WANTED: Partners in cybersecurity
Well-honed strategies help integrators find firms with specialized technologies
Contractors answer FISMA's call
Cybersecurity chief talks of progress
Michael Maggio of Newbury Networks Inc. grabbed the attention of Northrop Grumman Corp. with this claim: Our technology tracks wireless users.
David Black, along with other executives at Accenture Ltd., spends his time scouring new offerings from cybersecurity specialists and evaluating them for potential partnerships.
By Patience Wait
Michael Maggio knew his company's wireless security product could be a winner, but he needed to cut through the noise of a crowded marketplace.
So the Newbury Networks Inc. president and chief executive officer made a claim bound to get the attention of prime contractors dominating the security market: He trumpeted the ability of his company's WiFi Watchdog product to track wireless users.
"We have a technology that tells you where people are" was Maggio's pitch to Northrop Grumman Corp., which tested the product at its San Antonio lab in May 2003.
"Within a week, they were floored by it," he said.
The Los Angeles-based integrator added WiFi Watchdog to work it was doing for an Air Force customer, and Boston-based Newbury had its break into the government cybersecurity market.
Newbury's courting of Northrop Grumman is increasingly typical of the way large integrators and smaller, specialized cybersecurity companies meet and form partnerships. Prime contractors need technologies and skills to supplement their own offerings and boost their chances to win more business. The smaller companies know their best chances for government work will come through integrators.
"As a [security] solution provider, you need a strong partner," said Al Fox, director of public-sector operations for Sana Security Inc., San Mateo, Calif., which offers intrusion prevention software.
According to Reston, Va.-based Input Inc., the federal government spent about $4.3 billion on IT security in fiscal 2003, and spending will grow to $5.9 billion by 2008.
Although a lot of money is sloshing around, it isn't always easy to find. Few contracts are dedicated solely to cybersecurity. Instead, much of the money is put into contracts where security is one element of bigger programs.
"The vast majority of cybersecurity tasking comes out of existing contracts," said Robert Manchise, chief scientist at Anteon International Corp., Fairfax, Va. "It wasn't thought that it was going to [be] that way two or three years ago, but that's the way it's worked out."
At the same time, the cybersecurity industry is incredibly fragmented.
"It seems to be a cottage industry, full of a lot of small, 25- to 50-person companies that do it, and do it well," Manchise said.
Jack Dannahy, president and chief executive of Ounce Labs Inc. in Waltham, Mass., agreed with that description.
"Since 2000, more than 600 privately funded security firms have been formed," said Dannahy, whose 27-employee firm specializes in applications security.
And so companies such as Ounce Labs, Sana Security and Newbury are searching for ways to grab attention in the lucrative but crowded cybersecurity market, while the integrators have adopted strategies for finding just the right technology or solution.
"It's a win for everybody," Newbury's Maggio said. The security firm gets access to new customers, the integrator improves its cybersecurity solutions, and the customer reaps the benefits, he said.
To find new partners, Anteon established what Manchise describes as a "mentor-protégé clearinghouse" on its Web site. Small companies can upload their capabilities, provide Anteon with links to white papers they've written and select key words to describe their skill sets. As Anteon puts together teams, its employees can search the database to find specific capabilities among registered companies.
"We don't keep a lot of talent sitting on the bench, and cybersecurity experts are high-priced talent," Manchise said. "So we keep a cadre of other companies that have that talent."
Northrop Grumman performs most network security itself, but relies on a select group of security firms to meet other requirements, said John Stack, information assurance program manager for the company's IT sector.
"We don't go out and do a major search each time," Stack said. "If there's some niche area, computer forensics or something, we'd go out to a teammate."
Accenture Ltd., the Hamilton, Bermuda-based integrator, takes another approach. David Black, senior manager for security technologies, is responsible for assessing new offerings from cybersecurity specialists.
Black works with Bruce Coffing, senior manager and alliance relationship director, who evaluates the soundness of aspiring partners and guides developing relationships.
"I probably get three to five new [security] companies finding their way to me every week, wanting to get to know Accenture," Coffing said.
Integrators also monitor the cybersecurity space by reading the trade press and attending shows and conferences.
