Tuesday, August 2, 2011

SDM Alumnus Speaks to US Senate Committee Field Hearing on Small Businesses and Entrepreneurship in the Growing Cybersecurity Field

From Lois Slavin, SDM Communications Director
US Senator Ben Cardin (D-MD), left, with SDM alumnus
Dr. Charles Iheagwara. Senator Cardin chaired the
field hearing at which Dr. Iheagwara spoke.
Photo courtesy of U.S. Senate

SDM alum Charles Iheagwara, PhD, CISSP, PE, and chief marketing and business development officer at Unatek Inc., recently spoke on “The Role of Small Businesses in Strengthening Cybersecurity Efforts in the United States” at a US Senate Committee field hearing in Maryland.

Excerpts from testimony of SDM alumnus Dr. Charles Iheagwara
The growth of many medium and big-sized firms is made possible by the entrepreneurship of small businesses. Thousands of these companies have peaked in their organic growth but continue to grow from mergers and acquisitions of highly entrepreneurial small businesses. Therefore, there is no doubt that the entrepreneurship of small businesses is the fuel that propels growth, consolidation, and the expansion of services in organizations that have peaked in their organic growth. In the last 10 years, it is worthy to note that countless numbers of small businesses that are in the cybersecurity business have been acquired by large firms.

The role played by small businesses in strengthening cybersecurity efforts in the United States can be measured by several metrics and indicators. But by most accounts, the impact of small business contributions to the cybersecurity sector and the overall economy can be described in the broad terms of “talent,” “capacity creation,” “incubation,” “innovation,” and “niche services”—to mention but a few.

1. Talent.
Cybersecurity is a field that has become highly specialized. Like the medical profession where there are general practitioners and specialists, in the cybersecurity practice we have those that specialize in policy work, certification and accreditation, security engineering and architecture, analysts, etc. Small businesses with lower overhead structures are sometimes more capable of attracting and retaining niche talent.

2. Capacity creation. Many cybersecurity initiatives at the federal and state levels spur capacity creation of different business lines and activities. A case in point is the recent DFAR changes proposed by the DoD that will affect the entire DoD supply chain, which consist of mostly small businesses. Creating services that these small companies can use will become extremely important (and lucrative for the companies that do it).

3. Incubation (of technologies, business processes, and practices). Many cybersecurity technologies, business processes, and toolsets—to mention but a few—were incubated by one or a group of individuals working as small business entities that are engaged in cybersecurity practice or elsewhere. Such incubations eventually grow into products, solutions, and niche services that are launched into the marketplace by the big companies that acquired them.

In multiple instances, in one form or another, the concepts behind many cybersecurity defense arsenals originated from small businesses or individuals who are practicing as independent consultants.

4. Innovation. Small businesses are often executors of complex projects. As prime contractors, subcontractors, independent consultants, and employees, they are central to ideas generation. Through the many complex projects they work on they often discover areas of process, product, toolsets, business process, and technology that need improvement.

For example, as lead users of business toolsets, small businesses often recognize deficiencies and go on to improving or innovating the toolsets. They can be viewed as a poster child for the concept of “user innovation” as defined by MIT’s Eric von Hippel or “crowdsourcing” as coined by Jeff Howe in a June 2006 Wired magazine article about istockphoto (http://www.wired.com/wired/archive/14.06/crowds.html).

In contrast to the traditional R&D model that characterizes big firms’ innovation machines, where billions of dollars are spent before anything meaningful comes out of the efforts, working on the front line, small businesses are better at collecting customer inputs to innovate, a move away from the traditional R&D to where users drive innovation.

Small business–driven innovation comes in different shades. In the 1990s, innovation by small businesses in the cybersecurity market space centered mostly on developing the technologies, quality control, and cost of addressing cyberspace threats. Today, in consonance with the nature of cybersecurity, which has become a constantly shifting target, small business-driven innovations now revolve around efficiency and rewiring for creativity and growth.   

For example, Sourcefire Inc., which developed one of the model intrusion detection systems, was until a few years ago a small cybersecurity firm. It created the “Snort,” which was a basic model for intrusion detection systems. Today, it is a publicly traded company with many leading-edge cybersecurity products.

In the ’90s, when the Snort was created, technology development was the main focus in the cybersecurity market. Today, innovation has moved beyond defining the technology onto some other forms of perfecting existing technologies and products, improving techno-economic efficiencies and the cost of operations among others. This is generally reflective of the trend across the industry, and the contributions by small businesses in different innovative endeavors are by no means small in comparison to those that originate with big-sized cybersecurity organizations. Throughout this arena, small businesses are innovating in terms of technology, business models, and more.

5. Niche services. Niche services are those services that require specialized expertise, setup, and organization to deliver. The expertise is largely acquired outside the bounds of any formal or organized training organization. The most recognized niche service in cybersecurity is ethical hacking services. Although many training institutions deliver some form of cybersecurity training with ethical hacking content, it is known that ethical hacking expertise is largely acquired through other means that are outside the confines of a trainer classroom.   

The most famous hacker, Kevin Mitnick, did not acquire his hacking skills in the classroom but rather through his extraordinary talent. Today, individuals with such talents have organized their practice around small business consultancies that provide their highly specialized services to hundreds of big businesses, the defense and intelligence establishments, and others that are in constant need of testing their information systems for proof of resistance to hackers.

Today’s burgeoning niche services have become business requirements arising from different needs. In some cases, the need arises unexpectedly where such services have not yet being incubated, matured, or fused into organizational business units and are outside the reach of the entity requiring immediately service. Organizing for service delivery then becomes a long-term project, and the immediate recourse is to small businesses that have the established capabilities to organize and deliver them. In cybersecurity field practice, we have seen countless such situations where the big companies working as prime contractors are not able to provide certain niche services but rely on small business subcontractors or independent consultants to provide them. Inherently, niche expertise is a mainstay in small business day-to-day existence.

Given the above, it could be argued that the key means in cybersecurity development strategy is to focus on the strengths and core competencies of small businesses that will enhance the overall security posture of our nation. There will be much value in examining ways to strengthen cybersecurity efforts in the United States—especially examination of the dynamic that drives innovation and spurs growth in small businesses with good track records and viable potentials. This could very well be the spark that unleashes the innovative fire in small businesses engaged in cybersecurity practice.

Despite the very strong and positive contributions of small businesses in strengthening cybersecurity efforts in the United States, there are still obstacles in realizing the full potential of small business entrepreneurship. Like individual entrepreneurs and big businesses, they require government support.

With a supportive environment and a fully committed program, both legislative and otherwise, small businesses can continue to grow, expand, and drive cybersecurity efforts toward new heights. Such a program should provide high-quality initiatives that are supported by a legislative mandate and should stipulate a certain percentage of small business share of all federal contracts awarded for cybersecurity. Low-interest loans to support innovation or niche projects will strengthen the managerial skills of prospective and current small businesses and assist them in selling their products and services to the government. The program should also facilitate access to information, counseling, and new cyber research initiatives.

No comments:

Post a Comment