In late 2003 almost everyone working in the information security industry in Australia worked either for a system integrator, who sold consulting services as a sideline to their hardware and software business, or for a large accounting firm who were branching out from their IT audit practices. In both cases the advice given by the security consultants wasn't independent; it was seen as a vehicle to upsell their core services. If you had a problem with network security, you were much more likely to be told that you needed a new firewall - one that was sold by the system integrator of course - than that you needed to improve your firewall configuration.
The four founders of CQR independently realised that there was a need in the market for genuine product-independent security advice, and that business-focussed technical risk assessment was something that no-one else was offering. A decade later this is still as true as it was back then, and we even see regression as independent security firms are being rolled back into system integrators and defence contractors.
It's one thing to have a vision, but quite another to put it into practice. To make it happen required belief and commitment. Belief that there was a need for the services that we were providing, and commitment to give up well-paid jobs for 25% of a startup with no expectation of any pay for at least the first 6 months. We have never wavered in the belief and commitment, and it has been rewarded year after year by our loyal clients and partners. Our first-year stretch target is now well below our average month.
Of course we had our detractors, who said that we would be out of business in a month. Then three months. Then a year. When displacing an existing service delivery model, those displaced can either roll with the changes and grow, or waste time and focus looking at their competitors and stagnate. Companies that were once our competitors are now no longer in business, new companies have sprung up following our lead, and we have adapted to meet the challenge. But we have never taken our eye off our vision of being the largest independent security consultancy in Australia.
We were the first business in Australia to certify our operations to the international standard for information security management (then AS 7799, now ISO 27001). We believed then, as we believe now, that we should be the number one client for our own advice. We have never advised our clients to do what we say, but not do what we do.
Our success in our home town of Adelaide allowed us to open offices in Sydney and Melbourne to better service local businesses with local resources, rather than rely on a fly-in fly-out model which doesn't meet the flexibility needs of our clients and doesn't scale. We also went international, opening an office in the UK which has now expanded to deliver services throughout Europe, Asia and the USA.
In 2013 we see cyber-security stories in the paper every day, there are nation-states spying on our companies, and information security certifications are seen as critical to the trust model of doing business. Information security is no longer a nice-to-have, but a fundamental part of sustainable business practice. The need for independent information security advice has never been greater.
In the next 10 years, we have detailed plans for the Australian operation to expand to open local offices to cover the rest of Australia as well as have a permanent presence in New Zealand and Singapore; while the UK operation will be delivering services both locally and in Europe and the USA.
I'm proud to have taken the risk to quit my job. I'm proud to say that I've been involved in building CQR up from nothing to its dominant position today. I'm proud to be making the world a safer place.
Phil Kernick, Chief Technology Officer