At SRA International Inc., which counts cybersecurity as a core competency, the company turns to outside companies only when it needs people to supplement its own work force, according to Tony Valletta, SRA's senior vice president and director of command, control, communications and intelligence.
SRA takes pains to hire reputable security companies, not "body shops," when it needs additional labor, he said. The company looks for certified security professionals, accreditation and past performance, among other criteria.
"Security should be part of the total life-cycle development of any project," Valletta said. "We've determined that security is so important, we put the resources together."
On the other side of the equation, cybersecurity specialists have the challenge of distinguishing themselves in a cast of thousands.
"There literally are hundreds of point solutions to the security problem," said Greg Akers, senior vice president and chief technology officer for Cisco Systems Inc., San Jose, Calif.
Very small companies tend to concentrate on technology, trying to make their products as strong as possible. They may look for a single strategic partner that can help them make their way.
Sana Security Inc. pursued a relationship with AT&T Corp. because it has access to government agencies and security clearances, Fox said.
AT&T tested Sana's product and added it to its team that won an Air Force Materiel Command contract in October. Now, Fox also spends a lot of time with an AT&T business developer looking for the right opportunities, he said.
Citadel Security Software Inc., a Dallas firm that provides automated vulnerability software, has established long-term partnerships with several integrators, said Steve Solomon, the company's CEO.
"Every [integrator] has a different vehicle and serves different agencies," Solomon said. "To me, it's important to be neutral."
Other cybersecurity firms work to build their identities with federal agencies, looking for the agencies to recommend -- or require -- the use of their products.
"The best way to get the systems integrators' mindshare is to have a solid relationship inside an agency yourself," said John Frazzini, vice president of intelligence operations at iDefense Inc., a 50-person business in Reston, Va., which provides security intelligence on emerging cyberthreats. "As a result, the customer tells the integrator, 'I want you to use X.'"
The company earned a spot on the General Services Administration's IT schedule last May, and in June won an enterprisewide contract with the Health and Human Services Department, delivering threat intelligence to agencies such as the National Institutes of Health, the Food and Drug Administration and the Centers for Disease Control and Prevention.
Barry Leffew, vice president of VeriSign Inc.'s public-sector unit, which offers managed security services, said companies need to identify and target specific agencies or projects and talk to integrators about the value they can bring.
"The key is defining the solution and the vision of what you can offer to the integrator, how it helps the integrator differentiate their solution," Leffew said.
Dannahy at Ounce Labs said relationships come long before the business opportunities show up.
"I've done a lot of work in the D.C. area, [and] I've gotten to know some very smart people down there," he said. "You start by using those relationships to learn what organizations care about the particular style of security I'm addressing."
A small company needs to leverage its relationships in a star pattern, Dannahy said, working from a center point of reference out to people they recommend.
"For a company of limited size, 50 or 75 people who are interested in your solution are [enough,]" he said.
With companies looking for so many interested partners, monogamy is not a goal.
"We wind up working with several different integrators," iDefense's Frazzini said.
Even Newbury Networks, which won its way into Northrop Grumman's heart, does not expect or offer exclusivity.
"Most of our deployments are through channel partners," Maggio said. "We can focus on the technology."
Staff Writer Patience Wait can be reached at firstname.lastname@example.org.
The single biggest driver shaping the cybersecurity strategies of federal agencies today may well be the Federal Information Security Management Act, signed into law in December 2002.
FISMA replaced GISRA, the Government Information Security Reform Act of 2000, and requires annual IT security reviews, reporting and remediation planning by agencies.
It also carries a big stick: Reports are filed with the Office of Management and Budget, and failure to make progress on security issues can jeopardize funding for projects.
An annual report card, released by Rep. Adam Putnam, R-Fla., gave agencies an overall grade of D. Putnam is chairman of the House Government Reform subcommittee on technology, information policy, intergovernmental relations and the census.
"Security is becoming more and more of a concern [to agencies], not only to protect their infrastructure but also to protect their reputation," said Barry Leffew, vice president of public sector for VeriSign Inc., Mountain View, Calif. "It is not perceived positively when large agencies get Ds or Fs on security."
