With a newly minted PhD in “pure math” in 2004 (it was actually a dual degree in math and machine learning), Ellison Anne Williams saw her work going in one of three directions: the National Security Agency, IBM or academic research.
She chose classified government intelligence work and spent the formative years of her career laboring away in secret, immersed in the agency’s mission. She climbed the ranks to become a senior technologist at the agency.
But the urge to be her own boss never went away. So last year, after 12 years at the NSA, she left to start her own cybersecurity company.
She didn’t have to go far. She and about a dozen agency colleagues now work out of an office in Maple Lawn, a young community south of Columbia, Md., just a few minutes drive from the NSA’s campus at Fort Meade. The small company, called Enveil, has more than a dozen corporate customers and has raised $5 million from investors.
Williams likes the start-up grind, but it has required a change in mind-set.
“It’s what I always wanted to do, but that doesn’t mean there wasn’t a cultural learning period . . . a sort of detox,” she said.
Williams is one of a number of longtime NSA-ers who have been leaving Fort Meade for the private sector. Many are tempted by the opportunity to start a business — or pull down a big paycheck working for a major bank or other institution.
In recent years, high-profile hacks have repeatedly embarrassed brand-name businesses, nudging deep-pocketed corporations to spend more on data security. Market research firm Gartner pegs the worldwide information security market at close to $100 billion and growing.
Investors are taking notice, leading to a doubling of the number of venture-capital deals going to Washington-area cybersecurity start-ups. Media and data giant Thomson Reuters, insurance firm USAA and Bloomberg’s investment arm recently invested $4 million to help Enveil grow.
Williams owes much of her success to a rare moment of openness at the NSA: Through an official technology transfer program, she was able to declassify some of her work and commercialize it.
The company sells an encryption service designed to follow data wherever it goes. Her team at the NSA leveraged decades of research into novel ways of encrypting information and found new ways to apply it to large organizations.
She got some help from a private start-up incubator called Datatribe, which writes founders checks in the range of $1.5 million, typically in exchange for a 25 percent ownership stake in the company.
Datatribe was founded by Mike Janke, a former member of the Seal Team 6 elite counterterrorism unit who later founded an encryption firm called Silent Circle. Janke said part of the job of the incubator is to keep government technologists from leaving the area.
“JPMorgan and Morgan Stanley will take more people [from the NSA] in a month than we do in a year,” Janke said.
The incubator benefits from added financial firepower from Silicon Valley. At the direction of Bob Ackerman, who earned the moniker “cybersecurity’s money man” for investing in the industry in its early days, Silicon Valley venture fund Allegis Capital recently set up a Maryland-based office to be closer to Datatribe and the NSA. To help in the effort, it added Dave DeWalt, the former board chairman of California cybersecurity giant FireEye, as a board member.
DeWalt says he’s looking at Maryland-based companies because he wants to unlock the NSA’s trove of talent and know-how for the private sector. He says “offensive” cybersecurity expertise — as in going on the offense to hack someone else — is exceedingly rare in Silicon Valley but plentiful in Maryland.
“It started 10 years ago, maybe less, when governments began to attack commercial companies,” he said. At one point “we responded to 5,532 American breaches” while he worked in the private sector.
Ackerman said he’s not trying to poach people from the NSA or persuade anyone to abandon public service. What he does want to do is find people who are already thinking about leaving and give them an opportunity to start a business.
“There are a lot of people who, for their own reasons, get to a point in time where they’re passionate about what they do, they’re passionate about beating the bad guys, but they want to do it in a different environment,” Ackerman said. “We’re there to support them.”
Much of the incubator’s credibility comes from an early success that set a high bar for founders such as Williams. One of Datatribe’s first companies was a start-up called Onyara which, like Enveil, was built around NSA technology.
It was founded by Steven and Joe Witt, brothers who respectively worked in the CIA and NSA. In family discussions that started in 2010 and fizzled out twice under “do we really want to do this” anxiety, the brothers left their respective intelligence agencies in March 2015, taking a handful of close associates with them.
Onyara’s core product, called Apache Nifi, is designed to rapidly analyze the millions of rapid-fire signals that come off connected devices. The brothers declined to say what the agency was using it for, but the software was freely released outside the agency in the fall of 2014.
Corporations use the product to manage the signals coming off things like oil rigs, mobile phones and other industrial equipment.
Onyara signed its first customer after just four days and sold the company five months later for $40 million. Now the group operates as a Baltimore-based unit of a California-based security firm.
The way the Witt brothers see it, they never really left public service.
The people leaving intelligence agencies “don’t view it as they’ve left CIA or NSA and that’s it,” Steven Witt said. “They could go back into the public sector or run for public office.”
For her part, Williams believes the emerging ecosystem of young companies and investors will be key to the success of start-ups like hers.
“It takes somebody that understands the power of technology in a government setting to take a risk on something like this,” she said.