On episode 38 of The Andy Show
NICKY PENNYCOOK [00:00:51] Hello, and welcome to today’s The Andy Show. I’m your host for today, Nicky Pennycook . And today we’re going to be talking to the CEO at Torsion Information Security, and that’s Peter Bradley. So let’s bring Peter in.
PETER BRADLEY [00:01:10] Hi!
NICKY PENNYCOOK [00:01:10] Hi Peter, how are you doing?
PETER BRADLEY [00:01:13] I am very well, Nicky. How are you?
NICKY PENNYCOOK [00:01:16] Yeah, thank you. Thank so much for joining us today. So to kick of, would you like to introduce to us and tell us a little bit about Torsion Information Security?
PETER BRADLEY [00:01:28] Sure. Yes. So my name is Peter Bradley, CEO and Founder of Torsion Information Security. What we’re doing at Torsion is we’re tackling an age old problem in cybersecurity and in particular in data governance and data access governance. And that is getting, allowing our customers companies to get visibility and control of who has access to what. And in particular, we’re talking about just regular files in file systems and collaboration systems, both online and on premises. Now, I’d say it’s a problem that has existed for 20 something years, and it’s never really been solved before. There’s been attempts to solve it. And we do have competitors. But, you know, we firmly believe that attempts that have come before us to solve this problem have just simply been ineffective. The problem happens when companies buy those tools or not. And, you know, we believe we’ve come up with a radically different way of solving this problem and one that is is remarkably more effective than none of the things that have come before.
NICKY PENNYCOOK [00:02:40] That’s great. So I’ve got some question here. So I’m just gonna jump straight in. And so you talk about file sharing and access and I’m assuming specially at the moment. This is a hugely important that’s on. So, is it an emerging problem? And why are businesses struggling with this?
PETER BRADLEY [00:02:59] Like I said so, it’s a sa problem that has existed for 20 years. But it’s an emerging problem as well. And let me explain myself. So the businesses have always had you and hundreds of thousands of files, and they’re stored in systems file servers, and now and then SharePoint systems and now Cloud based systems such as Office 365 and Dropbox and so forth. What makes it also emerging problem is that. Now everything’s in the Cloud. So whilst we’ve always had, you know, hundreds of thousands of files. Those files are now accessible 24/7 from anywhere. And sharing any given file outside of the bounds of the organisation is now so easy that the people in your organisation can do it at the click of a button without thinking anything of it. And as a result, the stakes have gone up. The potential impact on the business of the wrong thing being accidentally shared with the wrong person or the wrong thing being shared outside of the company where it shouldn’t have been. The stakes have gone up. Now the potential impact on the business of those kinds of mistakes is far greater than the it ever was. Why a business is struggling? It really comes down to two things, control- getting visibility control of who has access to what files and information. The reason it’s so difficult and the reason this problem has gone, not effectively so for so long. Boils down to two things, scale and business change. So first of all, scale there is just so much information, right? Just the volume of files and SharePoint sites and collaboration containers, Teams and One Drive containers and Google Drive containers. And the volume of stuff is just, it’s astronomical and it’s growing and scrolling at a rate of knots. It’s growing so quickly that it’s simply not possible for any kind of manual, human based process that might attempt to be orchestrated by an I.T. team or a centralised data governance team. It’s just impossible, right? There’s just too much stuff for any kind of manual process to possibly keep up. And the second reason that this is such a challenge is business change. Because businesses don’t stand still, right? The structure of the organisation constantly changes, organisational restructures, people changing roles, customers coming and going, partners coming in and going, suppliers coming and going, new offices, new entire ways of working, such as, you know, a virus coming out of nowhere and all of a sudden the whole world is working from home. Change is just so constant, that who should have access to what is a constantly moving target, right? You might be working in this role, on this accounting, in this office, this week. But next week you might be working on something else. Which means what you should have access to changes over time. And so… there’s simply no manual process that could possibly keep up with that. So ultimately, you know, put the business in a place where people have access to the information that they should have, and nothing that they shouldn’t. That is just so impossible to do when it changes so much and it happens that such a massive scale. Yeah. So the other reason that this problem hasn’t really been effectively solved before is the way that our industry has always thought of this problem. We believe it is wrong as well. So not only was it a problem that simply can’t be solved manually, and yet tools that have come before us are largely manual. The other problem is that the tools that have come before us are tools for I.T. administrators, the software that an I.T. admin can install on his desktop, and he can run reports on who has access to which files and folders. You can push all the levers, largely manual. The problem with that is the I.T. doesn’t really understand information. The I.T. guy is the wrong person to be making decisions about who needs access to any given file in the first place. He doesn’t really understand the information, but we believe that if you want to make a good decision about who should have access to this particular file or folder and what is the security and compliance context around the information in that file or folder, and how should that change over time? If you want to make a good decision about those things, you need a close, intimate understanding of the information itself. You can’t make that decision well, if you don’t understand the information. The I.T. guys don’t. The high guys don’t have that close an understanding of the information itself. It’s their job to think at a higher, more abstract technical level, now that they think about sort of technical system things and networking issues