WANTED: Partners in cybersecurity

By Patience Wait

Michael Maggio knew his company's wireless security product could be a winner, but he needed to cut through the noise of a crowded marketplace.

So the Newbury Networks Inc. president and chief executive officer made a claim bound to get the attention of prime contractors dominating the security market: He trumpeted the ability of his company's WiFi Watchdog product to track wireless users.

"We have a technology that tells you where people are" was Maggio's pitch to Northrop Grumman Corp., who tested the product at its San Antonio lab in May 2003.

"Within a week, they were floored by it," he said.

The Los Angeles-based integrator added WiFi Watchdog to work it was doing for an Air Force customer, and Boston-based Newbury had its break into the government cybersecurity market.

Newbury's courting of Northrop Grumman is increasingly typical of the way large integrators and smaller, specialized cybersecurity companies meet and form partnerships. Prime contractors need technologies and skills to supplement their own offerings and boost their chances to win more business. The smaller companies know their best chances for government work will come through integrators.

"As a [security] solution provider, you need a strong partner," said Al Fox, director of public-sector operations for Sana Security Inc., San Mateo, Calif., which offers intrusion prevention software.

According to Reston, Va.-based Input Inc., the federal government spent about $4.3 billion on IT security in fiscal 2003, and spending will grow to $5.9 billion by 2008.

Although a lot of money is sloshing around, it isn't always easy to find. Few contracts are dedicated solely to cybersecurity. Instead, much of the money is put into contracts where security is one element of bigger programs.

"The vast majority of cybersecurity tasking comes out of existing contracts," said Robert Manchise, chief scientist at Anteon International Corp., Fairfax, Va. "It wasn't thought that it was going to [be] that way two or three years ago, but that's the way it's worked out."

At the same time, the cybersecurity industry is incredibly fragmented.

"It seems to be a cottage industry, full of a lot of small, 25- to 50-person companies that do it, and do it well," Manchise said.

[IMGCAP(2)]Jack Dannahy, president and chief executive of Ounce Labs Inc. in Waltham, Mass., agreed with that description.

"Since 2000, more than 600 privately funded security firms have been formed," said Dannahy, whose 27-employee firm specializes in applications security.

And so companies such as Ounce Labs, Sana Security and Newbury are searching for ways to grab attention in the lucrative but crowded cybersecurity market, while the integrators have adopted strategies for finding just the right technology or solution.

"It's a win for everybody," Newbury's Maggio said. The security firm gets access to new customers, the integrator improves its cybersecurity solutions, and the customer reaps the benefits, he said.

COURTSHIP RITUALS

To find new partners, Anteon established what Manchise describes as a "mentor-protégé clearinghouse" on its Web site. Small companies can upload their capabilities, provide Anteon with links to white papers they've written and select key words to describe their skill sets. As Anteon puts together teams, its employees can search the database to find specific capabilities among registered companies.

"We don't keep a lot of talent sitting on the bench, and cybersecurity experts are high-priced talent," Manchise said. "So we keep a cadre of other companies that have that talent."

Northrop Grumman performs most network security itself, but relies on a select group of security firms to meet other requirements, said John Stack, information assurance program manager for the company's IT sector.

[IMGCAP(3)]"We don't go out and do a major search each time," Stack said. "If there's some niche area, computer forensics or something, we'd go out to a teammate."

Accenture Ltd., the Hamilton, Bermuda-based integrator, takes another approach. David Black, senior manager for security technologies, is responsible for assessing new offerings from cybersecurity specialists.

Black works with Bruce Coffing, senior manager and alliance relationship director, who evaluates the soundness of aspiring partners and guides developing relationships.

"I probably get three to five new [security] companies finding their way to me every week, wanting to get to know Accenture," Coffing said.

Integrators also monitor the cybersecurity space by reading the trade press and attending shows and conferences.

At SRA International Inc., which counts cybersecurity as a core competency, the company turns to outside companies only when it needs people to supplement its own work force, according to Tony Valletta, SRA's senior vice president and director of command, control, communications and intelligence.

SRA takes pains to hire reputable security companies, not "body shops," when it needs additional labor, he said. The company looks for certified security professionals, accreditation and past performance, among other criteria.

"Security should be part of the total life-cycle development of any project," Valletta said. "We've determined that security is so important, we put the resources together."

 

MUTUAL ATTRACTION

On the other side of the equation, cybersecurity specialists have the challenge of distinguishing themselves in a cast of thousands.

"There literally are hundreds of point solutions to the security problem," said Greg Akers, senior vice president and chief technology officer for Cisco Systems Inc., San Jose, Calif.

Very small companies tend to concentrate on technology, trying to make their products as strong as possible. They may look for a single strategic partner that can help them make their way.

Sana Security Inc. pursued a relationship with AT&T Corp. because it has access to government agencies and security clearances, Fox said.

AT&T tested Sana's product and added it to its team that won an Air Force Materiel Command contract in October. Now, Fox also spends a lot of time with an AT&T business developer looking for the right opportunities, he said.

Citadel Security Software Inc., a Dallas firm that provides automated vulnerability software, has established long-term partnerships with several integrators, said Steve Solomon, the company's CEO.

"Every [integrator] has a different vehicle and serves different agencies," Solomon said. "To me, it's important to be neutral."

Other cybersecurity firms work to build their identities with federal agencies, looking for the agencies to recommend -- or require -- the use of their products.

"The best way to get the systems integrators' mindshare is to have a solid relationship inside an agency yourself," said John Frazzini, vice president of intelligence operations at iDefense Inc., a 50-person business in Reston, Va., which provides security intelligence on emerging cyberthreats. "As a result, the customer tells the integrator, 'I want you to use X.' "

The company earned a spot on the General Services Administration's IT schedule last May, and in June won an enterprisewide contract with the Health and Human Services Department, delivering threat intelligence to agencies such as the National Institutes of Health, the Food and Drug Administration and the Centers for Disease Control and Prevention.

[IMGCAP(4)]Barry Leffew, vice president of VeriSign Inc.'s public-sector unit, which offers managed security services, said companies need to identify and target specific agencies or projects and talk to integrators about the value they can bring.

"The key is defining the solution and the vision of what you can offer to the integrator, how it helps the integrator differentiate their solution," Leffew said.

Dannahy at Ounce Labs said relationships come long before the business opportunities show up.

"I've done a lot of work in the D.C. area, [and] I've gotten to know some very smart people down there," he said. "You start by using those relationships to learn what organizations care about the particular style of security I'm addressing."

A small company needs to leverage its relationships in a star pattern, Dannahy said, working from a center point of reference out to people they recommend.

"For a company of limited size, 50 or 75 people who are interested in your solution are [enough,]" he said.

With companies looking for so many interested partners, monogamy is not a goal.

"We wind up working with several different integrators," iDefense's Frazzini said.

Even Newbury Networks, which won its way into Northrop Grumman's heart, does not expect or offer exclusivity.

"Most of our deployments are through channel partners," Maggio said. "We can focus on the technology."

Staff Writer Patience Wait can be reached at pwait@postnewsweektech.com.