Any IT companies that missed the memo about the opportunities in information security should probably consider changing email provider. In a climate where breaches are everyday news and with C-level executives eager to avoid the backlash from users and shareholders, infosec service providers can be a vital line of defence. But while most CRN readers have heard the message about diversifying into security, few have backed themselves to such great acclaim as this year’s No.1, The Missing Link Security.
With 2016 revenue of $11.5 million, it’s the largest company to top the CRN Fast50 in five years and the only No.1 to have cracked $10 million without acquisitions. At 333.26 percent, it is also one of the fastest-growing firms in the awards’ history.
The security-focused IT provider was set up by six directors as a sister company to well-known Sydney integrator The Missing Link Network Integration. The two entities have a different ownership mix. While Network Integration is a partnership of founders Alex Gambotto and Daniel Forsythe, The Missing Link Security also counts general manager Karen Drewitt as a director, along with technical leads Aaron Bailey and Sam Marshall, who both joined out of Dimension Data’s security team in mid-2013.
For Bailey, the new company offered an opportunity for autonomy over technology decisions that he didn’t have within the monolithic DiData. One vendor choice in particular drives The Missing Link Security to the top of this year’s CRN Fast50, and that was the decision to partner with FireEye.
“When we started in September 2013, FireEye was fairly new in country. The technology they do bring is effectively sandboxing... it was a fairly new concept. I was aware of the vendor from my previous role. They were trying hard to get our attention at Dimension Data,” says Bailey.
“There was nothing like a clean sheet of paper to look at this disruptive vendor.”
FireEye drove more than 80 percent of The Missing Link Security’s revenue in the 2016 financial year, and the company also specialises in Fortinet, Palo Alto Networks and Zscaler. Within the product mix, some customers prefer infrastructure, while others lean toward cloud. “Some clients will mandate appliances plugged into their data centre. Defence, for example, has been quite clear about not liking cloud technology. Other clients are at the other end of the spectrum and want to rely on cloud services.”
Drewitt adds that The Missing Link Security is “constantly evaluating” the vendor mix.
In the fast-paced world of beating cyber criminals, incumbency is no indicator of future success. Yesterday’s market leading security vendors are under constant pressure from the next generation.
“The advantage I have been able to enjoy here versus my previous role is greater autonomy over vendor strategy. I have seen the issue of just locking in with a vendor,” says Bailey.
“It is a complex landscape,” adds Drewitt. “I read somewhere that larger enterprise organisations can have up to 80 security vendors. That is an incredibly complex mix we have to be across.”
Bailey stresses that reselling and integrating products is only part of the company’s business mix – services are a big factor in the success.
Bailey splits The Missing Link Security into “breakers” and “builders”. The breakers are the ethical hackers that provide penetration testing, while the builders are the engineers and architects who work with products.
“A third of our team are hackers,” he says. “They don’t build products, they just break into people’s networks. Having that lets us learn the latest attack techniques.”
The company ensures that breakers and builders talk to each other, which helps devise new solutions for customers and drives further business opportunities.
Drewitt adds that this knowledge sharing culture attracts white hat hackers. “Part of it is building a team where they can learn from each other,” she says. “We have tried very hard to ensure we have the best in the business. That is an attraction, especially for someone who is new to this side of the industry.”
Much has been said about the demand for security skills. In terms of recruitment, IT solution providers like The Missing Link Security are in competition with end-user IT teams as well as the vendor community – both the market leaders and the hot startups.
“I don’t think we have ever been outbid by a big company,” says Bailey. “I don’t see commercials being a roadblock. We believe in paying people what they are worth, and what clients will pay for them.”
While conceding that “vendors generally do pay more than a company like ours”, Bailey adds that “a surprisingly high number of people are not about the money. It is about job satisfaction and what they are learning.”
“The top prize for a hacker is to break a computer, but they can’t learn that from a computer. More so than any other area of IT, it is very hard to learn hacking in the classroom. There is some training but it is no replacement for learning under the mentorship of someone who knows how to do it,” says Bailey.
“We have spent quite a bit of time and effort in building our brand in the security area,” says Drewitt. “We have had candidates come and approach us because of the other people we have in the team, not least Aaron and Sam. It is a constant building of the brand.”
She adds: “The truth is there is no silver bullet. We try really hard to be an employer of choice.”
The Missing Link Security looks to instill a culture of further development right into the incentive schemes. The company recently instigated a policy whereby staff could take their bonuses as training. The company actually doubles the bonus when it is spent on development. “If they want the cash, take the cash, but if they want training, take double.”
There’s no time for resting on laurels in cybersecurity. Bailey is brimming with ideas for where to take the business next. One vendor he is keeping an eye on is Darktrace, which uses machine learning to detect anomalies in the flow of data around the network. “Whether I can call it the next big thing... I don’t know if it will be the next Palo Alto but we will see,” says Bailey.
The Missing Link Security is also looking to build its prowess in security automation and orchestration, Bailey says. “The problem with having so many vendors and technology is keeping your staff trained and skilled in 20 different vendors. If an alert or alarm goes off, you want to shorten the time between that alert going off and making a decision.”
The rise of security information and event management (SIEM) technology means there is an overload of notifications pinging a security operations centre. “With the number of alerts coming in, it’s hard to separate the wheat from the chaff,” says Bailey.
The company has also recently been approved by the Council of Registered Ethical Security Testers (CREST), which is run in Australia by Greg Rudd (yes, Kevin’s brother).
“Greg Rudd said ours was the best admission he had ever seen and they have asked us to build the audit framework – to audit our competition,” says Bailey. He expects CREST approval to drive plenty of business, given the focus on cybersecurity under prime minister Malcolm Turnbull’s national innovation and science agenda.
“We are now very well placed to increase our client focus to federal government agencies and further capture more SMB and midmarket clients by leveraging those government grants and the innovation budget,” says Bailey. “You may see us a lot more in the limelight.”
Pictured above: Sam Marshall, Aaron Bailey, Karen Drewitt, Alex Gambotto and Daniel Forsythe
Key executives Aaron Bailey (security director), Karen Drewitt (general manager), Sam Marshall (security director), Daniel Forsythe (director) Alex Gambotto (director)
HQ Artarmon, Sydney
2016 revenue $11.5 million
Top vendors FireEye, Fortinet, Palo Alto Networks, Zscaler