Quis custodiet ipsos custodes?


2008-10-20

A fundamental problem was described by Plato in the Republic, his work on government and morality. In the Republic, the perfect society reliant on laborers, slaves and tradesmen is described by Socrates, the main character of the work. The guardian class protects the city.

A question is put to Socrates, "Who will guard the guardians?" Plato's answer to this is that they will guard themselves against themselves. We must tell the guardians a "noble lie." The noble lie will inform them that they are better than those they serve and it is, therefore, their responsibility to guard and protect those lesser than themselves. We will instill in them distaste for power or privilege; they will rule because they believe it right, not because they desire it.

In our work as custodian, or protector, atsec has an important role in evaluating or testing the conformance of a product or service related to information security, giving security assurance commensurate with our reputation and the trust afforded to us. In our world, the users, developers and sponsors are the laborers and tradespeople described by Plato. Plato's answer to the question "Who will guard us against the guardians?" holds true to atsec's business. atsec expends a lot of effort and resources in guarding ourselves. We culture the belief in our version of the noble lie: that when it comes to the field of IT security, we are, through our great experience, better than those we serve; through our belief in this lie, we develop the responsibility to guard and protect our customers.

As we seek to serve our customers, we are governed first and foremost by our business principles, and it is no accident that these reflect Plato's thinking!

We are independent
atsec is a privately owned company. We are not affiliated with any hardware or software vendor, and we never will be. Our credibility as consultants hinges on that independence. Our customers can rely on us to be objective. We have no interest in selling anything other than our security expertise.
atsec is financially independent: we are bound to no bank loan commitment, no outside investors, no vendor partners, and we don't use credit. We are free to follow the path we set for ourselves, competently and steadily pursuing our work on behalf of our clients, prudently growing our company as solid opportunities emerge. The measured path the company has chosen to pursue might even look a little boring ... but "boring" is right when it insulates us against the hard consequences of widespread financial credit difficulties. Our stubborn insistence on maintaining independent excellence in IT security might be seen as arrogant ... but "arrogance" in your area of expertise is justified if it comes from well-founded self-confidence.
In the last few weeks, this principle has protected atsec well from the short-term effects of the credit crunch. We have no worries about the security of atsec's securities.

We know the business
atsec knows the worldwide information security consulting business very well. With a multinational staff, it is only natural that we feel comfortable operating internationally. We are a company with global reach.
The information security problem is global and borderless. We see clearly in the current financial crisis the inevitability of global interconnectedness and the folly of not recognizing and planning to manage that dependency. atsec operates in every region, understanding the legislation and regulation differences that are applicable to operations in those regions, and we also support our clients as they address issues with global connotations.

We stay focused
atsec consultants are information security consultants. As such, atsec focuses solely on information security consulting. We do not consult in any other areas, and we do not sell hardware, software, or any other ware.
We are the best! You can rely on us to ensure that your security assessment is the best. We demonstrate continual excellence in information security. We do not dilute our skills by trying to make money through selling products or accepting work that is outside our field.

We act with integrity
Information security consulting and evaluation is a high-integrity business, and very much a matter of trust. All of our employees are committed to sustaining the highest degree of integrity in our client relationships. We are devoted to delivering the highest quality in a timely manner.
This principle, too, is very close to our hearts. There are many ways in which we demonstrate integrity, but consider that in a single year, atsec undergoes audits and assessments from the following bodies:

  • NIAP, CSEC (Sweden), and BSI (Germany), who run the national Common Criteria schemes with which we are accredited and who regularly and independently assess our technical proficiency.
  • The CMVP (NIST and CSEC (Canada)), who assess our proficiency with the Cryptographic Module Validation Program, the Cryptographic Algorithm Validation Scheme, the NPIVP (NIST PIV Program), and the Information Security Automation Program.
  • The General Services Administration (GSA).
  • NVLAP (and the corresponding responsible bodies in Germany and Sweden), who assess our laboratories for conformance with ISO 17025.
  • The PCI Council, who regularly assess the quality and standards of our performance as we perform our work in PCI QSA and ASV.

Not content with that list, we voluntarily, at a not insignificant expense, pursue added oversight from:

  • ISO 9001 and ISO/IEC 27001 conformance certifiers.
  • Independent management consultants, who are invited on an annual basis to help us review our business strategies, not just in the short term but on a medium- and long-term basis, too.
  • Our financial auditors, who also play an important role in establishing atsec's integrity.

Why do we do all of this? To develop and demonstrate competence and adherence to ethical principles and, not least, to develop and maintain the trust afforded to us by our customers. atsec's belief is that excellence comes with an obligation, in this case to protect our customers. We are not their rulers, but their servants, dedicating our excellence to making their organizations, products and services more robust and, hence, business and society in general more secure.

You may point out that in some sense, the organizations that audit and assess us are atsec's guardians. It is completely true, and without them, our city would be weaker. However, atsec is not content to accept that these organizations cannot benefit from our assistance and so, using our knowledge and skills developed in the information security city, we take pride in our active role in defining the various validation schemes; developing the standards to which we and IT products and services conform; and even in training and supporting the assessment of our guardians! Why on earth would anyone spend precious resources in a small company on such activities?

Why?

Simply because we believe it is right.