and this kind of stuff. This is where I.T. guys, that’s what they do. It’s not their job to understand the information in every single file, right? It’s not possible. The only people who have that level of understanding of the information itself are the data owners in the business. And so the tools that have come before us, they’re not only manual and therefore ineffective, but they empower the wrong people, right? So this is one of the biggest differences between how our competitors and how we approach. The problem is that, first of all, we don’t focus on the I.T. guys. We focus on the data and is in the business. And secondly, we remove the manual element. We automate it all, figuring out who should have access to this information and then automatically controlling it. Automatically pinpointing instances where this guy has access to that document and it’s not okay. Automatically pinpointing that at scale. And in real time and using advanced techniques like Machine Learning, A.I. and these sorts of these sorts of modern techniques which have been facilitated by the Cloud. Using those kinds of techniques to do it and thereby doing away with all of them manual processes ultimately takes our customers to a place where they have think visibility of who has access to information and perfect control of who has access to what information, regardless of scale, regardless of business complexity, regardless of the rate of business change, and regardless of which systems their information is embedded in the Cloud or premises or combination of both.
PETER BRADLEY [00:09:30] Cool. Well, you talk a little bit about what needs to be done? The technicalities behind it. So, look, all businesses that are about to say it’s not an emerging problem, but then it’s also tended to imagine then say what are they doing? And how is technology and specifically your technology helping that?
PETER BRADLEY [00:09:52] Sure. Yeah. So, I mean, historically, what they have been doing is trying to approach this with manual processes, manual governance, audits and reviews and central I.T. teams or compliance teams or security teams that try their best to to understand who has access to what and and get control of it. But, you know, as I mentioned, those centralised processes, they get overwhelmed by scale and they are orchestrated by people who don’t understand the information and therefore the ability of those people to draw insights and actually add value is limited because they don’t understand the information. So what our customers are doing and conversely, by putting in our technology and connecting it to their existing information systems. So a Torsion customer will connect that Torsion instance to their Office 365 tenant and to their on premise file, to their on premise SharePoint systems. And the other systems where they store and manage files and information and carry out information management and collaboration type of our use cases. And then after a little bit of thinking about data governance modelling, and upon us help their customers to understand how they want to interact with their information, how they want the business uses to engage with their own information. From a security and a compliance government’s perspective. After they’ve figured out a little bit about how they wanted to work, setting it up in the tool is dead easy. And then Torsion runs it for them automatically. So customers of ours big and small. Ranging from the sort of 50 odd customers all the way up to thousands and up sorry, 50 odd staff members all the way up to thousands and thousands of staff members. They are now able to effectively get rid of those manual governance processes that they used to have. Get rid of those I.T. centric tools that weren’t really effective, replacing old those. And let Torsion run it for them automatically top to bottom. The way the Torsion works is that it does run mostly in the background. We only pop our heads up in terms of a user interface or an engagement with the user. We only pop a heads up when something’s wrong, when we spot an instance, for example. Now, you… We might have figured out that you, the business owner of this file. We.. and then we can also notice that this file is accessible by that guy. And it’s not correct, right? It shouldn’t be that way. That guy should not have access to that kind of information. So we spot that circumstance automatically. The next thing we do is figure out that you are the business owner of that file. So you are the person we tell, right? We give you the notification. We’ve just found that this guy has access to your file and doesn’t look okay. What do you want to do about it? The user experience for you is designed to be as extraordinarily simple as possible. We actually aim for our entire engagement with you to be 2 seconds or less. Literally, that’s all we want to ask for. And that’s our goal is 2 seconds of your time and that’s it. And we’re out of your way. Right. We want to sit in the back. We don’t want to bother you. But you know that that interaction is simply. Well, here’s the problem. Here’s the context. What do you want to do about it? Fix it or ignore it? That’s it. Simple as that. If you say fix it, then we do. And we’re out of your way. And then that entire flow. We’re obviously keeping track of all of this stuff from an auditing and reporting perspective. So Auditors, administrators, centralised teams can keep an eye on it. They can run reports on what’s going on. What issues have been detected? What issues have been fixed and ignored. And what’s the state of play from it? From an I.T. perspective or a compliance perspective? You can read reports on that at any time. But the way that we engage with those business users is we give. We put them in the driver’s seat in terms of telling us what they want to do about a problem, because they understand the information is that the data on this but that is balanced by a recognition that the business owners are busy. They are not technical, theý’re not interested in this stuff. And so the only way that we can legitimately ask for their attention or engage them in a question or a decision about the data access governance. The only way we can do that is by making it insanely simple for them. 2 seconds of their time and we’re out of their way. And the choice is big and obvious. Fix it or ignore it. And that’s it. And then we’re out of the way again. So that’s kind.. and then using automation Machine Learning in these kinds of things to fill in the gaps, to ultimately achieve the goals that we set out to achieve.
