Meet the Atlanta Cyber Week Influencers: NexDefense Co-Founder and Board Member Derek Harp on Shopping for Cybersecurity Services

by Derek Harp

Finding the right provider of cybersecurity services requires significant time and effort. The considerations are many, the complexities great and the pressure often tremendous. Large enterprises have dedicated staff to resolve these puzzles, but what are the small and medium-sized businesses to do? With limited or nonexistent staff wholly focused on cybersecurity, business leaders can find that just getting the process started can be quite challenging.

Traditional project management dictates that project requirements be established at inception through an analysis of stakeholder goals, clearly capturing and detailing what the project must accomplish and the problem(s) it must solve. Knowing the cybersecurity concerns of a company, unfortunately, requires knowledge not only of that business, its operations, IT and industrial control systems (ICS); it also calls for an understanding of the constantly-evolving security landscape. Both are necessary to evaluate where the company’s cyber vulnerabilities are and what it will take to eliminate them or otherwise protect them from exploitation. Will a company need security software, appliances, staff or some combination of these? Companies without sufficient expertise internally may have to engage a security consultant before even starting the larger project of resolving the actual security needs.

The “shopping” process itself can be daunting. The IT security services marketplace has become crowded and volatile, with new providers appearing frequently and disappearing at almost the same rate, whether by shuttering, being acquired or pivoting their core business focus. Which providers are right for your particular company? Will they have the resources you need in the location(s) you need them? And how do you determine which have the right skills, enough availability and the best answer to that mother of all restraints – the right price?

The first pass – building the list of possible providers – may be pretty easy; online searching will likely turn up plenty to choose from, depending on your business focus. Culling that initial pool takes more information and deeper analysis. Talking with sales representatives will be the only way to get some of the answers needed, but it is also the most time-consuming activity. Drafting a targeted list of questions before making any calls can help a great deal. A company’s specific cybersecurity needs will determine a lot of what you’re asking, but there are a few general questions to consider:

  • How long have the providers been in business, and what’s their track record like? Are they stable in size, growing or shrinking? Are they new to your area?
  • Do they have experience working with companies of your size, in your industry or perhaps your business model?
  • Can you talk with current or past clients about work with them?
  • Can they provide all of the security services you need?
  • Are they focused on exactly what you need or do they provide other things as well?
  • If the security services you need are only part of what they do, is that good or bad?
  • Are the people who meet with you to spec your project the same ones who will complete it? Should they be?
  • What’s the turnover rate of their employees?
  • How do they keep their security practitioners up-to-date on technology and current risks? How much time do they allocate to ongoing professional development?

For most of us, the critical factor outside of our control which limits our cybersecurity options is location. In 2014, we moved NexDefense, Inc, an early stage cybersecurity business to Atlanta, specifically because of some key strengths in cybersecurity. The advantages of shopping for security services in the Atlanta region are plentiful, and they keep growing as the city continues to develop as a cybersecurity hub. Atlanta has a cybersecurity history reaching back multiple decades; even before Chris Klaus, Tom Noonan and their team started building the bellwether, Internet Security Systems, in 1995. Despite cybersecurity being in its infancy, ISS was able to grow and thrive in Atlanta, and when IBM acquired ISS as a new security division, they kept it in Atlanta. The growth of ISS generated awareness and interest in the business of cybersecurity in Atlanta and beyond, and many cybersecurity companies can point to ISS’s influence on their own origins.

A lot has changed in Atlanta over the past 22 years, and cybersecurity has been a big part of that development. There are more than 110 cybersecurity companies headquartered in Atlanta or elsewhere in Georgia, and we have a strong presence of global enterprises here with cybersecurity services as part of their offerings. The Georgia Institute of Technology has 11 labs and centers dedicated to cybersecurity, with nearly 500 scientists, faculty and students involved with cybersecurity research. Through the efforts of Georgia Tech, Georgia State University, Georgia State University, Kennesaw State University and Augusta University, more than 180 undergrad and 150 graduate degree-bearing cybersecurity workers entered the Atlanta cybersecurity talent pool over the past five years, and enrollment in cybersecurity degree programs has been rising rapidly. The establishment of the new U.S. Army Cyber Command at Fort Gordon will only add to the stream of highly-trained cybersecurity professionals available in the greater Atlanta region.

There’s also a long list of cybersecurity events, such as the Atlanta Cyber Security Summit, Cybercon, the ICS Cyber Security Conference and SecureWorld, which provide training, networking and information ranging from highly technical all the way down to basic introduction, enabling people in the field to advance their skills, knowledge and careers. Several of these conferences draw attendance from around the world. There are also many groups with local chapters here, such as ISSA, ISACA and the Control Systems Cyber Security Association International (which actually started here in Atlanta), which serve as forums for those working in cybersecurity and conduits to professional development.

The burgeoning cybersecurity ecosystem in Atlanta means that there is a local provider who is a good fit (maybe more than one) whatever your cybersecurity needs are, and there are multiple resources available help companies find the information they need in order to select the best cybersecurity provider.

Want to learn more about how to choose the right cybersecurity vendors for your business? Visit to learn more about the events of Atlanta Cyber Week happening October 2-6, 2017.