According to the Ponemon Institute’s annual “Cost of a Data Breach” study, “…the global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million.” With breaches becoming increasingly common and the cost of a breach skyrocketing, it’s surprising that many companies, regardless of sector, rarely, if at all, have a mature, fully-resourced cybersecurity program.
This year’s Corporate Growth Company of the Year (Under $25M), Iron Vine Security, recognized this need and has worked to position itself to help companies and government agencies establish a cybersecurity posture that can help protect them in this increasingly hostile threat environment.
In addition to having an in-demand portfolio of services and solutions, the company has grown tremendously because it has invested in expertise, back office infrastructure, and certifications that further differentiate Iron Vine in a crowded and fast-moving cybersecurity marketplace.
To learn more about their winning formula, we had a conversation with one of Iron Vine’s founding partners, Brent C. Duckworth, to help us understand what drove their growth and to get some insights into where the growth opportunities are within cybersecurity.
Here is what he had to say:
Corporate Growth, Capital Style (CGCS): To get started, tell us about Iron Vine. How did the company get its start?
Brent Duckworth: The three of us (Bill Geimer, Jason Figley, and I) founded Iron Vine Security in 2008. At the time, we were all experienced cybersecurity practitioners who had worked in the information technology industry since the nineties. Though we each had our own career path, we had worked with or around each other for several different companies, most recently a contracting company providing cybersecurity services to the federal government.
We started Iron Vine with the goal of building the company we always wanted to work for. That company would be focused on providing high-touch cybersecurity services to clients and would provide a rich, engaging, supportive culture for employees.
CGCS: What industries does the company work with and what services do you provide to them? Which of these industries accounts for the largest percentage of the company’s business today? Which has the most potential for growth in the near future?
Brent Duckworth: We work in multiple industries, including the federal government, financial services, healthcare, and international industries. However, the federal government currently makes up the largest percentage of our business today.
We help our clients establish and mature their cybersecurity programs so that they can reduce their risk, implement effective operations, and defend their systems and data. We do this by providing subject matter expertise at all levels of cybersecurity program development, including governance and policy, risk measurement and monitoring, network traffic analysis, incident response, cyber threat intelligence, malware analysis, and forensics.
We believe companies in all industries need to focus more on cybersecurity and mature their cyber practices. From our years of conducting technical risk assessments across different sectors, it’s rare that we find a company with a mature, fully-resourced cybersecurity program. Unfortunately, cybersecurity is often viewed as a blocker to rather than an enabler of business. So, it often only gets as much attention and resources as required for regulatory compliance, with little emphasis on effectiveness. We see significant areas for growth in all the industries in which we operate and are actively maturing our back-office infrastructure and practices to support that growth.
CGCS: Why are these industries the ones that you’ve chosen to focus on and serve? Are they particularly vulnerable/susceptible to cyberattack? Why do malicious actors target organizations in these industries? What types of malicious actors are responsible for attacking these organizations (state sponsored, hacktivists, etc.)?
Brent Duckworth: While we believe all organizations need to invest in better cybersecurity practices, more-regulated industries generally have more cybersecurity compliance requirements. Therefore, typical organizations, if they are doing anything in cybersecurity, are often doing so to meet some level of compliance, since non-compliance is the perceived risk.
While each industry historically has had its own compliance standard, many industries are coalescing around the standards and guidelines from NIST, including the NIST Cybersecurity Framework, which was specifically developed for critical infrastructure and non-government entities. This standardization of cybersecurity language, concepts, and practices makes the work we do more transferable across industries. So, while we are focusing on the federal government, cybersecurity program elements are almost universal, limited only by organization scale and resources. Ultimately, all organizations will need to move past compliance and see an integrated, effective, technical cybersecurity program as an essential component of business.
We have supported the federal government as well as DoD throughout our careers, and so we feel both a great sense of pride as well as responsibility in helping them. While they may not be more vulnerable than anyone else, they are heavily targeted. Malicious actors target them for the same reason they target organizations in all industries: they have information or access that is valuable.
These adversaries range from the curious, to cyber criminals, to state-sponsored actors, each with varying levels of sophistication. Attacker skill, however, is difficult to assess at face value, since adversaries generally employ the least amount of skill necessary to accomplish their objectives, saving their best exploits and techniques for when they really need them. So, an organization compromised by an unsophisticated attack often says more about the cybersecurity practices of the organization than the full capability of the attacker. Similarly, having a more mature cyber program won’t prevent all compromises, but it will often increase the required skill level of the attacker.
CGCS: Iron Vine is this year’s winner of the Corporate Growth Company of the Year (Under $25M). Was this the result of purely organic growth or has the company also pursued other means of growth – including acquisitions?
Brent Duckworth: All of Iron Vine’s growth has been organic and without any acquisitions. Since 2016 and the award of several multi-year federal contracts, we have seen a rapid increase in growth. Consequently, over the past eighteen months we have re-invested a significant percentage of profit into back office infrastructure, processes, and quality programs to support and enable future growth. Most recently this investment resulted in Iron Vine receiving our ISO 9001:2015 certification and being appraised at CMMI-SVC/3.
As part of our corporate maturation, we have also started exploring other pathways to growth, including buy-side acquisitions as well as new executive leadership focused on strategy and business development.
CGCS: Why has this been the correct strategy for the company to date?
Brent Duckworth: Every company is different, obviously, but for Iron Vine our best strategy was staying focused on cybersecurity and not widening the aperture to include broader areas of information technology operations or engineering. Maintaining that focus over time has allowed us to more readily identify potential new opportunities, hire and retain the brightest experts in the field, and ultimately provide the best value to our clients. The compounding effect of all of that, thankfully, has resulted in positive growth for us.
CGCS: Looking to the future, how do you foresee the company growing? Will Iron Vine continue to grow organically, look for merger or acquisition partners, or consider other means to expand its capabilities?
Brent Duckworth: We feel that Iron Vine is well-positioned for continued organic growth. That doesn’t rule out becoming more familiar with the buy-side process and the pros and cons of acquisitions. With our most recent investment in our financial systems, quality programs, the training and development of our team members, and back office processes, we are planning for the next level of expansion and improving our exposure to government-wide acquisition contracts.
Since we have experience and currently provide services across the entire cybersecurity spectrum, our only restriction has been the ability to scale, and we’ve improved significantly in that regard. Nothing is written in stone, of course, and we can’t see the future, but we are excited about the company, our growth, and what’s next for us and for our industry.