The last time I met with Richard Turner, he was sitting in the CEO chair at Clearswift. Years later, and after his whistle-stop tour at Proofpoint, I caught up with him at the FireEye London HQ in Bank, where he recently took the role of VP EMEA.
Turner had been at Proofpoint for just four short months before the position at FireEye tempted him to jump ship. And it’s not that surprising, given FireEye’s current position as the industry’s golden child.
When asked what it was about FireEye that attracted him to the role, Turner mentioned FireEye’s “differentiated position in the security industry”, its “understanding that a new approach is needed, and that breaches are inevitable”, its strong vision for understanding the customer, and the people that worked there.
After diligently listing off each of these reasons, all of which, I’m sure, fit perfectly with the corporate messaging, Turner finally added: “Besides, the financial results speak for themselves.” I tried not to smile.
So, back to FireEye’s “differentiated position”, what exactly does Turner mean by this? “FireEye was the first company to talk in a common sense, holistic manner,” he said. “Despite spending more money on security than ever before, attacks are bigger and a new approach is needed. FireEye has the best understanding of this.
“We accept that breaches are inevitable and that the security industry can’t exist on a promise of 100% security.” Turner declared this posture and belief “unique in the security space”, which I had to challenge. The “it’s not if, it’s when” messaging has been adopted by tens of vendors and is the ‘new black’ of infosec.
I’m not doubting it’s true. But is it unique? I would argue not. But those financial results – that I can’t argue with!
The role of VP EMEA is a newly created role, “a consequence of the business growing in scale.” EMEA, said Turner, is a big part of the business financially “and it has been recognized that we need to unlock new markets.”
Spend is Not a Proxy of Security
Turner touched on the subject of security spend, and I pursued this a little deeper. Should people be spending more on security, I asked, or less? “More spend would be a good thing, if it was making organizations more secure. But the headlines suggest otherwise. Spend should be about how it makes an impact.” Spend, he said quite rightly, is “not a proxy of security.”
Often, Turner told me, organizations are spending money on the wrong things. “Most organizations spend on low-value business problems and legacy security. It should be a shareholder value issue. A data breach affects profitability.” Re-prioritising spend would absolutely benefit most organizations, he said. “It’s important to understand that the adversary has changed and the strategy to combat has moved on.”
As an example of the evolved adversary, Turner mentioned the quality of phishing emails. “These days they look so good, the quality of the language is better, and they’ve improved to such a degree that the reality is that everybody clicks at some point.”
Law Needs More Credibility in Cyberspace
As our conversation naturally evolved into a compliance discussion, Turner had the following to say: “Most organizations do compliance for as little as possible. As long as they clear the [compliance] bar, it doesn’t matter by how far.” Security, he argued, should be less about regulation, and more about business risk. “There is no vanilla posture that everyone should adopt.”
Considering which headlines have made the biggest impact on the industry over the past eighteen months, Turner declared that Snowden has had the most significant – and “mostly positive” – impact on the industry, and that high-profile data breaches, like Target, have had the biggest impact on driving sales.
“The Snowden story may be considered a little negatively right now, but over time we’ll see that we’ll need more collaboration with the people who keep us safe in the physical world. Over time, there will be a realization that if we want to have an internet with the regulations and legal frameworks that we expect, then it will have to be properly watched and logged.” The monitoring and policing, however, should take place with the right approval processes in place, he said. “The law needs to have more credibility in cyberspace.”
Whilst Turner declared privacy a basic human right, he also added that in “giving people more privacy, we need to make sure that people with bad intentions don’t use this to their advantage.”
Before we concluded the interview, I asked Turner what his personal objectives are for his tenure at FireEye, having been in the role a couple of months. “Obviously, to deliver on the business objectives. But more than that, to fully execute the FireEye belief in security 2.0.”
FireEye, Turner concluded, is “substantially changing the security market and landscape and I’ll be disappointed if we don’t fully achieve this impact and deliver the technology to customers.”