

June 29, 2015 Issue

The Most Powerful Name In Corporate News and Information


Information Security Programs for Organizations


Danny M. Timmins

President & CEO




Interview conducted by:

Lynn Fosse, Senior Editor, CEOCFO Magazine, Published – June 29, 2015


CEOCFO: Mr. Timmins, would you tell us the concept and philosophy behind NCI?

Mr. Timmins: When we look at how we built our company, we focused on culture and values. Outside of what we do, which is cyber security, we try to attract a certain type of person within the organization. For instance, two of our principal values are respect and integrity. They define us not only for what we do, but how we do it, both through interaction with our customers, and also internally within the organization.


We operate very much like a family organization, working together helping each other grow professionally and personally, enjoying each other's success, while focusing on our customer. The main goal is to deliver to our customer quality solutions & services, making sure the scope is correct, the task done on time and completed on budget.


CEOCFO: What is your approach to security?

Mr. Timmins: NCI's approach to cyber security has evolved with the level of sophistication required within the industry. When we were founded 15 years ago, the focus was primarily on product and how do we secure the gateway? The simple answer then was to put in a firewall product with some access controls. NCI's team went one step further, providing advice, sharing our knowledge and expertise, architecting a solution for the organization.


Today, NCI's experienced consultants and sales teams are solution driven with a desire to help businesses make security an integral part of their business. We start with assisting an organization in understanding their cyber security posture or maturity level and the potential risks. Our Maturity and Threat Analysis presents the organization with a full assessment using a known framework. The executive summary and resulting roadmap will assist the organization in evaluating high-risk areas and how to best allocate budget resources towards cyber security.


At NCI we feel this is important, as organizations over the last 6 years have continued the product focus cycle we started with. Yet products are only a part of the solution. Policy management, incident management, or simply an understanding of your application and level of security on your application will determine the breadth of the organization's needs. NCI's focus and go-to strategy today is to ensure the organization understands their baseline cyber security, how secure they currently are, and what their options are. Our intent is to give them the knowledge required so they may take an informed approach to addressing their cyber security needs to budget and allocate resources accordingly. We aim to solve a client's unique needs while working within the scope of their technology platform.


CEOCFO: As solutions and threats change quite regularly, how do you devise a strategy for a company with that in mind?

Mr. Timmins: It is because solutions and threats are constantly changing, that an organization requires a baseline. Once we have a baseline, such as NCI's Maturity and Threat Analysis, we can assess potential risks unique to the organization and optimize results. Verticals do have similarities, but essentially each business has its own risk factors with the organization. There are also what the cyber security world calls risk factors known as vectors; vulnerabilities faced within a vertical as published in the Verizon DBIR Report. An example of this would be a Malware that is the highest risk within that particular vertical. Factoring in this vector risk, the risk of the organization, and the baseline, we can better understand the organization's maturity from a cyber security perspective and point them towards the right solution.


Organizations generally tend to focus on areas they believe are high risk, but might not focus on all the areas they should. It's not that they do not understand their business, but that they don't see it from an in-depth cyber security perspective. Looking at retail for example, the main focus may be on credit card, but what about client information, employee information or R&D to name a few other potential risk areas?


We consider there to always be risks, and the idea that because the landscape is constantly changing, without a baseline, it is difficult to apply risk change quickly when that risk comes. For instance, malware could be the focus for today, but it could be another threat that comes out next year. If you do not understand where your maturity posture is at, you will not know how to apply a particular risk that is coming, to the measure you already have in place from a cyber security perspective.


CEOCFO: What types of companies tend to turn to NCI?

Mr. Timmins: When NCI started in cyber security fifteen years ago, public safety and municipalities were two of our main client verticals and because of our size, we developed a niche focusing on all types of mid market companies. Our clients now include companies across all industry sectors, of all sizes. Today, with all verticals vulnerable to cyber security threats, there is nobody that we do not, or will not work with.


CEOCFO: What is your geographic range?

Mr. Timmins: NCI's current geographic region is Canada. We founded our business in Ontario, and expanded to provide cyber security solutions in Quebec and the East Coast in 2008. Just recently we have expanded out west, giving NCI a national presence. One day we will be in the US and Europe.


CEOCFO: Are there certain areas that companies tend to ignore?

Mr. Timmins: When we first approach a customer, we initially evaluate the maturity of them from a cyber security perspective just by talking to them and asking questions. This is by no means an assessment but we can tell if they are on their way or not. Interestingly, the Maturity and Threat Analysis framework that we have created, customers that engage with us are on average at about 21%. We have had two customers that have been in the 50% range, but most in the 20's. Simply stated, organizations do not understand the vastness of what cyber security is. I read an article recently that talked about resiliency that had me thinking about cyber security and what organizations need to understand to become resilient. Becoming resilient is not just about putting a product in or hiring a company like NCI, it is understanding that they are going to be attacked. Many, or most organizations still believe they will not be attacked, or affected if they are attacked and simply do not understand the enormity of the situation until it happens regardless of reading vast amounts of information. We believe that organizations are being compromised as we speak and they don't know; why would the person breaching the system disclose this?


The only time I really find a customer reacts hard is when it is PCI (Compliancy). NCI is very active in assessing PCI Compliancy. We recently had a customer resistant to PCI, and have since found themselves receiving a quarterly fine until they complied with PCI regulations. At NCI we do not make the rules, but we can assist meeting PCI requirements and getting beyond the fines. Sometimes it takes a monetary fine to get an organization to take action in establishing adequate cyber security infrastructure.


CEOCFO: What might be different a year from now at NCI?

Mr. Timmins: One of the most difficult challenges in the industry is retaining your talent. The demand for quality cyber people is very high. In both the US and Canada, there are just not enough people in the field. Recognizing that the people make the business, my priority is to make sure retention level is high.


From a cyber security perspective, our platform is to educate our customers. NCI has worked to establish a solid, trusting relationship with our customers, and believe by educating and ensuring an understanding of maturity level baseline, decision makers will see from a vision perspective what you are doing. This brings me to our managed and cloud services business where to differentiate ourselves, we intend to offer more of a proactive service. Currently mostly reactive, NCI would like to be a proactive force for organizations to change their cyber security. For example, if we had a customer with a roll out of 25 firewalls, instead of being reactive and waiting to work with the client, we will engage with them every month in an attempt to improve the baseline of their maturity posture effecting a positive change with the firewalls and other cyber security areas. On a quarterly basis, we are going to have what we call a virtual CISO. One of our experienced consultants will go in and be an advocate of change for them. At NCI we want to build a managed service and cloud service that gives more than just a 24/7 operating center to call when there is a problem. We want to move the pendulum towards proactive managed services of recurring business with strong trusting relationships, recognizing this as the key to our longevity, our success and the success of our customers.


"One of the most difficult challenges in the industry is retaining your talent. The demand for quality cyber people is very high. In both the US and Canada, there are just not enough people in the field. Recognizing that the people make the business, my goal is to make sure my retention level is high." - Danny M. Timmins








