We have just celebrated our 10th anniversary of the
founding of CQR, and this gives us an opportunity to look back at the way the
world was when we started the company, and compare it to the world we find
ourselves in today.
In late 2003 almost everyone working in the information
security industry in Australia either worked for a system integrator, who sold
consulting services as a sideline to their hardware and software business; or
for a large accounting firm who were branching out from their IT audit practices. In both cases the advice given by the
security consultants wasn't independent, it was seen as a vehicle to upsell
their core services. If you had a
problem with network security, you were much more likely to be told that you
needed a new firewall - one that was sold by the system integrator of course -
than that you needed to improve your firewall configuration.
The four founders of CQR independently realised that
there was a need in the market for genuine product-independent security advice,
and that business focussed technical risk assessment was something that no-one
else was offering. A decade later this
is still as true as it was back then, and we even see regression as independent
security firms are being rolled back into system integrators and defence
contractors.
It's one thing to have a vision, but quite another to put
it into practice. To make it happen
required belief and commitment. Belief
that there was a need for the services that we were providing, and commitment
to give up well paid jobs for 25% of a startup with no expectation of any pay
for at least the first 6 months. We have
never wavered in the belief and commitment, and it has been rewarded year after
year by our loyal clients and partners.
Our first year stretch target is now well below our average month.
Of course we had our detractors, who said that we would
be out of business in a month. Then
three months. Then a year. When displacing an existing service delivery
model, those displaced can either roll with the changes and grow, or waste time
and focus looking at their competitors and stagnate. Companies that were once our competitors are
now no longer in business, new companies have sprung up following our lead, and
we have adapted to meet the challenge.
But we have never taken our eye off our vision of being the largest
independent security consultancy in Australia.
We were the first business in Australia to certify our
operations to the international standard for information security management
(then AS 7799, now ISO 27001). We
believed then, as we believe now, that we should be the number one client for
our own advice. We have never advised
our clients to do what we say, but not do what we do.
Our success in our home town of Adelaide allowed us to
open offices in Sydney and Melbourne to better service local businesses with
local resources, rather than rely on a fly-in fly-out model which doesn't meet
the flexibility needs of our clients and doesn't scale. We also went international, opening an office
in the UK which has now expanded to deliver services throughout Europe, Asia
and the USA.
In 2013 we see cyber-security stories in the paper every
day, there are nation-states spying on our companies, and information security
certifications are seen as critical to the trust model of doing business. Information security is no longer a
nice-to-have, but a fundamental part of sustainable business practice. The need for independent information security
advice has never been greater.
In the next 10 years, we have detailed plans for the
Australian operation to expand to open local offices to cover the rest of
Australia as well as have a permanent presence in New Zealand and Singapore;
while the UK operation will be delivering services both locally and in Europe and the
USA.
I'm proud to have taken the risk to quit my job. I'm proud to say that I've been involved in
building CQR up from nothing to its dominant position today. I'm proud to be making the world a safer
place.
Phil Kernick Chief Technology Officer
@philkernick www.cqr.com