Source: Washington Post
An investment firm run by former Bush Administration Homeland Security chief Michael Chertoff is deepening investments in firms that provide high-end cybersecurity advice to private corporations, a strategy that leverages the firm’s close connections to the government cybersecurity community.
Texas-based Delta Risk, which has ties to cyber operations centers at two Air Force bases in San Antonio, is getting $3 million from a Chertoff Group affiliate fund to help expand. Colorado-based Coalfire got an undisclosed amount from Chertoff Group and D.C.-based private equity firm Carlyle Group at the end of last year.
The Chertoff Group was founded by Bush Administration homeland security secretary Michael Chertoff after he left the government in 2009. He helped attract prominent military and intelligence insiders to the firm as they left government, including Michael Hayden, who oversaw cybersecurity operations at the National Security Agency and the CIA.
The Washington-based group has made smaller investments since its founding, but revved its engines in early 2014 through affiliated holding companies after raising money from an undisclosed group of national security-minded individuals.
Both companies are trying to capitalize on a well-documented dearth of analysts defending private businesses from theft.
“One of the macros that helps us a lot is the shortage of cyber talent,” said David Leach, principal and head of private equity at Chertoff Group.
A 2015 analysis from Stanford University found more than 200,000 unfilled cybersecurity jobs across the United States, and a separate report by market research firm Burning Glass found close to 50,000 in the D.C. area alone.
The shortage has contributed to a wave of automation across the industry. Thousands of start-ups have popped up pushing various sorts of technology fixes designed to work in the background of a company’s normal IT operations: perimeter defenses like firewalls; analytical platforms designed to make cyber-analysts’ jobs more efficient; employee training modules; artificial intelligence algorithms that track hackers’ movements.
Chertoff’s investment firm is trying something different: doubling down on human talent.
“The big picture is there’s no one way to solve the cyber-security problem; there is no single solution that’s going to make everyone safe and protected forever,” Leach said.
Delta Risk, a Texas-based company that was founded in 2007 by three former Air Force cyber analysts who later sold their ownership stakes, is a prime example of the sort of high-end services work that Chertoff is steering its investors towards.
The 100-person company generates close to $20 million a year selling security advice to businesses and government agencies. Delta’s solution is a suite of services—low on automation, high on expensive manpower—that find various ways of quantifying a company’s cybersecurity risk and offering advice on how to handle it. The result is a firm that looks more like an insurance brokerage than an anti-virus provider.
Delta Risk chief executive Scott Kaine says customers often come to him in the chaos and confusion following a hack. His company’s job is to figure out what went wrong and how the client can better secure its information. The firm employs trained “penetration testers” (hackers) to exhaustively probe a customer’s network for holes, and drill the company’s IT managers by replicating large-scale hacks in a process known as “red-teaming.”
It’s all made possible by the revolving-door effect of cybersecurity talent between the intelligence community and the business community that supports it. Seventy percent of Delta’s workers are recently retired cybersecurity analysts who are still on active National Guard duty in the Air Force. Most of them hail from one of two Air Force bases in the San Antonio area where the company is headquartered.
“We have people embedded in the workforce there where they talk to their peers and get them to come over,” said Delta Risk chief executive Scott Kaine.
Chertoff’s other big investment, Coalfire, follows a similar approach. Both firms market cybersecurity primarily as a risk-management problem and focus on labor-intensive solutions.
“We don’t run around saying we have a box that identifies everything and makes things go away,” said Kaine. “People are the key element that tends to get overshadowed by the glitz and glamour of these software and box centers out there.”