NICKY PENNYCOOK [00:14:54] Yeah, cool. Thank you. So you talk a lot about how I.T. teams shouldn’t and no longer actually need to manage those permissions for those files. So I say that’s quite a big step forward. And I can imagine that’s quite a shock to some people as well. How are people reacting when they realised that data governance doesn’t mean or have to be an I.T. issue anywhere?
PETER BRADLEY [00:15:19] Yeah, sure. You’re right. It is a big step. And I mean, it’s not quite as black and white as that is when it shut the I.T. guys out. They ought to the extent that they want to. But now that in it in a conversation, a classical conversation about identity access management. Now, I am typically historically is a conversation about who should have access to what system at a time or what network at a time. It’s kind of at that relatively high level. But when the conversation comes down to the much lower level of granularity, who should have access to this file at the time? More time than traditional identity access management doesn’t come down to that level of granularity. Consequently, it’s a big line spot. The I.T. guys don’t understand the information well enough to have a conversation one file at a time. And identity, traditional identity access management tools don’t go down to that level of granularity so it’s got there. The way that people react when they see the demo of Torsian. It’s honestly, it’s one of my sort of favourite moments in showing it’s all that. People’s reaction is generally. Well, of course, this is how we should have been solving this problem for the last 20 years. This is how we should have been doing it. This is how we should have been thinking it all along. We’ve just never seen how it could be done before. And so, after you know, once they say, oh, okay. Now I say it and it’s blazingly obvious. It’s not complicated. But you need to see how it works to then go. Of course, this is how we should have been thinking about it. This is why we’ve been unable to really solve this problem for the last 20 years with with traditional I.T. admin type tools. This is why they haven’t worked. This is how this is so massively different. And straight away, you can say, yeah, this is going to work. Where those other tools that we tried, they really don’t play with a lot of our customers. I won’t name names, that have purchased our competitive- a competitor’s tools in the past and have tried to use them. And I’ve spent a lot of money on them and have found that whether or not they bought those tools and made those investments, problems still happen. Access to… who has access to what gets out of control over time. Whether they buy those tools or not. And that simply means that tools don’t work. And so for Torsian to come along with such a radically different approach and when you see it, it’s like, yeah, clearly that’s gonna work. And and it really does. You know, the customers are remarkably satisfied with it. So, you know, it’s it’s an exciting time for us as a new company hitting the market, growing quickly with with some genuinely disruptive technology, approaching an old problem that just about every company has any company that has invested and is using these kinds of information management collaboration technology, such as Office365, such as Dropbox, such as Legacy File Shares and everything in between. Every company out there, they don’t want this problem. And so now to come along with a brand new solution which genuinely solves it in a way that our competitors never have. It’s an exciting time.
NICKY PENNYCOOK [00:18:56] Yeah, absolutely. You’ve obviously, you’re in an exciting time but we’re also in a very crazy time. And something 6 months ago. I mean, longer than that, we didn’t realise that they would then be needed to lockdown situation. People are going to be working from home more. And like the world has just changed at a click of a finger. Now that we’ve moved to home working, and teams are at home, not in the offices and stuff. Has this added any additional security issues when it comes to data sharing?
