
Executive Leadership


Message from Chairman

Dr. Craig Wright

In my twenty plus years in information security I have seen many things. I started as many in the security world begin, with the view that we need to maintain secrecy. That obscurity has some (even if a minor) effect. However, in the course of years and in completing over 1,000 reviews and audits in those decades, I have documented and watched the effects of darkness on security.

The results have changed my views from one of covering the truth in order to minimise damage to that of the sunshine principle. Only when we bring exploits into the light of day do we hope to counter them. This is not simply from a perspective of personal opinion, but through the one science that can help us measure these effects, economics. Everything has a cost and only through treating security as a relative and not an absolute can we hope to effectively protect our systems and through them, society.

In writing on SCADA issues, I have been told that I will not ever see another audit of such a system. That is clearly false as some of my best supporters in this are people who are clients. There are those who will not hire me for saying that I want things open, and these are also the types of people I would not ever want to deal with again. There is a reason for this, those who run SCADA systems responsibly suffer greater costs and are less efficient in the short term than those who manage their systems well. The difference comes in the long term, but this in itself can be problematic.

In my years testing systems and responding to incidents, I have seen more failures than I care to remember. Some have been spectacularly complex, others have been dismal and it amazed me as to how poorly the controls could be set.

Carl von Clausewitz wrote how “the backbone of surprise is fusing speed with secrecy.” We provide that secrecy when we allow compromised systems to remain online, when we hide the fact that our critical systems have been compromised. He further reminded us that “War is not an independent phenomenon, but the continuation of politics by different means.”

We are seeing the Chinese and North Koreans compromise more and more critical systems each week. Some of these are in the press, but these are either the failures or the systems that are already mined for all they are worth. For the most part, these breaches remain secret and out of public purview. To the North Koreans, the entire purpose of a computer network seems to be as a platform for politics through any means.

To paraphrase Clausewitz, everything in security is very simple. But the simplest thing is difficult.

Judge Learned Hand formulated a legal rule. He said that everything had to be measured in terms of ensuring that “B < PL”. That is, the burden of untaken precautions (B) has to be less than the product of the probability of an outcome (P) by the severity of outcome (L).

This is more than simply looking at the short term costs and effects, but the probability of more dire events and consequences as well. To allow Judge Hand’s rule, we cannot hide in the dark, we need to expose the disease that comprises many of our security controls to the antiseptic of sunlight.


Now, my focus is on teaching. I still do some work and consulting, but only as I do not believe a teacher who is teaching security can do so without exposure to the “real world”. If I do not work on sites that want to have an audit such that they can fulfil a compliance obligation and not actually take the risks seriously, I could not be happier.

With Strasan, I am glad to be working with a team who takes security seriously and wants to do something to fix the issues and not to simply hide them.

 

Message from CEO

Shoaib Yousuf

Information security is no longer an IT stepchild but a mission-critical effort: a data breach has an immediate effect on a company’s bottom line, on its market share, its stock price, and in some cases, on its ability to survive the loss of confidence and loss of contracts.

No CIO that I know of is looking to cobble together a solution set that will burden his or her team. Nor does he want to invest dollars in solutions built for today’s threats, but not tomorrow’s. Instead, we are recommending, and seeing a good response to, a more ‘holistic’ approach that manages the flow of sensitive data through an enterprise system.

CIOs are looking for solutions that can share intelligence, reuse work already done, and adapt to the constantly evolving threat and compliance landscape without a lot of additional investment of time or money. Accordingly, we believe that a flexible and comprehensive approach to creating a product suite will meet that need, giving CIOs more security for their dollar and giving security vendors an advantage in the market.

The need to protect information assets is becoming a top management priority. The protection is necessary to keep the competitive advantage in the challenging marketplace. If an organization does not take structured steps to safeguard itself, the consequent losses could result in substantial damages in revenue, brand erosion and even legal culpability. Information needs to be protected across its life cycle and must be protected from unauthorized access, changes and non-availability.

We formed “Strasan”, which means passionate in the Croatian language and matches our image, where we can help organizations to reduce risk and enhance competitive advantage by protecting their information assets and providing positive assurance on governance.

Strasan professionals have helped several organizations to implement an Information Security Management System and governance using a unique pragmatic business approach. This approach ensures we focus on understanding our clients’ requirements and their risk appetite before recommending or implementing any security solutions.

 

Message from COO

Sanjeev Bhola

Strasan was founded in 2011. It is a relatively new “kid on the block” but its founders are seasoned and world-renowned Computer Security Professionals.

Our IT security products are the core of our business. We are introducing new ways of protecting businesses in the electronic world ahead of the bad guys. Today, we are growing quietly and cautiously in the Asia Pacific region.

Our corporate policy, "Create and Innovate", is firmly embedded in our DNA. With a corporate culture based on Creating and Innovating, we endeavor to practice "something new, something different" every day, and our products and consultants have an unchallengeable position in securing critical business information assets and critical SCADA infrastructure. We continue to live this spirit, and will move on to create affordable and robust computer security solutions.

Today, businesses world-wide are subjected to cyber-crime, cyber-theft and cyber-terrorism. In response, Strasan has created three central themes in its Management Policy. The first is an aggressive development of new cyber-security appliance-based products that protect medium to large businesses globally in the connected world of the Internet. The second is specific and tailored security assessment services in Banking, Utilities, Oil & Gas, Mining and Manufacturing industries. The third is real-time harvesting of global intelligence on security vulnerabilities so that, armed with this knowledge, we can proactively protect business information of our customers.

Strasan will develop through a management where transformational ideas are encouraged and conventional thinking is challenged, and where we are always at least half a step ahead of the computer hackers.

 

 



© 2011 Strasan