Minding Your Business
The information security industry is booming in Georgia fueled by startups and Cyber Command
Vital Industry: Wenke Lee, co-director of Georgia Tech’s Institution for Information Security and Privacy
One of the truisms of the modern world is that you’ll be hacked sooner or later. It’s a matter of when, not if.
“Everybody’s under attack all the time,” says Chris Rouland, a cybersecurity industry veteran and founder of the Atlanta-based startup Bastille. “For bigger companies, the general consensus is if you think you haven’t been hacked, you just don’t know it yet.”
A growing number of Georgia companies are devoted to preventing and containing damage from those data breaches at businesses and government agencies. The information security industry, known as infosec, is growing so fast that the state university system is scrambling to make a dent in the demand for skilled employees. State business executives are making cybersecurity a priority like never before.
The state has more than 115 information security companies that employ more than 10,000 people, says Tino Mantella, president and CEO of the Technology Association of Georgia. Those companies generate $4.7 billion in annual revenue, making Georgia one of the top three markets in the United States for the cybersecurity industry.
Georgia enjoys an economic synergy created by the private and public sectors. The geographic focal points for the Georgia information security industry are Atlanta, the business capital of the Southeast, and Augusta, home to Fort Gordon. That’s where the U.S. Army Cyber Command is now located.
The state has been a national leader for years in financial tech, meaning the software and programs used in purchases and banking transactions, and healthcare tech, which includes storage of medical records. Those are two industries that hackers love to attack, so it’s natural infosec would grow here.
Industry giants like IBM and Dell have operations in Georgia. Honeywell opened a research and development center in Duluth last year to develop cybersecurity technologies.
The Tech Connection
The nimble startup companies that begin with a handful of dedicated employees give the Georgia infosec scene a youth-powered vitality.
Georgia, and Atlanta specifically, enjoys a pipeline of brainy, ambitious tech specialists from Georgia Tech, access to capital and an energetic entrepreneurial community that embraces good ideas, whether they come from old-timers or students, says Wenke Lee, professor and co-director of Georgia Tech’s Institution for Information Security and Privacy.
“The Mark Zuckerbergs of the world have proven that great ideas from university students can catch fire with consumers and become viable businesses,” he says.
Some of the successful security companies that have roots in academic research and training at Tech are ISS, Ionic Security, Damballa and CrowdStrike. Another firm, Pindrop Security, was founded while Vijay Balasubramaniyan worked on his doctorate at Georgia Tech.
“The first office was across the street from the campus right in Tech Square,” says Paul Judge, the company’s chairman and himself a doctorate graduate from the school. “Mustaque Ahamad, Vijay’s advisor, helped him pull together the founding team, including myself. We are now the largest tenant in The Biltmore across the street from the campus.”
Balasubramaniyan is now Pindrop CEO, and Ahamad is the company’s chief scientist. Pindrop specializes in voice communications security, largely for banks, insurers, brokerages and retailers. The company technology quickly analyzes the audio of each call to determine where it’s really coming from; if the caller is using a cell, landline or VoIP (Voice over Internet Protocol); and if the audio characteristics fit those of previous fraud attempts.
Other Atlanta-based firms include:
NexDefense. The firm created Sophia (the Greek word for wisdom) software that protects the computer systems controlling large facilities like nuclear reactors and electric power plants. The software detects deviations in network traffic, such as an unauthorized user seeking access to control systems, and alerts the security team.
Bastille. The company recently uncovered a vulnerability in wireless keyboards and mice called “Mousejack” that allows a hacker within 100 meters to take over a computer through a flaw in wireless dongles that plug into a computer. Once inside a computer, the hacker can invade a larger network with devastating consequences.
Lancope. Formed in 2000, the firm created the StealthWatch System, which weeds out unauthorized hits on a network by creating a baseline of normal activity that allows it to detect anomalies, including insider threats and illicit activity from bring-your-own devices like smartphones.
Cybersecurity is a high-ticket, international enterprise. Cisco Systems bought Lancope last fall for $452 million. Dell’s Atlanta-based SecureWorks raised $112 million this spring in a public offering.
The Internet of Things
The chances of getting hacked are growing exponentially, and not just because there are more smartphones and tablets out there. Hackers can now sneak into a major company’s network system through refrigerators, televisions, air conditioning systems and other objects not conventionally thought of as “smart.”
Those devices are part of the Internet of Things (IoT), the worldwide collection of devices, vehicles and even buildings that are wired with electronics and software and connected to networks.
The Target data breach, one of the best-known in the United States, occurred when hackers obtained the login credentials of a heating and air conditioning contractor, The Wall Street Journal reported. From there, the thieves worked their way into the deep guts of the company’s computer system and stole about 40 million customer credit and debit card numbers.
By 2020, 20.8 billion connected “things” will be in use worldwide, predicts Gartner Inc., a leading information technology research and advisory company.
Another development that challenges infosec firms is cloud storage, in which data is saved in an off-site storage system operated by a third party. It frees up storage space in your own system but creates another opening for hackers.
What can business owners do to protect themselves?
To start with, they should acknowledge that cybersecurity is not just about stopping hacks. It’s about responding quickly when a hack occurs. That’s why sizable companies need an employee who’s dedicated to information security, not just making that the duty of an IT specialist, industry experts say.
High Cost of Hacking
“Consumers need to understand that a black market exists where all this data is collected, pieced together and then sold,” says Pindrop’s Judge. “Criminals then use your profiles to attack via the phone channel at banks, insurance companies and more.”
Sony’s 2014 hacking led to the disclosure of personal data of about 47,000 people and embarrassing internal emails revealing that female stars in American Hustle, like Jennifer Lawrence, were paid less than the male stars.
