K EYW seemed to fit the mold of a typical government contractor when it arrived on the scene in 2008. Its executives were contracting veterans who had sold their last company to Northrop Grumman and hoped to carve out a spot in the expanding field of cybersecurity. ¶ Just another acronym-named company in a government-gray industry. Its very initials suggested a what-me-worry approach to life, a play on Key West and its chief executive’s fondness for all things Jimmy Buffett. ¶ But what seemed a steady — even a little boring — line of business has proven to be anything but. The end of two wars, sequestration and, most recently, the government shutdown have roiled the contracting world, pushing some companies to look beyond the federal government in search of new avenues for growth.
After building its business on work with government intelligence agencies, Hanover-based KEYW earlier this month unveiled a cybersecurity platform called HawkEye, geared toward companies from financial firms to utility businesses.
With HawkEye, KEYW is attempting more than a customer shift; it also wants to make what is arguably an even tougher change: moving from a services company that provides staff to government agencies to a product company that sells technology.
Contractors don’t have the best track record when it comes to chasing new lines of business. Norman Augustine, the former chief executive of contracting giant Lockheed Martin, once famously said that defense companies’ efforts at moving into new sectors were “unblemished by success.”
But KEYW is betting the underlying cybersecurity challenges facing the government are not all that different from those facing private industry.
One of the reasons diversification is so difficult is that selling to the commercial world is much different than dealing with the government.
When a private company decides to buy something, it can simply do so. Government agencies, on the other hand, are typically required to put together a request for proposals that can include all sorts of mandated requirements, such as whether small or disadvantaged businesses should participate in a procurement. They must be prepared to defend their purchases should any losing bidder appeal, and they are subject to the whims of the congressional budgeting process.
Federal agencies “have a much longer procurement cycle ... because they have to go through all these different companies and reviews,” said Howard A. Schmidt, the former cybersecurity coordinator in the Obama administration who now runs a cyber consulting business. “Private sector has the ability to say, ‘Hey, this is good stuff. I want to go buy it.’”
There’s a certain reliability to government purchasing, but it can be difficult to speed up or to make highly lucrative deal. Selling to the private sector means more unpredictability about timing and profits, but the rewards can be far larger.
Richard A. Clarke, who has advised presidents on counterterrorism and cybersecurity, said the process of selling is also dramatically different.
“What you do with the government is not really selling; it’s responding to [requests for proposals],” he said. “What you do in the private space is you’re knocking on doors, you’re using shoe leather, you’re collecting business cards, you’re going to conferences.”
KEYW formed its commercial business through a series of acquisitions that included the purchase of 35-employee Sensage of Redwood City, Calif., last year. KEYW dubbed the new organization Hexis Cyber Solutions and installed Chris Fedde, formerly of data protection company SafeNet, to lead the group.
This year, Hexis has hired a half dozen executives, typically from commercial firms.
The central idea behind Hexis’s central product HawkEye is that there’s no one solution to deal with cyber attacks or malware; because the capabilities of hackers is constantly changing, companies need protection that can adapt as well.
When users apply HawkEye to their networks, it will at first simply track activity, noting the typical behavior, from where and how users log in to the kind of traffic that passes through.
Over time, it collects enough data that it can identify deviations in normal patterns or unauthorized devices. Based on user settings, it can automatically act to handle a given threat by, for instance, turning off a device, isolating a particular part of the network or alerting company staff.
KEYW made itself its own first customer for the product, installing it on its network to work out any bugs.
Fedde then set out to identify potential beta customers in some of the major industries that might become customers — financial services, energy, high-tech security and telecommunications.
Fedde’s former company SafeNet, which produces data encryption technology, was one of the earliest to sign on and became a beta tester about three months ago. The company installed the technology on its networks and let it run, watching to see what it caught and what it didn’t.
Jan Manning, the company’s chief information officer, was seeking a product that could address the constantly changing attacks the company faced.
Manning said she — and most other companies — want products that prevent attacks, but she accepts it’s likely some malicious e-mails and intrusions will get through. When that happens, she said, the key is being able to rapidly fix it.
“It’s very expensive to clean up after it,” she said. “If you can find it quickly and then remediate quickly, that’s what you want to do.”
Now, Manning said, the company has decided to keep running HawkEye.
“It’s not going to replace fire walls,” she said, but what it can do is automatically take care of some intrusions — without requiring much attention from SafeNet’s staff.
Telecommunications company Inmarsat Government, too, served as a beta customer, testing the technology on its corporate network, said Jason Ramsbottom, the company’s chief operating officer.
He said Inmarsat hadn’t found another product that could actually fix attacks — rather than simply trying to prevent them.
If HawkEye “continues to perform as it has been, I anticipate using it,” Ramsbottom said.
As KEYW went through the beta process, it naturally found bugs and made tweaks to HawkEye, Fedde said. But perhaps more importantly, it realized that what commercial users sought was far more extensive information than the early version of HawkEye made available.
“What we learned was they loved the awareness factor, they wanted us to give them more and more dashboards, they wanted more feedback as to what’s really going on in their network,” Fedde said.
KEYW’s experience does not surprise Tim Sullivan, the chief executive of Chantilly-based cybersecurity company nPulse Technologies and founder of Fidelis Security Systems, the General Dynamics acquisition that now serves as a hub for the contractor’s commercial cybersecurity business.
Government agencies as well as banks and telecommunications companies are using nPulse’s technology, he said.
Sullivan said it makes sense to start with a government customer, because the government is generally more concerned with what the technology does.
What commercial companies want is a more polished, easy-to-use product. When preparing nPulse for banks and and other private companies, Sullivan said his team added new features and analytics.
“Ground zero for cybersecurity is Fort Meade,” home to U.S. Cyber Command and the National Security Agency, he said. “If you’re solving their problems, you’re solving the toughest problems.”
That’s the mind-set that keeps companies such as KEYW pushing into commercial work — despite the difficulties that other contractors have encountered when seeking to move outside their traditional arena.
“The problem with having one foot in defense and the other in commercial is that it requires a company to maintain parallel cultures,” said Loren Thompson, a defense industry consultant. “It hasn’t been done very well.”
Still, KEYW is determined to try and doesn’t plan to walk away from government contracting.
Leonard E. Moodispaw, KEYW’s founder and chief executive, said it’s important that Hexis be separate from KEYW so that it doesn’t get tangled up in government contracting bureaucracy. The contractor plans to fully separate the two by the end of the year, meaning Hexis employees will have separate benefits plans and timekeeping rules.
But he doesn’t want to divide them so far that they can’t share technology and information.
“There is a great deal of benefit to having the two companies being sister companies,” he said.