Interview of Apaga Technologies CEO Michel Davoudian to Mediamax Agency, Banks.am and Itel.am portals

- On April 27, Apaga Technologies organized a seminar on new ISO 27000 Information Security Management Systems standards and certification for banks and other financial sector companies. It was mentioned at the presentation that the new standards mark a new stage of development for the Armenian financial system. What is the reason for that, and what specific advantages do these new standards provide for?

- Armenian Government has decided to localize the ISO/IEC 27000 international standards and adopt them as national. These standards can be adopted by any company,  and should be specially  considered by banks and financial institutions. So, if we want our banking sector to be competitive nationally and internationally, we have to adopt these rules as a way to protect information.

These standards have been elaborated by various authoritative companies, among them, HSBC, Royal Dutch Shell, Unilever and British Telecom. These are big companies, which are very well organized and are very careful as to their information security.

I think implementation of these standards is very important for Armenia. Once the banks have ISO27000 certification, they get many advantages in cooperation with the international banking system. As you probably know, unfortunately Armenian credit cards are not accepted in many countries, even being Visa and Mastercards. Very often one cannot make a purchase, for instance, on eBay, using an Armenian credit card. So, once international banks know that Armenian banks comply with ISO27000 standards, along with a number of advantages, our credit cards will also be accepted internationally.

When you are well organized, you know that you don’t have to do the same thing twice. Adoption of these standards helps the company to optimize and rationalize its work and to cut down expenses. The standards are flexible, they don’t dictate the company how to act, they just advise to comply with the rules; there are many items which a company may decide to comply with or not.     

- How many Armenian banks and other financial organizations are already adopting the new information security standards? What is Apaga Technologies’ role in this process?

- Nobody has adopted them yet, but most Armenian banks are already on their way. We initially offer them the ISAS – the Information Security Audit Snapshot, a service to assess the situation through a tool with a ranking scale. It provides an accurate view of their present security situation. We examine not only their IT-infrastructures, but also all other issues concerning information security: business continuity planning, physical security, human resource security, access control, etc. Then we make a report, in which we outline the current situation, as well as the necessary steps to solve the potential issues. It’s a necessary process to achieve the ISO27001 certification. Most of the issues can be solved by the company staff, but some are more difficult to achieve and require external assistance. So, let’s say, if during an ISAS we find 100 audit findings, maybe 70 of them can be solved by the bank internally. The remaining 30 points may require the help of a consulting company like APAGA.      

- How do you assess the level of information security in Armenian financial sector in general? Are we inferior to developed countries in this respect?

- We’ve already made research on several banks and, although I cannot disclose the details, the level of information security in most of Armenian banks is not sufficient. Many financial companies have no real mean to protect and monitor themselves efficiently. The reason is that Information Security issues are still not well understood by management today. It is too easily associated only with IT instead, when in fact it concerns the whole company. Eventually banks will need to comply with ISO27000 standards and the Central Bank (CB) of Armenia will certainly encourage the effort, as it will make it easier to control and assess the financial sector.
 
- How many countries have already fully implemented these standards?

- The biggest percentage of companies, which have implemented them, is in Japan, India, USA and Europe. But even in Europe not every big company has ISO27001 certificate, as these standards are relatively new. The full process of implementation is a profound organizational and cultural change and may takeup to 2 years to achieve.

I should mention that even if a company doesn't want to get the certification stamp, it doesn’t mean it should not follow these standards, as they're very good guideline for a company to be well organized and function in a very smooth way.

- How do you assess the Armenian market of information security services?

- Today we cannot yet evaluate the market itself, because so far most of the IT security was handled with “homemade solutions”. This means you have IT-division, which makes a firewall for you and changes its rules manually. This is something that was acceptable 10 years ago. Today it can be acceptable for small companies, but by no means for banks. So, companies like Apaga, with European and Armenian certified and experienced consultants, can provide a full range of services to help banks do securely grow their business.

- Internet-banking services market is now being actively developed here. What effect does it have on the market of information security services?

- The situation in Armenia in this aspect is very interesting. Every bank wants to launch its online banking services. Many have already done it, but not always with a clear analysis from a security point of view. This could lead to major disasters for some of them.

The internet market in Armenia is booming, there are new operators, the quality is getting much better and the prices go down. So the websites will have much more local users and become much more open for  users abroad. It means we can expect much more risks.

During these few years we have seen many serious attacks from the Azeri and other places and unfortunately nothing has been done to prevent them so far. There are lots of talks, but companies mostly continue to protect themselves without professional assistance from outside.

Our certified consultants provide several services, including penetration testing. The purpose is to check and try to take control of the client’s systems. This is performed from the inside and the outside, just like a hacker could do. Remember that 70% of the threats come from the inside. We can then identify vulnerabilities and risks and provide detailed recommendations. This is called “ethical hacking”.

So, the market is improving for us. At the same time, IT-security market needs very high level of knowledge and only real professionals will stand the competition. Our company, for instance, which was established by me 25 years ago in France, has got significant knowledge on all the topics of information security. We know the new threats.

- Is it possible for Armenian companies, which provide information security services, and particularly, for Apaga Technologies, to enter the international market? 

- In fact I did the opposite, first establishing a company in France and later in Belgium. But I think it’s quite possible. There are very talented young specialists here in Armenia and we train them in order to elevate their level of knowledge and make them international level information security consultants.