When a data breach hits, enterprises turn to outside firms to pick up the pieces

CIOs and CISOs are tasked with defending and protecting corporate enterprises in an increasingly hostile cyberscape.

Companies across all industries worldwide reported a total of 42.8 million detected attacks last year, according to the PWC Global State of Information Security Survey 2015. That’s a 48 percent increase in incidents since the prior year.

Various reports indicate that cyber attacks will trend up for the rest of 2015, and in 2016.

More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years, according to a Peninsula Press (a project of the Stanford University Journalism Program) analysis of numbers from the Bureau of Labor Statistics.

The growing number of attacks – combined with a shortage of experienced cybersecurity personnel, is leading CIOs and CISOs to hire outside firms for help.

“Unprepared organizations, when notified of a breach by external entities such as the FBI, are increasingly employing professional security service providers to address security emergencies,” said Frost & Sullivan Network Security Research Director Frank Dickson. “Evasive malware and security skills shortages are driving demand for professional security services. Professional Security Services in North America will reach $1.9 billion in market revenue by 2018.”

Who are CIOs and CISOs turning to for help with cybersecurity?

Here’s a lineup of some top cybersecurity professional services firms in North America:

• Accuvant, Denver
• Coalfire, Louisville, Colo.
• Deja vu Security, Seattle
• FRSecure, Waconia Minn.
• GreyCastle Security, Troy, NY
• Grid32 Security, Newark, NJ
• Herjavec Group, Toronto, Canada
• IT Security, Inc., Pittsburgh
• LIFARS, New York City
• Morphick, Cincinnati
• PivotPoint Security, Hamilton, NJ
• Secure Digital Solutions, Saint Louis Park, Minn.
• Taia Global, McLean Va.
• Templar Shield, San Diego
• TrustedSec, Strongville, Ohio
• Vanguard Integrity Professionals, Las Vegas
• Veris Group, Vienna, Va.
• Wetstone, Cortland, NY

These pure-play cybersecurity professional services firms have specialized capabilities that are focused primarily on federal and government agencies:

• CACI, Ballston, Va.
• Defense Point Security, Alexandria. Va.
• GuidePoint Security, Reston, Va.
• KEYW, Hanover, Md.
• MindPoint Group, Springfield, Va.
• PUNCH, Washington DC
• root9B, Colorado Springs, Colo.
• Tapestry Technologies, Chambersburg, Pa.
• TechGuard, Chesterfield, Mo.
• Vistronix, Reston, Va.

Going through the list of these pure play firms, turns out there are some CISOs and senior level executives from major corporations and federal agencies – who have turned into cybersecurity entrepreneurs.

One of them, Brian Minick, is CEO at Morphik. Minick was previously the CISO at GE Aviation and Energy for nearly five years.

“From my experiences as a CISO, every time I bought a new technology, I had to hire additional people onto the team in order to run it, and then in a couple of years we had to deal with upgrades and obsolescence issues,” says Minick. “Add to this the challenges of finding and retaining talent and it becomes a very difficult spot to be in. These forces are what drove us to create Morphick. By partnering with our customers, Morphick is able to deliver the people, process, and technology required to counter the most advanced attacks.”

John Harbaugh, COO at root9b was previously deputy group chief, Cybersecurity Operations at the United States Department of Defense. Harbaugh also served as office chief, Cybersecurity Threat Analysis and before that as director of Cybersecurity Operations at the DoD. Earlier in his career he served for 19 years at the United States Air Force in network intelligence analysis and cybersecurity roles. Harbaugh notes that several clients have selected root9B based on their management team’s extensive cybersecurity backgrounds.

Root9B serves clients in the commercial and federal sector. In addition to its Colorado Springs headquarters, root9B has regional offices in San Antonio, New York City, San Diego, Boise, Idaho, and Honolulu, Hawaii.

The founder and management team pedigrees of the pure play firms outshines most value-added-resellers (VAR) when it comes to cybersecurity. VARs tend to be product centric with professional services aligned to specific vendor solutions they resell. A VAR can sometimes have an “in” with a CISO if they’ve sold a lot of product and services to them. But in a head-to-head matchup of cybersecurity experience and manpower, the pure plays firms will come out on top over the VARs.

There are some VARs who see the big picture opportunity in cybersecurity, and successfully transition into pure-play firms. Robert Herjavec of “Shark Tank,” ABC’s Emmy Award-winning hit entrepreneurship reality show, is founder and CEO at Herjavec Group in Toronto. Herjavec founded his firm in 2003. The company originally sold Check Point firewalls to corporations in Canada. Over the years the company has acquired several cybersecurity services firms, and today it is one of the larger pure-play professional services firms in North America.