50 Best Workplaces of the Year 2020

An Interview with the leadership of Fortress Information Security: ‘Our mission is to secure critical infrastructure by implementing cybersecurity controls-based automation at economies of scale’


The complexity of modern supply chains has risen as globalization has opened new markets. Procurement can now achieve greater economic efficiency by sourcing technology products and services from hundreds of prospective suppliers from dozens of countries. But maximizing economic efficiency has come at the cost of transparency and resiliency.

Regulatory changes, spurred by geopolitical tension as well as by COVID-19, have driven companies to re-evaluate the risk posed by their global supply chains. Supply chain diversity is essential to maintain the cost-efficiency of business operations, but in order to maintain it companies must be equipped to understand and evaluate the risks associated with current and potential suppliers in their physical and digital supply chains.

In response to the need to manage risk in a simple and cost-efficient way while remaining in compliance with regulatory requirements, Fortress Information Security offers a portfolio of turnkey solutions. Fortress helps secure over one-fifth of the US power grid and critical assets, and manages over 300,000 assets and 40,000 vendors for utilities as well as enterprises in other sectors such as transportation, financial services, and defense.

Fortress technology solutions are purpose-built to align with regulatory frameworks such as the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, as well as National Institute of Standards and Technology (NIST), Cybersecurity Maturity Model Certification (CMMC), and others. Fortress’ platform is modular and highly configurable to meet individual organizations’ needs, and leverages machine learning and artificial intelligence to help organizations accelerate security and increase regulatory compliance. Fortress is the only company that connects assets and vendors in a holistic approach.

Fortress was started in 2015 and is headquartered in Orlando, Florida.

Peter Kassabov and Alex Santos, Fortress Information Security Executive Chairman and CEO respectively, spoke to The Silicon Review. Below is an excerpt.

Q. Explain your services in brief, Mr. Kassabov.

Our mission is to secure critical infrastructure by implementing cybersecurity controls-based automation at economies of scale. In summary, this means that our work helps to secure supply chains of critical infrastructure across multiple industries, in compliance with regulatory standards, with a focus on energy utility and federal industries.

The company offers solutions for each of the four components of successful cybersecurity programs – software technology platform, data and analytics, services and a data exchange called the Asset to Vendor Network, where members can collaborate to increase security, lower costs and ease the burden of compliance.

Q. Mr. Santos, modern cyberattacks are equally automated. How do you help organizations to fight fire with fire?

Fortress helps organizations to prevent supply chain attacks through our File Integrity Assurance platform, one of our newest offerings. The FIA interface offers self-service capabilities as well as access to our team of experienced security analysts. Full audit details are available for all software sources and files validated this way for easy CIP compliance.

The integrity and security characteristics of software files are validated by validating code signatures, comparing cryptographic hashes, and analyzing files for malicious functionality using proprietary and industry-leading capabilities for malicious code prevention.

Software sources are validated by verifying domain threat intelligence, Secure Sockets Layer (SSL)/Transport Layer Security (TLS), and Public Key Infrastructure (PKI) for identity validation and indications of Domain Name System (DNS) compromise.

Q. Mr. Kassabov, perception and reality must coincide in the field of cybersecurity. How do you know if a breach is probable?

Companies are commonly attacked as a result of their vendors’ vulnerabilities. Fortress utilizes Data-Driven Vendor Risk Ranking to predict the inherent risk of third-party vendors, assigning risk as low, moderate, high, or critical and prioritizing them accordingly.

Another way that Fortress helps organizations to prevent supply chain attacks is through Continuous Monitoring. This regularly reveals weaknesses in vendor configuration management, application security, patching cadence, malware origination and spam propagation. The Fortress Continuous Monitoring platform monitors regulatory violations across OSHA, EPA, WHD, HIPAA, state watchlists and other sources.

Besides, Fortress offers Foreign Ownership, Control, or Influence (FOCI) Assessments on vendors and their products. FOCI Assessments help utilities to prepare for Executive Order 13920 and provide insight into the US bulk-power system supply chain by looking at the suppliers that source electric grid components. Our FOCI Assessments reveal vendors’ relationships to the top countries of concern, including China, Russia, Iran, North Korea, Venezuela and Cuba.

FOCI Vendor Assessments look at a company’s cyber presence, physical presence, manufacturing, mergers and acquisitions and corporate families. FOCI Product Assessments evaluate inherent product risk, vulnerability and patch management risk, product security risk and patch integrity, and authenticity validation.

Q. A good workplace stresses teamwork while still encouraging individual achievement and creativity. Does your company follow the same strategy, Mr. Santos?

Fortress encourages collaboration throughout all levels of the organization, while also emphasizing the importance of personal achievement and growth. Employees need to feel passionate about the type of work they are doing, and confident in their skillset and contributions. When employees have these needs met, they’re more likely to want to work together in a collaborative team effort.

Q. Mr. Kassabov, what does the future hold for Fortress Information Security and its employees? Are exciting things on the way?

We’re hiring! Fortress is growing bigger with an annual growth rate of over 100 percent, and we’re projected to exceed that this year. With a culture of innovating and developing solutions that exceed client expectations, we’re growing better as well. As our team continues to expand, our goal is to maintain a culture of confidence, competence and career aspiration achievement that benefits owners and employees in a mutually synergistic way.

The Charismatic Duo at the Helm of Fortress Information Security

Fortress Information Security was founded by Peter Kassabov (Executive Chairman) and Alex Santos (CEO) in 2015. Mr. Kassabov and Mr. Santos are serial entrepreneurs, and Fortress is the fourth company they have started.

Before founding Fortress, they co-founded Digital Risk LLC, a mortgage risk analytics and compliance solutions provider to the U.S. mortgage market. In 2013, Mr. Kassabov and Mr. Santos sold Digital Risk to Mphasis, a subsidiary of Hewlett-Packard, for $202 million.

Before Digital Risk, Mr. Kassabov founded Connextions Health, an integrated direct-to-consumer healthcare insurance sales, complex disease management, and wellness services company that provided predictive modeling solutions to major clients such as United Healthcare, Blue Cross Blue Shield, Health Net, and Cedars Sinai, among others.

Before founding Connextions Health, Mr. Kassabov founded a major BPO and systems integration firm called Connextions Inc. in 1999, which provided integrated CRM and supply-chain solutions to major clients such as Mercedes Benz, Olympus, Earthlink, Chase Manhattan and Nextel, among others.

“We offer solutions for each of the four components of successful cybersecurity programs – software technology platform, data and analytics, managed services, and a data exchange called the ‘Asset to Vendor Network’, where members can collaborate to increase security, lower costs, and ease the burden of compliance.”