The five minute CIO: Eamon Noonan

20 Sep 2013

Eamon Noonan, co-founder and technical director of The Exam Centre

The Exam Centre is a dedicated Dublin-based facility for professionals to take computer-based tests and certification exams. Co-founder and technical director Eamon Noonan tells us about expansion plans, using IT to focus on customers and why security is underappreciated.

Can you describe your role – how much of it has a business focus and how much is dedicated to technology?

My remit is more from the technological perspective. That came actually by design rather than accident and the reason is, both of us [with co-founder Linda Hennessy] found ourselves redundant after several years in the industry. We formed our own business and decided from the get-go that we were going to split the responsibilities of the company to make sure our own talents came out to the front.

We look at the business from two different perspectives. The Exam Centre is a walk-in test facility for the likes of Cisco and Microsoft. My job is to ensure all machines work as they should, and to ensure all patches are done and maintain the integrity of the exam.

Linda’s function is marketing. We have noticed a 250pc increase in our business as a result of work Linda has put in. She has pulled in the clients.

It also means the system has to function correctly. We have 20 machines, we run on a very secure network, on machines with the highest spec. We try to give people an exam experience – making sure that those who come in to do exams do so in an environment with no distractions around them.

I’ve taken over 50 computer-based exams so I know what it’s like to walk into an environment, stressed out, and do an exam.

How important is technology to the business?

Use of technology in this business is absolutely paramount. We depend on people using our equipment to take exams.

What are the big trends or developments in your sector and how will you respond to them using technology?

Realistically, the biggest emphasis is, in this country people need to get back to work, and to do that, they need to be trained and to be assessed. Our three-year plan is to have nine centres throughout all of Ireland. The trend is to allow an experience where anyone can get an on-day exam to get a certification. Traditionally, people had to wait days, weeks or even months to get an exam – I think that’s rubbish!

Because your business model has to be ‘build it and they will come’, what implications does that have for your IT budget?

We made a decision, we had this idea, and we invested our redundancy into this … we spent the money – there was no point doing this halfway. We wanted to do it right … It takes a lot to get a client through the door, so we want to make sure we keep them.

We had an exam room during the summer when it was 29 degrees. The centre was full, we had fans running … in the end, we closed the centre for two days to install air con. OK, it’s an expensive process but the [customer] experience is what it’s about.

Having that customer focus – what implications does that have for how you approach IT?

When we decided we wanted to start the business, it needed more than that. We needed to have a buffer. We went to our banks and they gave us the buffer.

We didn’t go out and buy 15-inch monitors, we bought the latest 19-inch monitors, and machines with quad-core processors. We did everything to ensure that when the customers walked through the door, they knew where they were.

How much of your day is spent on administration of the technology you’ve got?

I spend approximately two hours a day ensuring everything is up to date. The system is started up 45 minutes before the first students arrive, and full diagnostics are run. We have to be careful, especially on Microsoft’s patch Tuesday. And the backups, uploading exams to the various servers … have to be run at the end.

The whole process might seem simple by virtue of being routine. You do it so often, it becomes second nature, so that works well for us.

The way that we work here, it’s all about making sure the customer coming through the door has the right experience, because they’re stressed when they get here.

The technology has to work. I spend weekends here making sure everything works. We regularly swap the machines out.

We’ve got redundancies at all levels built in. We’ve got a very high-speed synchronous wireless connection with the backup of a wired network. If one fell over, we would be down for two minutes but even that would be failure for me.

How much thought had to go into planning this infrastructure?

Before we said we were going to do this, we had a long laid-out plan; the philosophy was, we’re not going to do it unless we do it right. We weren’t going to scrimp and save on it.

I’m a geek: I look at the latest and greatest technology and I want to see how to integrate that into our business. Our time and investment at the initial stages pays huge dividends. We look at the fact that we don’t have downtime, even if we might be running our systems eight hours a day. It’s like a car: you’ve got to oil it and change the filters. You’ve got the treat them right but you still can’t depend on them forever.

Those who are doing exams require those levels of specs of machines to be able to do the processes that they’re being examined on. We get guys doing SANS [information security training and certification] exams – that’s the highest levels of security so we can’t do that with machines that aren’t capable of doing that.

We’re planning for next year, where our minimum spec is 8GG RAM, and at least 1 TB of storage. We would have a redundant capacity way beyond that because some exams may require a huge partition on the drive.

What’s your approach to security, given that your other business is very strongly focused on this area?

Because our secondary business [Digicore] is teaching a full master’s degree in computer security and forensics, we understand all of the problems that are associated with it. So in our own business, we go through all the processes of access control, of multiple verifications. We don’t have one single point of failure within the organisation.

We are dealing with people’s futures – that’s as important as someone’s medical details. The exam process is strictly between you and the exam vendor: we just facilitate that process. But we are rigid about the exam process. We don’t store any unencrypted information on our systems, and we have a multiple process of validation for people coming in here.

How much would you say you spend on security as a proportion of your budget?

It represents around 10-12pc per year. For example, we’re about to increase the number of CCTV cameras and we’re getting zoom cameras. We’re also about to introduce our own ID cards – it gives people who come to do the exams a third ID validation of who they are … All of this raises the awareness of what the security is about, and it validates that the achievement is real.

Your own background is in IT security: how has that shaped how you approach technology generally?

It’s done it simply because we realise this is the golden compass: you have to work from this point backwards. Security should be the pinnacle of what you do and everything falls in behind.

Security should be the primary element: it should be the area that everybody moves from, not to.

Some businesses claim sales, finance or HR is more important, but if IT fails, the business fails. We don’t think about security as being an important issue – it’s seen as something a select few will take care of. It’s something we have to have, rather than we need to have.

There’s not enough spend put into security. Any IT security person will tell you they’re constricted by budgets. Unless we change our philosophy and say our most important category is data, we are wasting our time.

I believe everybody should be taught about cybersecurity as part of the secondary-school curriculum … does it mean being paranoid? No. It just means being educated.

A lot of people in IT security complain that it’s only a consideration very late in the day on IT projects: do you think IT professionals give security the importance and recognition it deserves?

I totally agree with that. From an educational perspective, we run a program called CSTP – certified security testing professional – and it teaches people how to circumvent security vulnerabilities: to teach people how to do [an attack] so they can prevent it.

Some people who design websites are under such pressure to be able to produce commercial code that what they do is, they forget about the security constraints and the security posture that sits behind the site.

Generally, it becomes a position of having to fix the problem after the horse has bolted. I believe people should have some background in secure coding.

As far as security is concerned, it doesn’t get the recognition it deserves, simply because it’s always a bolted-on element – it’s always an afterthought. It’s only when laptops are stolen, or customer records found in a skip that it becomes prominent after the event, and sometimes a long time after it.

Gordon Smith was a contributor to Silicon Republic