Building a cybersecurity success story through M&A – a Q&A with Paul Farrell of Nehemiah Security

In a previous post on Corporate Growth, Capital Style, we spoke with Paul Farrell, the CEO of Nehemiah Security, a cybersecurity solution provider based in the National Capital region.

During our discussion, we talked about the reasons why enterprises are more at risk today than ever before for cyberattacks, looked at the cyber stature and posture across enterprises – many of which are not sufficient to address the current threat landscape – and walked through the Nehemiah Security solution suite and the tools it brings to the table to help secure networks.

In the second part of our conversation with Paul Farrell, we shifted gears away from cybersecurity and towards Nehemiah Security as a company.

We talked about how Nehemiah Security was built through strategic acquisitions that not only delivered cutting edge applications to the company’s portfolio, but also brought experienced security professionals into the company that are working diligently to develop the tools of tomorrow. We also pressed Paul for the best practices and lessons learned from his past experience as both a buyer and seller in M&A transactions.

Here is what Paul had to say:

Corporate Growth, Capital Style (CGCS): Nehemiah Security has seemingly built its solutions and bolstered its growth through a series of acquisitions. What was the reasoning behind the company choosing such an aggressive acquisition strategy?

Paul Farrell: We sold our last firm, Moreover Technologies, to LexisNexis. And we got some time to take a breath, look around the marketplace. When we did that, we found five sectors that we thought we could purchase firms in and actually make a difference. The one sector that really ran true to our chairman was cybersecurity.

[Our chairman] has his own multimillion dollar software firm, and he saw that the solutions he needed to protect his networks weren’t available on the market. He just wasn’t happy with what he saw. And so, when we finished our research, he chose to point us towards cybersecurity, because he thought we could make a difference.

That’s how we ended up in cybersecurity. We then built the company through a number of acquisitions over time, as we learned and better understood the market.

Early on, we acquired Tritium Corporation, which had an endpoint solution. And that was a great acquisition. We were able to incorporate much of that application’s functionality into the software that we acquired from Triumphant, an acquisition we made last year. The Triumphant acquisition brought us the adaptive reference modeling – AtomicEye Continuous Protection – as well as AtomicEye Attack Surface Manager, and we supplemented it with the functionality and solutions from the Tritium acquisition.

Then, we acquired Siege, which has been solving nation-state problems for a long time for the United States government. They had several things that they were doing, and that they were doing for years. One of them – which they had been doing for eight years – was risk quantifying. They had been doing the other side of it, doing predictive models for red team activities. We took that functionality, commercialized it, and used it as the basis for AtomicEye Risk Quantifier.

So, the suite that I discussed before all came from these strategic acquisitions – all of which were integrated effectively and incorporated into our solution suite.

And – in addition to acquiring solutions and customers – we’ve added something else through these acquisitions. We picked up a tremendous amount of people with more than eight years of experience in cybersecurity – a great number of really knowledgeable, innovative employees that are helping us build these solutions for the future.

CGCS: What are some lessons learned or best practices from these four acquisitions that you’d like to share with our readers?

Paul Farrell: Many of the firms that we’ve acquired or have looked to acquire have never done it before. And one of the things they don’t realize is that we – as buyers – are going to know everything about them. We broke off an acquisition last year because – well there were multiple reasons – but the largest reason was because we realized that we knew more about the firm than their executives did.

That doesn’t give you a comfortable feeling as an acquirer.

Sellers in this market – if they haven’t done it before – don’t realize how much it takes to get through due diligence. Or they don’t understand the extent and scope of what’s going to be revealed. We’ve sold things and we’ve bought things multiple times, and when we acquire a firm that hasn’t sold before, those are some of the problems that you run into.

It’s good to have educated buyers and educated sellers, and to understand the breadth of the work it’s going to take.

And then there’s the personal relationship between the CEOs. There are going to be several things that happen during the course of a deal, and you have to have a good personal relationship with the person on the other side so that you can overcome those challenges.

It can’t be an adversarial relationship. It has to be looked at more as a partnership that’s building towards the future.

And we had that. The last acquisition that we did with Siege Technologies; their CEO and I talked every Monday at 3PM for one hour. And that was tremendous. In fact, we still do it today. Every Monday at 3PM we’re on the phone talking about business, and it’s extremely helpful.

To learn more about Nehemiah Security and its suite of innovative security solutions, visit their Website at www.nehemiahsecurity.com.