While THINKSECURE PTE LTD (ThinkSECURE) today has grown into a multi-dimensional entity performing extensive Software Design, Research & Development and Solutioning Services, as well as related Certification & Training in respect of its Software and Services, its origins were much more modest in scope.
ThinkSECURE was founded in January 2005 by established cybersecurity practitioners in response to a few disturbing trends which they felt were on the rise in the worldwide IT-Security industry at that earlier time:
1. A number of technical-level IT-Security courses focused only on tools which were outdated, did not teach any cohesive methodology and only sold on the basis of "Attend My Course And Get These Tools" (most of which were free off the internet anyway). There was no teaching of methodology which could guard against the obsolescence of tools and enable students to learn how to be self-motivated to maintain the skills learnt.
2. Many technical-level IT-Security courses also had no practical certification examination component. This resulted in an increase in people being certified who only knew how to do "exam-cramming" and who did not know how to practically apply the knowledge learnt.
An example of this type of situation was faced by one of our Founders who was hiring some field engineers during a previous appointment. 4 applicants were shortlisted, all claiming to have a particular certification. When 2 network devices were placed in front of them during the job-interview sessions and they were asked to configure them in 30 minutes for back-to-back operation allowing FTP and no other traffic, 3 of the applicants outright refused, saying they were not confident of configuring the devices. The 4th was unsuccessful although, to his credit, he did at least make an attempt. At the time, this kind of situation could be found in many places in the world with "brain-dumps" becoming more prevalent, thus enabling people to get certified on the basis of memory cramming alone and not practical testing.
An analogy of the situation: to know how to ride a bicycle, you must actually get on the bicycle and ride it. Someone telling you how to ride it will not enable you to ride it. Yet this was exactly what was going on when lab-based, practical examination techniques were not used. People weren't being tested based on getting on the bicycle and actually riding it, only how to describe how to ride it.
This eventually would have led to many certifications becoming devalued as an indicator of practical application of skill and knowledge as more and more people brain-crammed and took exams until they passed using memory, not skill. Thus, real IT-Security practitioners and their employers who paid good money to get certified were penalized when employers discovered the brain-crammers couldn't do the job and started discounting various certifications.
3. Some IT-Security service providers did not know how to conduct a proper technical in-depth security test, often confusing vulnerability assessments (which anyone can do - just go and download Nessus and Nmap) with penetration testing, which involves much, much more than just running a simple tool.
4. Some IT-Security service providers just didn't have a clue what constituted a proper security implementation. They focused too much on technology, often saying that "brand-x" or "brand-y" security product would solve all your problems. They didn't realize that People, Policy and Procedure all needed to be considered before deploying a Platform which is just an enabler.
5. Some IT-Security service providers marketed all their staff as having various certifications but the truth was that only some actually had these certifications and the rest of the technical folks were either in non-IT-security-related roles or had little actual experience in IT-security matters. By extending the certifications of a few members of a project team to cover the entire project team, some offenders took advantage of the trust extended by their customers.
All this added up to a situation where many certifications were being awarded on the basis of head-knowledge only and not practical assessment, which was detrimental to what employers wanted and needed: proving that professionals were able to apply practical knowledge and practical skills to any situation.
Our Founders, as cybersecurity practitioners, decided that only certifications with practical lab-based training during the course AND a practical lab-based certification examination to determine whether a candidate could apply the knowledge learnt would maintain their value and be a benefit, not a liability, to the cybersecurity practitioner community.
Practical lab-based examinations would also help protect against brain dumps which would bring down the value of certifications and hurt those experienced technical professionals who took and passed certification exams.
In this respect, our Founders concluded that the only way the company's clients would be independently advised about securing their business using as many cost-effective and non-vendor-specific solutions as possible was to establish an independent entity which would not do any 3rd-party product-distribution/reselling. They reasoned that this would ensure that there would be no pressure for the company to push someone else's product whether it fit in with the client's best interests or not.
Consequently, our Corporate Philosophy in place since the start of business summarizes this focus.