Indianapolis-based information security firm Pondurance is in growth mode, nearly doubling its staff of 14 in the past six months and expecting to add another 55 jobs in the next several years.
The company’s annual revenue likewise is on pace to double to $8 million this year—just two years after founding partners Ron Pelletier and Landon Lewis consolidated their consulting practices into a single bootstrapped entity with complementary skill sets.
Pelletier, a former Army officer who also worked as a senior manager at Ernst & Young, brings 15 years of information security, risk assessment, and business continuity experience to the table as a strategic adviser.
Lewis has the technical expertise of a white-hat hacker. That, along with his 16 years of information security work in a variety of industries, qualifies him to oversee the firm’s efforts in security testing, threat management, and network security monitoring.
While Lewis and his team find and exploit their customers’ weaknesses so they can be addressed, Pelletier looks at the bigger picture to identify underlying issues, like a lack of management oversight or an ineffective audit team.
“We bring a lot of sanity to the process,” Pelletier said. “Information security, for the most part, is not a one-size-fits-all solution. It’s definitely a customized approach to solving a complex problem. You can’t just throw money at it.”
Pondurance’s work with its 100-plus clients runs the gamut, from helping companies protect the sensitive data stored on their computer networks to ensuring that utilities keep the systems powering the nation’s critical infrastructure secure and functioning.
The company is part of a growing breed of what Forbes magazine calls pure-play cybersecurity firms, regional niche companies that focus on the growing market for securing data and IT systems. Research firm Gartner expected global spending on information security to exceed $75 billion in 2015.
Meanwhile, the cost of data breaches was estimated at $3 trillion worldwide in 2015.
Pondurance starts with an analysis that determines the client’s needs and its tolerance for risk. And oddly enough, the solution doesn’t always involve the latest piece of high-tech equipment.
“Technology certainly is a great enabler, just like the hammer is a great tool. If you buy a sledgehammer to put tacks in the wall, it may not be the right tool,” Pelletier said. “If you’re not sure what tool you’re wielding, it may not be the most effective option. We leverage technology to the extent that it’s good for our clients.”
“You don’t need, in all cases, the multimillion-dollar solution,” he continued. “You may just need some good processes or operational controls.”
And even that multimillion-dollar answer may not be worth much more than a false sense of security, if it doesn’t include ongoing monitoring, analysis, and follow-up, Pelletier said.
Industry averages suggest companies don’t discover their systems have been compromised right away, Lewis said. The median time from breach to detection was 146 days in 2015, according to a Mandiant Consulting report released in February. That’s down from 205 days the year before, but Lewis said it’s still too long—and no one wants a repeat performance after they’ve been hacked.
“Once you’ve helped a client with an incident, the last thing they want to do is shut the lights off again and enter head-in-sand mode,” Lewis said.
So Pondurance added security monitoring to its service offerings, and it’s building a state-of-the-art security operations center in its new downtown Indianapolis headquarters. The 1,200-square-foot hub will accommodate up to 16 analysts when it opens this year.
The company’s managed security services also have been popular, and the partners expect them to drive significant growth. The subscription-based service covers all the bases, from threat management and risk mitigation to incident response, they say. Pondurance even can provide a “virtual chief information security officer” who keeps everything running smoothly.
“That’s our opportunity to really leverage the full extent of our experience in multiple levels of the organization,” Pelletier said, calling his firm’s services “a veritable Swiss Army knife.” He added, “That way, the clients don’t have to maintain a bench of resources that’s difficult to maintain.”
Media coverage of data breaches is driving much of the security industry’s growth, he said. Businesses are paying more attention to security measures, and those in regulated industries are feeling the pressure to comply with specific standards or be fined.
“There’s also a lot of reputational stake in the game,” Pelletier said. “You don’t want to be that organization that finds itself on the naughty list, or on the front page of USA Today, so there’s a greater sense of care than there has been.”