How Adnovum is leveraging its Swiss roots

How has Adnovum been doing so far and what are some of your key growth areas?

Thomas Zangerl: The first thing I’d say is that Covid-19 did not harm us as a company. In fact, we’ve been growing quite fast, and we’ve transformed our business in Europe where we went from a functional to market-oriented structure.

The key industries that we focus on are banking and insurance, public sector, as well as transportation and logistics. We grew by about 16% in 2020 and 12% last year, which we are happy with because it’s faster than the market. That’s important to us because if you grow slower than the market, you become an acquisition target.

We’ve been transforming our business in Singapore as well. When we first came here, we were serving the large Swiss banks, but that business has decreased over time, so we went into the government business.

To give you an example, the Swiss government operates about 600 IT applications and 450 of them are authenticated using our solutions. Those government systems are used by the military, federal police and tax organisations, among others. We want to leverage that because we believe what’s good for the Swiss government can be good for other governments too. Today, we have customers such as the Monetary Authority of Singapore using our IAM solutions.

Our strategy now is to expand beyond the core industries we serve and focus on combining software with security, which makes us unique. There are many companies that can create software cheaper than we do, but we have a promise on quality and delivery that requires us have certain structures and certifications in place.

From there, we are also going into areas like zero-trust security, which is a continuation of what we are already doing. We’ve built up knowledge on the behaviour of users as we deal a lot with banking systems. Even though users are authenticated on those systems, we still don’t fully trust them. For example, we can impose three-factor authentication before they can submit a transaction if their behaviour deviates too much from the norm.

Such capabilities can also be used to secure internet of things (IoT) devices. We don’t have a big footprint in IoT now, but we want to look at that market and develop solutions to secure devices such as home security cameras, which often have standard passwords that are left unchanged by users.

Our strength in IAM, and now zero trust, has been instrumental to our growth over the past two years when more organisations had to authenticate employees who were working from home using their own devices.

The IAM market has multiple players providing different solutions. What you’ve just described as behavioural and security analytics is not new. How is Adnovum doing things differently?

Zangerl: If you look at the ecosystem of IAM vendors, it changes with hyperscalers like Amazon and Microsoft entering the race with cloud-based solutions. We don’t go into that market because IAM on the cloud is often built for simple use cases and there will always be somebody who can do it cheaper and faster than us.

The areas we want to go into are more complex – for example, integrating a large number of applications that are secured by zero-trust solutions. We are also focused on areas where regulation and compliance play an important role.

There are many companies that can create software cheaper than we do, but we have a promise on quality and delivery that requires us have certain structures and certifications in place

Providing an IAM solution is just one thing, but the governance and compliance behind that is key. And so, we see opportunities from organisations that are regulated by data privacy laws such as the General Data Protection Regulation (GDPR) in Europe.

Next year, Switzerland will also introduce a law which will be on the same level as the GDPR and that will increase compliance and legal requirements. That’s the sweet spot for us.

Could you provide an example on how compliance and governance is being applied in IAM projects that Adnovum is working on?

Zangerl: For example, in a regulated environment, you have to be aware of unused accounts. You have to be able to prove any type of provisioning of permissions or access rights. A technical log file is not enough – you have to approve user roles within an organisation like accountants, and that the principle for approval has been followed.

So, it’s a reporting and workflow thing and it can be very specific to an organisation. That’s where the typical vendors in the market don’t usually go into.

There’s been a lot of hype about zero trust, and some people are confused about what it really means, but it’s a simple concept: Don’t trust anyone or any device, whether this person or device is inside or outside your network and apply the same controls everywhere. How are you educating your clients about zero trust?

Zangerl: In the 1990s and 2000s, if you have a device which is under the control of your employer, you go into the office, connect it to the network and then you’re in a trusted environment. Any threat is seen to have come from outside of the company.

Then came the VPN [virtual private network], which creates a tunnel from the same device to the network, enabling you to work from home. But with Covid-19, you could be working on any device connected to trusted and untrusted networks, which could open the door to attack vectors. To access what you need, you’ll have to authenticate your identity with your user ID, password and hopefully biometric information. That’s a simple way of explaining zero trust.

But zero trust is not a revolutionary concept. The technologies enabling zero trust, such as access lists and certificates, have been around for a long time.

Another aspect that I find interesting is perimeter security that prevents people from attacking you from the outside. But if you look back to the early 2000s, there was a problem with Swiss banking data being sold around the world. The data was not stolen from the outside, but from the inside, so you must consider that not all employees will act with good intentions.

I believe that, for quite a long time, we have been strong in implementing IAM solutions, but we also see an increasing trend towards consulting services. Take ransomware mitigation, for example. There’s no one pill you can take to solve the ransomware problem.

You can have firewalls, inspect content and separate production data from backup data. You can block upstream traffic to the internet because that can be an indicator of someone transferring data out of your network, but that could be a false positive if that person is backing up his personal data to a cloud service used by your company.

The next part is cyber security awareness. How does a phishing attack look like? What’s the nature of the emails that come with those attacks? Even though we are a company of specialists, we still have people who click on e-mails to go to a website and submit their credentials in one of our internal phishing simulations.

So, the whole thing is not just a piece of technology. It’s also the consulting services that we provide, particularly for mitigating ransomware which can cause financial and reputational damage. We have small consulting engagements with boards of directors and executive boards, and that can open doors to zero trust and IAM projects.

Would you say that the demand for consulting services has increased amid the pandemic?

Zangerl: I don’t have market statistics, but my perception is that demand has clearly increased, propelled by what I mentioned earlier. Many companies found out that they have deficiencies in their IT security environment, some of which are very basic. They also found out that people are using their own devices at home, so they won’t know what’s in those devices. It’s not super high tech, but they need explanation and guidance.

Do you also see a demand for companies that may want to harden their applications and go to you for additional development work?

Zangerl: I believe very strongly in that. In many businesses, today or in the past, you develop a piece of software and then you somehow operate very leanly to minimise technology management or risk. You run the software for several years and you leave it alone until you have to touch it because it has a vulnerability.

In future, we could offer, say, a full service package but you don’t have to pay a large amount of money for the initial development. Instead, you pay a fee every year. The challenge is that IT organisations usually have annual budgets and may not want to go into multi-year contracts which governments do.

For example, in Switzerland, you can have a public tender that includes software builds, including options, and operations for 10 years, so you have an intrinsic view of what’s needed in software maintenance. So, support is a key thing and we’re also diversifying as I had mentioned earlier.

Cyber attacks have intensified against industrial control systems and critical infrastructure. Is Adnovum getting into the operational technology security space?

Zangerl: It’s a problem that comes to us in a very special way because the president of our board of directors is also on the board of a Swiss power network operator which has lots of these systems in their power plants. The special thing about these systems is that they are usually quite old and run older versions of Windows.

The challenge is that these systems cannot protect themselves. But fascinatingly, the pain does not seem to be big enough to drive action and investments to secure those systems, because people think the systems somehow work and nothing bad has happened. It’s a bit of a high risk thing. We have partners in this area that provide software which can specifically protect Scada systems, for example, and we also see that as a market.