John Frazzini of iDefense Inc., Reston, Va., is more blunt: "What's the pain point in the marketplace? The biggest pain point is, 'How do I meet FISMA requirements?'"
FISMA also has changed how agencies approach cybersecurity, said Ken Ammon, president of Network Security Technologies Inc., or Netsec, a managed security services firm based in Herndon, Va.
Previously, CIOs spent most of their time figuring out how to save money on security, Ammon said. "Now that it's a compliance issue, they're figuring out how to swallow that pill."
Cybersecurity companies are rushing to adapt their products, messages and strategies to respond to FISMA's demands.
"We completely changed our strategy," Ammon said of FISMA's effect. "When FISMA came out, we finally had a compliance driver to get the management level to focus on the issue."
The implementation of FISMA spurred Ounce Labs Inc., Waltham, Mass., to change the way its product works, said Jack Dannahy, president and CEO. "FISMA has led us to implement more reporting that speaks to the questions [our customers] are going to ask."
For some integrators, FISMA has opened up more consulting opportunities.
"What we find is that most so-called system owners look at the FISMA documentation and scratch their heads," said David Black of Accenture Ltd. "We've been able to help them machete their way through the forest."
Amit Yoran is director of DHS' National Cyber Security Division.
Amit Yoran knows it's impossible to completely eliminate cybersecurity incidents within government. So the director of the National Cyber Security Division in the Homeland Security Department is working to minimize damage and downtime by improving preparedness among federal agencies.
But even this is no easy task. No sooner had Yoran announced the National Cyber Alert System in January than the MyDoom worm overran e-mail servers across the country.
Appointed as director in September, Yoran previously was vice president for managed security services at Symantec Corp., and years before he was a director in the Defense Department's vulnerability assessment program.
Yoran sat down with Washington Technology Staff Writer Brad Grimes and Government Computer News Senior Editor Wilson P. Dizard III to discuss the progress his group has made in defending government systems from cyberattacks. "We are increasing cybersecurity preparedness, period," Yoran said.
WT: How serious are the cybersecurity threats to government systems?
Yoran: Federal government systems need to be concerned with some of the most sophisticated [attacks], depending on which agency or department they're from. Those departments and agencies that realize the national security and homeland security implications of the systems they operate are generally the ones with the most mature programs.
A lot of work needs to be done across the board for us to be where we want to be. ... The more visible worms and viruses are the ones that tend to get the media's attention. But it's certainly the quieter, more sophisticated intrusion activities that are a concern.
WT: What is the National Cyber Security Division doing to combat threats?
Yoran: In just the few months since we've been operating, there are a couple different areas we feel we're already making progress. The first is operators working together at a very technical and tactical level with the Government Forum of Incident Response and Support Teams. It is an interagency forum that we host for those 24-by-7 computer emergency response teams, where we interact with one another on an ongoing basis, sharing a situational understanding of current attacks, an understanding of who the attackers are and exchanging defensive techniques and measures.
WT: Will you attempt to use the federal government's purchasing power as leverage to require vendors to provide more secure systems?
Yoran: I think it's a great concept, and the federal government has done that in a couple places, certainly with Karen Evans and the SmartBuy program. ... I would expect those programs on which she was taking a lead position will continue to move forward. We've had a couple dialogs with Karen and the folks at OMB about that, and feel they're really headed in the right direction.
WT: Can you pressure companies to develop more secure products?
Yoran: You have to not only say, "Thou shalt produce more secure code or else," we have to arm them with the tools, the processes, the technologies that can facilitate the production of better code.
WT: With more of our nation's infrastructure moving toward IP infrastructures, aren't we just opening ourselves up to more cyberattacks?
Yoran: To some extent we are increasing our vulnerability and risk, because we are deploying more cyberconnected systems. We can't just back up and say we don't want voice over IP. What we need to do is be more aggressive in addressing security requirements. I'd say that even though we're becoming more connected, we are improving our security posture.
WT: What will be your measure of a successful cybersecurity program?
Yoran: Zero cybersecurity incidents or outages is not a reasonable goal. We're focused on improved preparedness; we're focused on minimal impact and minimal duration.