

February 2, 2015 Issue



Network Security Assessments for Medium to Large Enterprises


Mark Fidel

CEO & President




Interview conducted by:

Lynn Fosse, Senior Editor, CEOCFO Magazine, Published – February 2, 2015


CEOCFO: Mr. Fidel, what is the fundamental idea behind CAaNES?

Mr. Fidel: We are from a research university, so we have incorporated university-level research capabilities into our business model. We perform network security assessments for medium to large-sized enterprises. We test their networks to determine how secure they are, and we then come back with actionable information about where the weaknesses are, why the weaknesses are there, how to correct the problems and how to maintain a secure environment going forward. We also excel at incident response matters regarding data breaches, malware outbreaks and the like. We maintain a pretty competent forensic business as well.


CEOCFO: What do you understand about security that others may miss?

Mr. Fidel: One of the things that we pride ourselves on is that we do not perform sampling of our clients’ networks. In other words, if it is a 10,000 node network, and a node for this purpose is anything with an IP address, we will take a look at every node, not 20% of the nodes and then extrapolate the findings or 60% of the nodes. We have a proprietary piece of software called RiskSense, which helps us with the analytics. We are able to turn our projects very quickly for the client, and then we leave the raw information as well as the analysis and remediation path for the client. We leave that in RiskSense for them and they can license RiskSense from us in order to continue their work at improving their network.


CEOCFO: Do many of your clients take advantage? Have you seen an increase in people following through given the current climate?

Mr. Fidel: Very much so. We have never run into a problem where clients do not want to follow through, but there are often limitations both in human resources as well as sometimes technical resources in order to make the follow through meaningful. When we are doing assessments, the amount of raw data that we are collecting is very voluminous, and it can be overwhelming. Our RiskSense product helps make that manageable and helps give our client an idea of the worst things that we need to attack first and go after first. It has never been a lack of willingness, it has usually been a deficiency in capability, and we think we help provide that capability for our clients.


CEOCFO: Are there areas that are not common knowledge but you see as more troublesome than others?

Mr. Fidel: The human element remains the largest variable, so insider threats are particularly troubling, meaning people with knowledge and access who have an agenda of their own that is contrary to the client's wellbeing. The way to counteract the insider threat is through a systems application of effective policies and procedures in order to not allow somebody more capability than their position deserves and to make sure that audits are done on a routine and random basis so as to assure that the information that the client is charged with protecting is protected. It is often the person in the mirror who is the most overlooked when dealing with security problems. The other element is that we as humans tend to be more trusting than not as a default, which is fine. I prefer to be that way as well, but when you are dealing with data matters and data security, it is best to be cautious first and have somebody or a system earn your trust versus you trusting that individual outright. We do a lot of social engineering work in advance of some of our assessments, and some of that social engineering involves trying to determine access paths to a company just by what is publicly available about certain individuals within the company.


CEOCFO: Do you find there are some simple steps like better passwords that most companies do not consider important enough to pay attention to but could help along the way?

Mr. Fidel: Some of the simplest things are to not open emails from people you do not know and do not open attachments from people you do or do not know if you are not anticipating receiving that attachment. A lot of malware outbreaks and incidents begin with someone innocently opening up what they think to be a Word file. It may be a Word document, but it may also have a piece of malware attached to it. They are looking at what may be meaningful or a meaningless document, but in the background this malware is now attached to their system and doing its thing. Let us say you and I were in more frequent communication than we are now and you ask for a PowerPoint file on our company. I have sent it to you, and you are expecting a PowerPoint file. Let us say I also send in a separate email over a weekend an Excel file. You were not necessarily expecting that, and I would hope that before you opened it you asked me what was in it. I may say I actually did not send you a file. That is not done because of the instant gratification that electronic communications presents all of us. I can email you and not necessarily expect a response until you are ready to respond, but if I really need you maybe I will text you and that type of thing. It is a balance between trust and patience, which is what it ends up being. By and large, our enterprise-level clients are getting much better at password management and forcing new passwords on a routine basis, and requiring complex passwords not only of their own employees, but of their customers when the customers have to come in on to a customer-facing website. Overall, I think it is getting better, but then you have the examples of some significant breaches that happened in 2014. I am still not certain that the Sony breach was not a former insider job.


CEOCFO: Are you surprised that people still do not realize they should not be so quick to open an email?

