Dirty Little Secrets of the Cyber Business
Unless they are cybersecurity contracts.
In the cyber business, in fact, the federal government can be the ticket to prosperity. Not so much for the amount of money it spends, but because government networks are ground zero for the cyber wars that are being fought on a daily basis and will continue to be waged for years to come.
“No other customer has tougher problems,” says former U.S. Marine turned venture capitalist Nathaniel C. Fick.
“For an early stage cyber company, having government customers is great,” he says. “Nobody is better than the Defense Department and the intelligence community.”
Fick has drawn such conclusions after three years of running Endgame Inc., a 150-employee software company funded by Bessemer Venture Partners, where he remains an operating partner. The firm has bankrolled hundreds of the most successful companies in the United States.
Many tech companies see the government, with good reason, as an unattractive customer. It can take years to sign a contract, and buyers often demand customized features that make it hard to build a product that can be sold to others. But in the cybersecurity business, the government has more virtues than flaws, Fick says. “From the perspective of running a cyber company, I think the government is an awesome customer.”
What makes the government valuable is its willingness in some cases to be an “early adopter” of cybersecurity products, he explains. “In most industries, the government is not a great early adopter. That is not true in cyber.”
Fick has found that his defense and intelligence agency customers take chances on unfamiliar cyber technology even when the government procurement culture at large usually prefers to go with safer choices. Being risk averse does not pay in a world where threats move with lightning speed, and the traditional federal procurement system has come under political fire for buying products that are obsolete before they are even put to use. Fick cites research showing that federal agencies whose networks are breached do not become aware that they are under attack until months later, as they lack adequate technology to monitor intrusions. The average “dwell time” for hackers is 300 days, says Fick. It takes about 200 days from breach to detection, the point at which agencies recognize they have an intruder in the network, and then another 100 days to contain and combat the attack.
“Lots of bad stuff is happening in your network between the breach and when you have it under control,” he says. “If that’s what’s happening, it’s obvious that the existing legacy products aren’t working.”
Endgame makes software that several defense and intelligence organizations use to monitor global networks, and hunt down both external and insider threats. The cybersecurity challenge is growing tougher by the minute, says Fick. People are connecting 4 billion items per year to the Internet, and that trend is unlikely to change. Corporations, government agencies, individuals with wearable devices and military forces all are becoming increasingly connected. “There was a time 30 years ago when states worried about states, companies spied on companies. That line has been erased.”
While the threats to networks are widely acknowledged, there is little consensus in the industry on how to turn investments in technology into profits.
Whether one chooses to focus on commercial or government business makes a big difference because the cultures are worlds apart. The federal market by sheer size is dwarfed by the commercial sector. Further, it takes a lot of capital investment to build a federal business because the sales cycles are so long, Fick says. “You have to pay developers and staff for a year and a half before you get customers to buy products. It’s the upfront investment that is required to build trusted relationships with the Defense Department or the intelligence community.”
For Endgame investors, the upfront costs are acceptable given the potential payback. “The government is a validator, provides the ‘Good Housekeeping’ seal of approval,” Fick says. For software vendors, especially, the government provides a battleground to “stress test” products.
The other battle being fought in cybersecurity is one for talent. Large defense contractors, under pressure to compete with upstarts like Endgame, are scoping the market for acquisition targets. “They need to buy innovation,” Fick says. “They can’t do it themselves. That’s just the reality of the talent market. This is very much a war for the best development talent.”
The government does have some key advantages, though. Cyber operators are able to do things in the government that they could not do legally in the private sector. The public sector also attracts analysts who covet access to the government’s fountains of information. The best and brightest developers, however, shun government contracts, he says. “Most of the defense world is dominated by services companies that are unable to move quickly enough to harness the pace of innovation.” The savvy developers don’t want to be part of a butts-in-seats services contract inside a federal agency.
The government has to learn how to buy innovative products created by the private sector and stop wasting money on customized technology, he says. The government does a lot of essential things. Building software is not one of them.
Defense Secretary Ashton Carter has vowed to bring in new industry players to help win the cyber war. He might succeed, Fick says, but he has to “kill the ‘not invented here’ mindset. You need people who can look at the world in a clear-eyed way and pick the best solution.”
One final secret: You don’t need tens of thousands of employees to protect large networks. This is not like buying big-ticket weapons systems. “Cyber and information technology allow you to decouple dollars from capability. In cyber you can spend relatively few dollars and get a lot of capability.”