PETER BRADLEY [00:19:28] Oh, very, very much so. Now that the use of online collaboration tools, remote working tools, Microsoft Teams being the biggest in our orbit. Yeah. All of a sudden, people are collaborating and sharing, using these online tools to a much, much greater degree than they ever were before. And so, yeah, the fact that our tool works with Microsoft Teams and can give you clear visibility and control of who has access to information inside of Teams. As well as in the other technologies around it in the Offices 356 space and Sharepoint online, One Drive and so forth. Yeah. The need for a solution like this has just gone up a thousand percent almost overnight. Giving an example actually of one of our customers had a unique set of requirements. Which was caused directly by the COVID situation. So they’re a government department here in the U.K. They employ a combination of office based and laboratory based staff. And the balance was around about 1/3 office, 2/3 lab based. And if they’re watching, they’ll probably correct me on the specifics of that number but broadly, it’s about right. And across the organisation, you know, they have hundreds of thousands of files and different containers, all in Office 365. And who had access to which files in which containers, Torsion was already helping them get visibility and control of those things. When the virus struck. They were able to, the 1/3 of their workforce that is office based were able to transition to work from home fairly fluidly. But the two thirds of their workforce that was laboratory based, they had to go on furlough because you can’t run a lab from home when you don’t have the equipment and so forth. But after a little while, the head of the department wanted to temporarily reassign their lab by staff to other areas of the business. Just to keep people productive alright. Just to continue deriving value from his workforce rather than just having people sitting at home watching Netflix. So what that meant is a mass reassignment of access permissions. All of a sudden, like, you know, these people are… So that guy is going to that team. That guy’s going to that team. That guy is going to that team. But it’s all temporary, right? It’s all just for the next 2 months until the virus situation starts to lift and things will go back to normal. So hundreds of people now started to need temporary access to different areas of the organisation and all the information that pertains to those areas, the information that in and of itself is very, very complex. But then it all needs to be unwound as the fellow situation starts to unwind. So that job not only has to be done once, but it has to be done twice. And this, by the way, is an organisation that deals with a massive volume of incredibly highly sensitive information. The potential impacts of the wrong people getting access to the wrong stuff could be catastrophic. So it absolutely cannot be allowed even for one file, for one person for one day. It cannot be allowed. So achieving that in another, like in a normal state of times, is very, very hard. But then when you want to just move everyone and then 2 months later move him back. That’s I mean, to do that manually. Forget about it. Right. The risk is so high and the difficulty of doing that is so high, that it’s probably better to just leave everyone on furlough watching Netflix. But using Torsian, they were able to not only get that done but get it done really easily. Now we helped them just sort of understand, okay, who’s going where? Set up the tool, hit the go button, bang. Right. And straight away everybody now also has access to the things that they need temporarily. And all of those additional accesses have an expiry date. They’re going to snap back as soon as the virus situation ends. So that kind of thing, we’ve added a huge amount of value there. Allowed 2/3 of the organisation to get back to being productive. And for us, that was just kind of a day at the office.
NICKY PENNYCOOK [00:24:09] Yeah, yeah, absolutely. And that was a really nice example of seeing your work at practise and that was actually my next question. So, just as we sort of come to the end and in summay. How like we are in a completely different situation to what “we move forward ever gonna be end”. Do you think things are going to go back to normal? Are we going to see this continuous change in… Yeah. How are people using file sharing from home? Or is that going to be that mix between office and home and slowly going back to normal?
PETER BRADLEY [00:24:43] Now, I think we are witnessing the start of a new normal. Physical office spaces aren’t going away. But I think the role of physical office spaces in modern information centric businesses is going to diminish rapidly. We’re already seeing in the press examples of large organisations and big banks and so forth saying, you know what, we don’t need our office anymore. The bank is working fine with everybody working from home. Why do we need to spend all that money on an office for? Now, these online remote working technologies, there was always going to be a hurdle for us to get used to them. As an industry or as it is a workforce for us to get used to that working from home situation. But we were forced to overcome that hurdle when the virus hit us in March. We’re there now and you know, the idea of going back. You kind of look at it through new eyes and go, oh, we don’t need to. Maybe we can go back part time at this work from home, remote working technologies are ready to fill a gap. So you know, that means that the need to have strong visibility and control of who has access to what files and information and collaboration spaces and conversations and information. The need to do that is only heightened by the fact that people aren’t there anymore. You can’t look over their shoulder. You can’t keep an eye on what they’re doing in a physical sense anymore. So the need for these, for the remote working technologies is established. The need for tools like Torsian that can help balance out just how easy it is to remote work, just how easy it is to share stuff with other people and do these online or spontaneous collaboration type scenarios. Those tools need to be balanced by a certain degree of security and compliance. Otherwise, we’re just creating problems for ourself. So yeah, they’re off the road and we think is only going to increase as a result of this new world that we find ourselves in.
NICKY PENNYCOOK [00:26:54] That’s really interesting. Thank you very much, Peter. You’ve been really insightful. It’s been great to hear what Torsian up to and how you’re adapting and changing in this situation. And yeah, thank you, you’ve been a great guest.
PETER BRADLEY [00:27:06] Sure, thank you very much.
NICKY PENNYCOOK [00:27:12] So that was Peter Bradley from Torsian Information Security, tell us a a little bit about file sharing, how they’re changing. It sounds like they’re going for a really exciting time at the moment despite everything else that’s going on around us. And so we’ll be back tomorrow for The Andy Show at 12:30, Friday. So looking forward to that. And thank you for joining me today. You can check out disruptive.live and of course to our social media and can touch you if you want to be involved and be a guest. Peter, thank you.