An investment firm run by former Bush administration Homeland Security chief Michael Chertoff is deepening investments in firms that provide high-end cybersecurity advice to private corporations, a strategy that leverages the firm’s close connections to the government cybersecurity community.
Texas-based Delta Risk, which has ties to cyber-operations centers at two Air Force bases in San Antonio, is getting $3 million from a Chertoff Group affiliate fund to help expand. Coalfire, based in Colorado, got an undisclosed amount from the Chertoff Group and the D.C.-based private equity firm Carlyle Group at the end of last year.
Chertoff founded the Chertoff Group after he left government in 2009. He helped attract prominent military and intelligence insiders to the firm as they left government, including Michael Hayden, who oversaw cybersecurity operations at the National Security Agency and the CIA.
The Washington-based group has made smaller investments since its founding, but revved its engines in early 2014 through affiliated holding companies after raising money from a group of national security-minded individuals who weren’t disclosed.
Both companies are trying to capitalize on a well-documented dearth of analysts defending private businesses from theft.
“One of the macros that helps us a lot is the shortage of cyber talent,” said David Leach, principal and head of private equity at the Chertoff Group.
A 2015 analysis from Stanford University found more than 200,000 unfilled cybersecurity jobs across the United States, and a separate report by market research firm Burning Glass found more than 27,000 in the D.C. area alone.
The shortage has contributed to a wave of automation across the industry. Thousands of start-ups have popped up pushing various sorts of technology fixes designed to work in the background of a company’s normal IT operations: perimeter defenses like firewalls, analytical platforms designed to make cyber analysts’ jobs more efficient, employee training modules, artificial intelligence algorithms that track hackers’ movements.
Chertoff’s investment firm is trying something different: doubling down on human talent.
“The big picture is there’s no one way to solve the cybersecurity problem; there is no single solution that’s going to make everyone safe and protected forever,” Leach said.
Delta Risk, founded in 2007 by three former Air Force cyberanalysts who later sold their ownership stakes, is a prime example of the sort of high-end services work that Chertoff is steering its investors toward.
The 100-person company generates close to $20 million a year selling security advice to businesses and government agencies. Delta’s solution is a suite of services — low on automation, high on expensive manpower — that find various ways of quantifying a company’s cybersecurity risk and offering advice on how to handle it. The result is a company that looks more like an insurance brokerage firm than an anti-virus software provider.
Delta Risk chief executive Scott Kaine says customers often come to him in the chaos and confusion following a hack. His company’s job is to figure out what went wrong and how the client can better secure its information.
The firm employs trained “penetration testers” (hackers) to exhaustively probe a customer’s network for holes and drill the company’s IT managers by replicating large-scale hacks in a process known as “red-teaming.”
It’s all made possible by the revolving door effect of cybersecurity talent between the intelligence community and the business community that supports it. Seventy percent of Delta’s workers are recently retired cybersecurity analysts who are still on active National Guard duty in the Air Force. Most of them hail from one of two Air Force bases in the San Antonio area where the company is headquartered.
“We have people embedded in the workforce there where they talk to their peers and get them to come over,” Kaine said.
Chertoff’s other big investment, Coalfire, follows a similar approach. Both firms market cybersecurity primarily as a risk-management problem and focus on labor-intensive solutions.
“We don’t run around saying we have a box that identifies everything and makes things go away,” Kaine said. “People are the key element that tends to get overshadowed by the glitz and glamour of these software and box centers out there.”