The Home Depot was hacked at the company’s payment terminals, resulting in the exposure of 56 million credit and debit card numbers. The company said it had $232 million in expenses stemming from the security breach.
Target said its hack cost the company about $252 million. What really caught the attention of top executives across the country was CEO Gregg Steinhafel’s resignation because of the scandal.
Since then, companies have been investing more money in information security.
Top Georgia executives say security is now their No. 1 initiative, according to a survey in the 2016 TAG State of the Industry Report. Last year, it was No. 5.
Derek Harp, co-founder and executive chairman of NexDefense, identifies himself as a “cybersecurity evangelist” on his LinkedIn account. He says leaders in the field need to step up their game.
“We’re at a major tipping point in that various threat actors have become highly sophisticated and well-funded, with seemingly endless opportunities to cause financial, reputational and now physical harm,” he says. “The way I look at it, it is contingent upon people with leadership opportunities to do whatever is in our power to educate and lead the next generation of emerging cybersecurity practitioners.”
One often-stated fact of the industry is that the first line of defense – humans – constantly needs strengthening.
Industry specialists say hackers are turning away from broad-based attacks on a system in favor of detailed approaches to individual employees.
In spear phishing, a hacker sends an email to a company employee that looks like it comes from a trusted source, perhaps one of the employee’s superiors. If the employee clicks on an attachment or complies with a request to enter password information on another webpage, the hacker can access the company network, perhaps disguised as the duped employee.
A sub-industry of cybersecurity education firms has cropped up. Firms like Aware Force, based in Dunwoody, provide videos, podcasts and newsletters to companies so employees will be up-to-date on the newest online tricks.
Harp says there’s a generational difference toward information security.
“It’s also interesting to note that, while millennials are the most digitally savvy generation in the history of the world, they are also the least concerned about their own cybersecurity,” he says.
Lee says part of the security problem is that companies seek so much information from consumers in the first place.
“I personally would like to see wide adoption of more flexible opt-in/opt-out policies that allow the consumer to opt-in to sharing some data, but perhaps not all of their data in exchange for use of a product or app,” he says. “Right now, privacy policies are ‘take it or leave it’ and give the consumer no option. You must comply, or you can’t use the product. In many cases this gives businesses more data than they intended, and it also gives them the burden of more liability for more data they now must protect.”
Fort Gordon Leads the Way
The federal government is driving the expansion of cybersecurity.
President Obama has created two new organizations to focus on the threat and has asked for $19 billion to spend on cybersecurity – a 35 percent increase over the previous year.
In Georgia, Augusta is clearly the leader in federal improvements to information security.
In late 2013, the government announced the U.S. Army Cyber Command was relocating from Fort Meade, Md., to Fort Gordon. That put all Army cyber and network operations under one commander for the first time in its history.
By the time the Army cyber center transition is complete around 2019, 4,100 military and civilian workers will have transferred to Fort Gordon, bringing with them family members.
The move has sparked a surge of private military contractors to open offices in Augusta, including Booz Allen Hamilton, Northrop Grumman, MacAulay-Brown, Sabre Systems and Chiron Technology Services.
Economic development leaders are already talking about a seven-county area on both the Georgia and South Carolina side of the Savannah River as the “Fort Gordon Cyber District,” says Stan Shepherd, chairman of the board for the CSRA (Central Savannah River Area) Alliance.
Augusta University is taking full advantage of the situation. Provost Gretchen Caughman says the school is ramping up certificate programs on cybersecurity to be embedded into bachelor’s degree tracks and offering an associate’s degree in the subject.
But the state university system is not providing enough people for this industry, despite the recent increase in cyber studies at schools like Armstrong State and Augusta University. In fact, a 2015 task force that Caughman chaired found that Georgia had about 8,000 cybersecurity job openings in 2014 but only 46 grads from public schools to fill them.
“Even though we all knew it was going to be huge, we were all surprised at how big the gap was,” she says.
The solution suggested by the task force: Increase the emphasis on cyber studies at colleges, partly by the use of online courses, and get middle and high school students interested in the subject.
“The university really needs resources to recruit those faculty and maintain state-of-the-art labs,” Caughman says. “You really need to be training on the next thing out there.”
Another problem: The private sector outpays the public sector, making it difficult to retain talented people. Cybersecurity salaries usually pay about $15,000 over the average salaries for IT jobs overall, the task force reported.
What Can State Government Do?
Some people in the industry think the state government needs to do more than educate potential employees. Tax credits are a recurring idea.
Rouland, of Bastille, says tax credits for the security industry would do more to benefit the state economy than those given to the film industry.
“If you look at the movie tax credits the [state] has given away, that money goes back home. It doesn’t stay here,” he says. “Cybersecurity tax credits would create more jobs here.”
Mantella from TAG favors a broader tax credit that would benefit several sectors of the tech industry. But he says information security is “the No. 1 area with potential for Georgia for the next five years.”
State Sen. Bruce Thompson, chairman of the Senate Science and Technology Committee, says the General Assembly wants to work with the chamber of commerce to grow the cybersecurity industry.
“I would favor tax credits as long as it is structured to increase the market share,” he says. “Georgia is home to more than 115 information security companies, which generate more than 25 percent of the worldwide security revenue market. The cybersecurity market was over $75 billion in 2015 and expected to reach $170 billion by 2020. Again, I would support legislation that provided tax credits/incentives to increase Georgia’s share of this market.”
Even without the state government’s help, the cybersecurity industry will keep growing in Georgia. The success is building on itself.
“This kind of proof after proof builds confidence among investors that the right mix is happening in Atlanta,” Lee says. “The perfect storm is here.”