20 Dec Internet security is big business for Wisconsin Rapids firm
Wisconsin Rapids, Wis. – Sami Saydjari could serve as an inspiration for anyone who has ever dreamed of building a home-based business, but his four-year-old venture is no ordinary consulting company.
Saydjari has established a $5 million annual business called the Cyber Defense Agency in his Wisconsin Rapids home, one that is helping the United States defend itself against cyber attacks.
His work environment wasn’t always residential. He has more than 20 years’ experience directing information assurance research, including 13 years at the National Security Agency and three years as a program manager with the Defense Advanced Projects Agency.
Since these organizations are based in the nation’s capital, why would Saydjari select a city 1,000 miles away to establish a home and a business? Part of the answer is that he is a Wisconsin native – born in Rice Lake – and part is that, thanks to the magic of computer technology, he can.
“I was born in Wisconsin, so I just wanted to raise my son in the Midwest,” Saydjari explained. “It wasn’t particularly Wisconsin Rapids. That just happened to be the place we landed.
“It’s more about raising a family in a small town, and being a virtual company that is a thought leader, where the physical location is really not terribly important.”
Line of defense
The company’s location may not be important, but its work is. CDA provides research and strategic consulting to secure critical infrastructure against attack – critical infrastructure that ranges from the Department of Defense to the power, finance, and telecommunications industries.
Due primarily to its work with Defense, CDA has grown into a $5 million a year company with 20 employees, but they don’t congregate in one spot.
The company, founded in 2002, has people in Wisconsin, California, Minneapolis-St. Paul (including the CIO), Tennessee, and the Baltimore-Washington, D.C. region. About half of its employees are in the vicinity of the nation’s capital, where most of its defense clients operate.
CDA has received two DoD grants through the Small Business Innovation Research program, so its scattered staff did not prevent the department from selecting it for key projects. The SBIR awards, including one for nearly $750,000, are for research contracts, so locale doesn’t matter as much as brain power. That power is being deployed to conduct automated “red teaming,” a way to shape a better defensive posture by having organizations self-assess their information systems to understand how adversaries might come after them.
Other work, however, cannot be performed in the home. “For some of our other work that is classified, we needed a facility, and we in fact have a facility capable of handling classified work in the Washington, D.C. area,” Saydjari noted.
Thus far, CDA primarily has served the DoD, but the company is in discussions with prospective private-sector clients. It started with the defense sector because it was familiar territory and because the department has been living with the cyber security problem for the past 30 years. More recently, Saydjari said there has been an increasing understanding of what’s needed by the private sector, so the timing is right to branch out.
The company has a very aggressive mission, but that doesn’t necessarily translate into revenue goals and other measures of growth. Although security metrics are difficult to measure, CDA’s bottom line is linked to mission – it intends to reduce the national cyber security risk by half in the next five years. “If it takes a company of this size to do it, we will be this size,” Saydjari said. “If it takes a company 10 times this size to do it, we’ll do that.”
CDA doesn’t yet belong to an industry association, but it operates in the information assurance industry, which Saydjari characterizes as immature. He gets no argument from Jeff Stapleton, founder and president of the Information Assurance Consortium, one of a handful of industry associations. Thus far, membership consists of a small group of small businesses, individuals, and similar organizations that serve as liaisons, and the composition of the industry remains unclear.
“I don’t know of any information technology security body that has collected cross-industry information on information assurance,” Stapleton said. “Nobody is measuring it, so nobody really knows.”
In shaping a security policy, Saydjari advises CIOs to look at the risk to their systems, and the ways in which they depend on their information infrastructure to accomplish the corporate mission. As the hacker community evolves into a professional criminal class with a profit motive, it comes in all shapes and sizes, including members of organized crime. More frequent random invasive attacks have given way to fewer targeted attacks, yet they still cause billions of dollars in damage.
In combating today’s threats, Saydjari gives equal weight to sensible policy and technology solutions because both have to work in unison. In his view, technology without policy is useless, and he laments the lack of integrated security solutions.
He said there is no magic tech tool on the market, but rather a diverse set of mechanisms that each handle a very narrow portion of the attack space. With several remote locations, CDA encrypts sensitive traffic, places its most sensitive data on separate computers (outside the network), and has developed a secure sharing site.
“What I advocate right now is an intelligent security architectural approach to defending the system, again with respect to the way the mission is accomplished,” he said, “and orchestrating those mechanisms together in a way that coherently defends against attackers.”
In 2002, Saydjari was one of 50 people who wrote a letter to President Bush stating how vulnerable the United States is to a cyber attack. He has called for a cyber “Manhattan Project” to address the threat, which isn’t from terrorists alone. Such a project would require presidential leadership and a multi-billion-dollar investment to bring together the nation’s top scientists and engineers to build a defensive capability – mostly in an open engineering project that is managed as a virtual entity.
“We need robust technology against nation-state adversary attack,” he said, “and that requires concerted government strategic investment.”