Mr. Fidel: There is not a lot that does tend to surprise us, but it is always a shake-your-head moment when we come across an incident that could have been prevented very easily by taking another route or being a little bit more conscious. It only takes one breach, which is the problem. It is not 15 breaches and then having a significant problem, but it takes one person clicking that malware-infected file open that does it. That is where you want to put technology between the problem and the person, such as scanners that check the email coming in. Technology is getting better and bad guys are getting better, and it is a little bit of a catch-22.


CEOCFO: When a prospective client is talking with you, do they understand the difference and depth of what you offer or are they more surprised when they have started to work with you and realize what you provide?

Mr. Fidel: I think we do a good job at explaining up front what we do, but then the realization as to the extent of our services and the extent of our capabilities given what we are charging, I think there is often a fair amount of surprise. That being said, there has yet to be a web-based application that a client would let us test and certainly a network that a client has let us test that we have not been able to breach and get administrative control over. I think they are pleasantly surprised, and it is also a balancing game that we have to play in terms of not being a threat to the IT organization. Instead, we are a partner to the IT organization and helping them do their job better.


CEOCFO: Would you tell us a little more about the forensic side of CAaNES?

Mr. Fidel: In forensic matters, our clients are almost exclusively attorneys or the legal departments of clients or law firms. We are asked to come in, and it is almost exclusively civil litigation, not criminal matters. We are asked to come in and collect and often analyze data from digital sources. If you can imagine it would hold data, then we have the capability of looking at it. Traditional sources are laptop and desktop computers, and less traditional are becoming more frequent, such as handheld devices, tablets, smartphones, and even older flip phones. It used to be if you wanted information about the call log of a particular phone you would have to approach a carrier such as AT&T, but nowadays the phones are holding a lot of information themselves. We have the capability to not only acquire that information forensically, and that means preserving it in such a way that we can prove its origins. There is no difference in the court systems between validating an electronic record or document and validating a physical document. It just gets a little bit trickier on the electronic side. Sometimes we are asked simply to preserve a data set for whatever reason we could do that, and oftentimes where our skill set really shines through is in the analysis of that information. If the client is looking for particular keywords or patterns of activity that can be seen in how an individual is accessing data, then we can probably find that pattern for them or find that information for them.


CEOCFO: How is business these days?

Mr. Fidel: Very good. This time last year, we were at 25 employees. We are not a big company, but now by the end of January we will be at 40 employees. Our sales were up 60% year over year from ’13 to ’14, and we are profitable, so we are growing.


CEOCFO: How do you deal with the challenges of finding qualified people?

Mr. Fidel: We are physically located in Albuquerque. We have two national labs, Sandia National Laboratory and Los Alamos National Laboratory. We also have a variety of defense-oriented businesses as well as some high-tech manufacturing. We are finding so far that we are able to hire the software engineers and software developers that we need from local resources, which is nice. I am probably competing with Denver and Phoenix in terms of salaries versus Los Angeles, San Francisco, Chicago and Boston. We are able to source so far our headcount locally. We utilize our staffing firm to help us, and we also provide for bounty fees for our employees if they can refer us to somebody for hire who stays for a certain amount of time. So far we are doing well on that.


CEOCFO: What have you learned over time as your products and services have been available? How is what you do different and better today than it was a few years back?

Mr. Fidel: A few years back my answer would have been the same, but I am just amazed at how thorough we are at what we do and what we can uncover for the customer. Especially if we are a year over year vendor to them in terms of the security assessment, our goal is to see them improve and make it more difficult for our job to be accomplished. If our job is more difficult this year than last year that means the client is improving on what they are doing in terms of the data management in a data security perspective. I am just constantly amazed at the talent we have been able to hire, and it really raises our game and provides depth whereas two years ago we would have been able to have two and a half large assessments going simultaneously, now we can do about four to four and a half large assessments. By large, I would say over 10,000 nodes going simultaneously.

CEOCFO: Put it all together for our readers. Why choose CAaNES?

Mr. Fidel: This is a crowded marketplace for what we do. However, we are extremely responsive. We sit down and make sure we understand the client’s environment before just charging in. Almost all of our new clients are referrals from existing clients, and those are trusted referrals. Year over year, time in and time out, we are doing an excellent job for our customer base. We are engaging larger and larger customers every year. We are very easy to work with, and we do become a trusted partner to our clients.






Mark J. Fidel

505-217-9422 x 101









