Mohan Gandhi is the Co-founder and CEO of Entersoft, a cyber-security company headquartered in Brisbane. Entersoft helps organisations secure their applications in the most cost-efficient and pragmatic way, with a team holding offensive certifications such as OSCP and OSWE.
Entersoft currently has over 300 clients globally and recently won FinTech Awards 2016 for Best Innovation in Cyber-security & Anti-fraud. Entersoft has also launched Ensights, a news app that keeps you updated with the latest developments in cyber-security.
I sat down with Mohan to talk about his start-up experience and the growth of Entersoft since its founding in 2013.
Entersoft is one of the 8 companies admitted to the SuperCharger FinTech Accelerator 2.0. Don’t miss SuperCharger’s Demo Day on 11 April, 2017 at HKEx Trading Floor, where the companies will showcase their cutting-edge demos.
Check out the exclusive video interview with Entersoft here.
How did Entersoft begin and what are its missions?
Entersoft began with a core philosophy to establish a culture of offensive security. You can’t beat a hacker, but you can train to be a good one. Founders at Entersoft have a mission to create a workplace that encourages white hats to perform research beyond traditional boundaries. Our mission is to be offensive, proactive and pragmatic.
What makes Entersoft stand out from other cyber-security companies?
Unlike traditional security vendors, Entersoft goes above and beyond the basics of penetration testing. We understand what is critical to organisations, their applications and their core competencies. We attack and secure these core competencies and Crown Jewels first to help organisations improve their application security quotient. We are absolutely success-driven and make security a strategic investment.
Can you tell us about hacker communities?
In general, there are 3 categories of hackers:
Script kiddies — Amateur hackers who have just begun learning how to hack — they attempt to attack websites by reading up about other hackers’ exploits. They work independently.
Black Hat Hackers — Lethal hackers who are a lot more advanced in their exploits. These are skilled hackers who have a better knack for creative problem solving and often design their own exploits.
Sponsored Hackers — Sponsored hackers are the most dangerous — they are a lot more sophisticated in their attacks and have a stronger army of hackers behind them.
Hacking is a thought process that cannot be taught. One should possess that intrinsic quality, or at least be able to channel it. Real hackers never project themselves as hackers. Also, "ethical" is just a word, and a very subjective one. It does not follow that everyone who knows hacking is an ethical person. When we hire, we look for this intrinsic quality, and even if a candidate lacks it we create a cohesive ecosystem to develop this instinct.
What is your approach to hiring top talent in hacking, and how do you lead them to develop their reputation?
Hackers cannot be trained, they can only be cultivated. All we do is provide a stimulating and encouraging environment to hack legally. We also plant the seeds of patterns and algorithms for a systematic approach in their learning process. The rest depends on the individual's passion and dedication to be top notch. We continuously monitor their critical success factors based on our internal KPIs.
We educate our team to not run after success. We train them to be efficient. We give them the liberty to choose their areas of expertise and make sure they have everything they need to become the best.
How do you evaluate the value of a particular bug? Does it depend on the number of bugs, the extent of their threat, and so on?
We value it based on global standards such as OWASP Top 10 standards, SANS security checklist, CERT checklist and our very own Entersoft Vulnerability Rating Index. The severity assigned to each vulnerability is calculated using the NIST 800–30 standard. The standard determines the risk associated with the application based on the likelihood of an attacker exploiting the vulnerability and the impact it would have on the business in such a case. We also consider the business impact as an important parameter to rate the bug and evaluate the gravity of attacks.
2016 has been an exciting year for Entersoft, winning FinTech Awards and launching Ensights, the cybersecurity news app. What is in the pipeline for 2017?
We are excited about the launch of Enprobe — a cloud based, scalable and lightning fast scanner that helps you identify vulnerabilities in your applications. It is a DevSecOps platform for Vulnerability Management.
What difficulties did you encounter in the early stage and how did you overcome them?
The difficulties we faced during our early stage were about the lack of proactivity from organisations regarding security and its implementation. During the initial stages the market was more reactive than proactive. This helped us understand the importance of educating our clients first and making them understand that there is a company, a team of friendly hackers, who can assess their apps with an offensive approach. Customers don't know the difference between network security and app security. This problem still persists in the present-day market as well.
Initially, we projected ourselves as an IT security firm. This created some confusion among a few of our potential customers that we are into managed security with regard to all the components in an IT infrastructure, which consequently led to chaos (which is good). We were then able to understand the problems at a granular level and therefore decided to focus on one area where our core IP can be utilised in order to rotate the wheel of revenues.
Do you have any tips for other FinTech start-up founders?
We think FinTech is just another tech term which got added to the list. All we can say is “Security is a process. It is not a destination”. Both technology and security should go hand-in-hand.
To get in touch with Entersoft, please email firstname.lastname@example.org