It’s a seller’s market for the cyber war’s special forces.
Just ask Scott Davies, 30, who left a career snooping on Australia’s enemies in December for a similar gig at FireEye Inc. Or Brian Varner, 35, who swapped a job with the U.S. Department of Defense breaking into networks in the Middle East and other hot zones to be a security engineer at Symantec Corp.
“I have a blank canvas to paint whatever I want,” says Varner, exulting at the lack of bureaucracy, not to mention his ability to work remotely from Florida.
All told, cybersecurity companies have hired hundreds of ex-government sleuths in recent years, capitalizing on the boom in business caused by hackers who stole more than 1 billion records in attacks last year. The former spies, cyber-warriors and government-groomed hackers are becoming the cornerstone of the cybersecurity services industry, which is projected to bring in more than $48 billion in revenue next year, up 41 percent from 2012, according to Gartner Inc.
“The people coming out of the military and the intelligence community are really, really good,” says Nir Zuk, co-founder of Palo Alto Networks Inc. and himself a former Israeli army computer hacker. “They know the attackers. They know how they work.”
FireEye has hired more than 100 ex-government hackers since 2013, part of an international expansion that has cost more than $1 billion, according to Chief Executive Officer Dave DeWalt. Symantec has increased the size of its security services division by almost a third, to 500 people, in the past year.
Even smaller companies are snagging top talent. Lacoon Mobile Security, a mobile-security startup that Check Point Software Technologies Ltd. agreed to buy this month, has hired 15 people from Israel’s Unit 8200, said Michael Shaulov, a Lacoon co-founder who, like Zuk, served in the Israeli military’s computer-hacking group. The hires usually had five to eight competing offers and each earned more than $100,000 straight out of the armed services, Shaulov said.
“There’s a bit of a run on security talent,” said Rob Owens, an analyst at Pacific Crest Securities in Portland, Oregon, who has covered the industry for almost 20 years.
While CVs that include government hacking can supercharge careers, they’re not a guarantee of safety — or an easy fit in corporate America.
Bloomberg reported in February that JPMorgan Chase & Co. has put two former Air Force colonels in its cybersecurity division and that they clashed with the FBI, Secret Service and some members of their own staff about their insistence that Russia’s intelligence services were behind a hacking attack on the bank last year. Law enforcement has determined the attack was the work of ordinary cyber-criminals, and insiders said the clash was an example of how military training can cause some to see state-sponsored attacks where there are none.
At Palo Alto Networks, one of Zuk’s recent hires was Chief Security Officer Rick Howard, who spent more than two decades in the U.S. Army. He last served as chief of the computer emergency response team before entering the private sector. The $1 billion FireEye has spent on expansion is on top of the 2013 acquisition of Mandiant, a data-breach investigations company, which was founded by former Air Force special agent Kevin Mandia. That deal was valued at $1.05 billion.
Some investors have been leery of the costs of the added headcount.
FireEye spends 48 percent of revenue on research and development, the highest ratio of any of the 31 companies in the ISE Cyber Security Index, according to data compiled by Bloomberg. The index average is 18 percent.
While FireEye’s shares fell from a high of $95.63 in March of last year to a low of $25.76 in October, in large part because of concerns about spending, the stock is up more than 30 percent this year amid signs that DeWalt’s pitch to investors is gaining some traction.
“The costs are so much bigger now for the security industry than they ever were — the threat landscape has changed so much,” DeWalt said. “You can’t just have a product. You need the people to match it. There’s no shiny bullet that does it all.”
- Most Cyber Attacks Not Due to Sophisticated Hacking
- Cybersecurity Is Corporate America’s Job
- Corporations Warned Not to Hack Back
- Hackers Increasingly Target Banks, Business, Not Consumers
- New York to Investigate Insurers’ Cybersecurity Work
- Insurance Industry Says Cyber Threat Database Needed
- Risk Modelers Working on Tools for Gauging Cyber Risk
Was this article valuable?
Here are more articles you may enjoy.