But that’s not why we’re here! Yes, there is an increasing visibility around security incidents. As our Director of Information Strategy & Risk, Steve Honiss says, it’s not like you can sell a SaaS product out of your garage door if your website, or application goes down due to a DDoS attack, or your business is held ransom through a ransomware attack by a bad actor. Businesses need to think of the cost of not being secure, rather than the cost of security.

You’ve mentioned in the past that increasingly investors (e.g. in M&A, or Private Equity deals) are requiring a security review as part of the due diligence process. What does a security due diligence process look like? An organisation would need to have the muscle in place to accommodate the process, but can you shed some light on what exactly is being reviewed typically?

Yes, the main two exercises typically involve:

  1. Advisory: This is where we sit in the room during initial acquisition discussions. Our position is to act as a security czar and note anything that requires additional attention – like the people, processes, applications, or overall business.
  2. Testing: penetration testing and source code review. This helps to determine if the proprietary application the organisation is looking to acquire has a solid security posture.

There is obviously a lot of business growth to get to that point – many of the companies we interact with are often just in their first year/s of operation. What would you say are the first ‘doors that should be shut’ to get the basics right from a security perspective for a company at the beginning of its lifecycle?

The key thing is to have a plan from the get-go. You are planning to invest a lot of time, energy and money into your new venture – so don’t let it come undone by neglecting security.

There are some simple things that everyone should do for both their business and home lives. Turn on MFA everywhere. Turn on auto-update on your computers and your phones. Get and use a password manager and stop using the same password for everything! Back everything up.

Every year, CERT NZ releases their Critical Controls. These are the ten things to do that will make the most impact in improving your cyber security posture.