Sramana Mitra: You’re talking about protecting critical assets essentially.
Chuck Bloomquist: Yes, you can call it critical assets. Whether it’s IP or regulatory control data, to us, it didn’t really matter.
Sramana Mitra: How did you determine what was categorized as critical assets?
Chuck Bloomquist: It’s based on value to the organization. If your revenue for 2015 was based on this formula or this design drawing, then it has value to the organization.
Sramana Mitra: I got it. Those are the characteristics. How did you determine them algorithmically? Did it have to be manually categorized or was the algorithm able to auto-categorize?
Chuck Bloomquist: This was prior to setting up any kind of an algorithm. First, we had to get the value to the organization. Once you get that, then creation of the rules is relatively fundamental at that point. Some will be based on keywords and some on regular expressions and associations with a variety of different pieces of network information and user information that you can add to that decision-making process.
The key is in meeting with the appropriate people inside the organization and getting them to tell you the relevant information in the organization. There’s quite an art to identifying that – knowing which questions to ask and knowing which resources inside an organization you need to get in touch with in order to find it. Once we learned that, the process became a lot smoother and a lot more efficient.
Sramana Mitra: It sounds like it was essentially a manual set up and then the rest of the process was an algorithmic process.
Chuck Bloomquist: Correct. At the same time, data loss prevention tools, which had the ability to do content analysis, started coming into the market space. That was the technology piece that we were waiting for. Those tools really opened the door in the marketplace because it had the functionality that we were talking about. Now, we could automate. Once I can identify it, then I can define it. Once I can define it on a policy inside of a data loss prevention system, I can find it inside the organization. That was the trigger point to invest in this security program.
Sramana Mitra: You were doing these service contracts. When you said that you were dialing people, were these Chief Security Officers? Was there any kind of method of madness of whom you were targeting?
Chuck Bloomquist: Initially, no, but we figured out pretty quickly where to start. What we would find is that we could get meetings in the IT space. We could easily talk to security as well. We learned quickly that IT people were not really the decision makers. We had to continue to push our way up and finally, identifying which were the appropriate titles that would understand the proposition that we were putting in place. What we found is that it typically resided in the C-suite whether it’s the CEO, CIO, or even the CFO. Generally, we would have to work through the IT to get there.