Ryan Davis, NS1’s newly hired chief information security officer (CISO), says the company’s customers ask a lot of questions about business continuity plans and exercises lately.

It makes sense. NS1 develops web and application traffic management software for almost 500 major brands worldwide including Squarespace, Salesforce, Linkedin, Yelp, and Dropbox. And these companies don’t want the COVID-19 pandemic to disrupt their business operations.

“There’s a very heightened concern, and I would say rightfully so, that their vendors are doing all of the things right,” Davis said. “Given the critical nature of what we do, I don’t fault any of them for coming in asking those questions. That being said, I think now is too late. You should be asking those questions before you’re in the middle of an incident.”

Plus, Davis says, business continuity and disaster recovery plans tend to take into account natural disasters. Like, what happens if a hurricane knocks out my company’s data centers? But a pandemic forces businesses to also consider what happens when employees start getting sick or dying?

“I 100% hope we don’t have to contemplate it, but a pandemic is a situation where you do have to contemplate that,” Davis said. “If you start losing people who are critical to your business, how does the business sustain that? We try to make sure that we have redundancy, people who are cross trained so there’s someone else who can do that person’s job. Especially at large enterprises, how do you make sure that the person whose job it is to change the locks on the doors, how do you make sure that there’s somebody who’s redundant to that?”

Davis says this may be the biggest lesson learned after the virus goes away. When it comes to business continuity, “we always gravitate toward the same scenarios. Most people don’t contemplate a pandemic. So I think there’s going to be a lot of revised business continuity and disaster recovery plans that will probably more succinctly account for a scenario like the one we’re in the middle of. I can’t tell you exactly what all those lessons learned will be, because I think we’re still figuring that out. But I think a lot of companies now are realizing that those plans that they had drafted some time ago, they probably should be revisiting them on a more frequent basis.”

Davis joined NS1 earlier this month. He’s the company’s first CISO in its 7-year history. Previously, Davis served as CISO and CIO at security software company Veracode, and prior to that he supported Department of Defense customers while holding information assurance roles at MIT’s Lincoln Laboratory.

As CISO at NS1, it’s Davis’ job to unify the company’s security strategy. And security has always been a priority to the company, he says. NS1 maintains SOC 2 Type II certification. It also does external network penetration tests, during which an “attacker” tries to enter the internal network via vulnerabilities in the company’s external assets.

“I want to make security a differentiator for us,” Davis said. “So that’s really my mission. That, to me, is the way we win the market.”

This doesn’t mean NS1 wants to be a security company, he says. In fact, NS1 partners with other infrastructure and security companies including Cisco and Dell Technologies, which led NS1’s $33 million Series C funding round last October.

But it does mean “building security in from the inception,” he said. “That everything we’re doing, we’re factoring in security as part of that.” This involves a DevSecOps approach that integrates application security into the DevOps process.

NS1’s platform automates network protocols and processes including traffic routing, load balancing, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and IP Address Management (IPAM). It also provides several DNS security capabilities including domain name system security extensions (DNSSEC), distributed denial of service (DDoS) protection, and a redundancy product with two separate DNS networks with single pane of glass management.

Additionally, it provides real-time telemetry data from users, which, when combined with automation, is an extremely valuable tool for security professionals analyzing web and network traffic.

“We don’t see ourselves as a security vendor,” Davis said. “What we do do is integrate very heavily with some security vendors like the Cisco Umbrella platform. What we are trying to do is figure out ways that we can make that data available, so that somebody who does have a security decision making engine can take some of that raw data and make some intelligence out of it. Our focus is being able to figure out how we can partner with security vendors and make the data that we have more meaningful and powerful.”