Rick Fleming vividly remembers the look on the executives faces. The officials already knew that their credit union had some Internet-related security problems. But when Fleming, vice president of security operations at Digital Defense, showed them a slide of the computer screen used by the credit unions tellers — a screen that was obtained by Digital Defenses hackers over the Net — "their faces just went white," Fleming says with a chuckle.
During another presentation to a different set of clients, Digital Defense flashed each managers supposedly secure computer password on the wall of the conference room. The two demonstrations are among the companys most memorable events. Created just 18 months ago by a group of former Air Force information warfare veterans and a talented group of young hackers, Digital Defense, in San Antonio, is finding a ready market for its security services.
Although dozens of security firms are already providing riskassessment, security monitoring and other security consulting services, Digital Defense is proving it can play with the big boys. Earlier this month, it signed a deal with Grupo Financiero Banamex-Accival, one of Mexicos largest banks, to do information security analyses on all 1,200 of the banks branches. Banamex is the target of a $12.5 billion takeover by Citigroup.
By targeting the financial sector, Digital Defense is aiming at the richest segment of the Internet security business. IDC recently estimated that spending on information security in the banking sector will rise from $1 billion this year to nearly $1.9 billion by 2004. Add another $1 billion or so that will be spent by the insurance, financial services and medical sectors, and it becomes apparent that information security is growing into a very big business.
In the U.S., there are more than 20,000 banks and credit unions, all under increasing pressure to make sure their Internet-related operations are secure. Much of that pressure is coming from a federal law known as the Gramm-Leach-Bliley Financial Services Modernization Act. By July 1, all financial entities in the country are supposed to have policies and infrastructure in place to assure the privacy and security of consumer-related information. That law, combined with recent highly publicized hacker attacks on targets such as Microsoft and the White House, has meant a surge in demand for security services. And yet, Joe Cooper, Digital Defenses founder and president, says much of his time is spent educating clients.
Companies "are just now waking up to risks they face," Cooper says. After doing security assessments on about 60 credit unions, Digital Defense claims it has had a 100 percent success rate in breaking into its clients networks.
Founded in January 2000, Digital Defense is largely a product of the Pentagon. About a half-dozen of the companys senior people are retired Air Force computer security specialists. Marc Enger, the companys executive vice president of security operations, retired with the rank of colonel and was operations director at the Air Intelligence Agency, the Air Forces intelligence and computer security arm. Many of the companys other personnel worked at Computer Sciences Corp., which employs hundreds of people at the Air Forces Information Warfare Center in San Antonio. According to Cooper, only one of the people at the firm has not worked either inside the military or as a government contractor to the military.
The company got its start after Cooper and Fleming were asked to assess the security at a small San Antonio credit union. After completing that job, they began looking at the broader credit union market and saw a potential niche. A few months later, armed with $700,000 in venture capital, Digital Defense opened its doors. Today, the company is nearing profitability. Cash flow is reportedly strong and Cooper sees a bright future. The private firm would not release revenue figures.
Employing two dozen people, Digital Defense has done security work for dot-coms and insurance companies, as well as credit unions. It is also training examiners at the National Credit Union Administration to analyze the security systems used by various credit unions.
"They are coming from an audit background," Cooper says. Auditors are accustomed to following checklists to examine compliance on matters such as accounting and operations. Security is much harder to assess. So Cooper is training the examiners to "go from a checklist environment" to knowing how to "determine if someones firewall is working."
A pivotal growth area for Digital Defense and other security firms is in managed security services, an area in which larger companies such as Counterpane Internet Security, Internet Security Systems and NetSolve already have a strong foothold. Digital Defense aims to increase its share of the market by providing less frequent monitoring at a lower price. "We are not trying to offer total security or intrusion detection services, just vulnerability analysis," Enger says. "When we find a problem, we tell our clients how to fix it."
That approach appealed to Gil Roman, information systems director at Pacific Service Credit Union in Walnut Creek, Calif. Pacific Service offers Internet-facing services, including home banking and online auto loans. "We have to be very, very, concerned about security," Roman says.
After looking at a number of security firms, Roman decided to sign a three-year contract with Digital Defense at $1,650 per month. The deal requires Digital Defense to do annual security audits and remote penetration tests, as well as monthly external and internal vulnerability assessments. Digital Defense will also provide daily updates on new vulnerabilities and advise the credit union about the best way to configure new hardware and software. Roman says the key factor in his decision was that "their prices were good."
As the market expands, Digital Defense faces the same problem that other small businesses face: hiring enough talented people to keep the business growing. To deal with the Banamex contract and other business, Digital Defense will likely have to double its work force by years end. But it must be careful in hiring. Digital Defenses employees have access to financial records and information that could easily be misused. Enger believes some of the companys best recruits will come out of the military because they "are prequalified in terms of their security backgrounds."
And if Digital Defense cant get the people it needs, Enger says, "its going to be difficult to grow."