Columbia cybersecurity firm gets boost from Silicon Valley

Ron Gula is CEO of Tenable Network Security.
Ron Gula is CEO of Tenable Network Security. (Barbara Haddock Taylor, Baltimore Sun)

The venture capitalists at Accel Partners fly around the world to find hot companies ripe for investment. The Silicon Valley-based firm was the first major investor in Facebook years ago, and its portfolio is a Who's Who of fast-growing technology enterprises.

But a few years ago, a little company in Columbia called Tenable Network Security Inc. caught the eye of Accel's executives. They followed Tenable closely as it steadily emerged as a top player in cybersecurity.

Then, in September, the bombshell: Accel decided to pump $50 million into Tenable, a staggering amount even by venture capital standards and the biggest investment that Accel has ever made in a North American company. Tenable accounted for nearly one-third of all venture investments in Maryland companies in the third quarter.

"Tenable is incredibly under the radar," said John Locke, a vice president with Accel. "They're one of the more attractive enterprise software companies that we've ever seen, and we're talking to tens of thousands of companies every year."

Tenable has quietly built a booming business selling network security products and services to the U.S. government and companies around the world. It's profitable. It has thousands of clients. And it's in an enviable market: Government and private companies, which use the Internet for communications and e-commerce, are willing to pay top dollar for round-the-clock security.

The market for vulnerability management software and services is growing steadily. Worldwide revenues in the sector were $3.4 billion in 2010, according to IDC Research, which expects revenues to exceed $5.7 billion by 2015.

"There's a real opportunity for companies," said John Slye, a federal industry research analyst with GovWin, a Herndon, Va.-based market intelligence and software company. "We're not just looking at what the government is spending. We're trying to get to what is in play for the rest of the addressable market."

Accel sees Tenable as poised to dominate that market. Its investment in Tenable was five times more than its original Facebook stake. And the firm wished it could have invested more for a bigger stake, but Tenable wasn't offering more, according to Accel's Locke.

Accel offered the $50 million infusion at an undisclosed valuation of the company.

Accel became a minority partner in the business, while Tenable got a large infusion of capital that it plans to use for hiring and expanding in the next two to three years.

Tenable didn't need Accel's money, but took it to grow more quickly and develop more security products, according to Ron Gula, Tenable's CEO. Prior to the Accel money, Tenable's only outside source of investment came from the Maryland Department of Business and Economic Development, which gave the company $100,000 shortly after its founding.

Gula said the company paid that money back years ago to DBED, which in recent years has heavily promoted the state as a hub for cybersecurity companies.

If the company needs more money to grow, an IPO might be in its future, Gula said.

"Network security is a big problem and it's gotten a lot more complex over the last three years," said Gula, noting the widespread use of smartphones and Internet applications that now run in the "cloud."

Tenable was founded by three computer experts. Gula, a former information security expert at the National Security Agency at Fort Meade, used to run so-called "penetration tests" at the agency, where he probed government networks and tried to find vulnerabilities.

He partnered with Renaud Deraison, a Frenchman who built a tool called Nessus, known as a "vulnerability scanner" that can check computer networks for weak spots. Rounding out the team was a third co-founder, Jack Huffard, who has years of experience in the network security industry and is Tenable's president and chief operating officer.

The trio launched the company in 2002. In the lingo of startup entrepreneurs, they "boot-strapped" the company with their own money. But, unlike many startups, they started making money almost immediately. They quickly turned a profit and have steadily grown every year, now employing 200 people, 130 in Columbia.

In the past three years, the company's sales have grown 260 percent, Gula said. Since the firm is private, it doesn't disclose revenue or profit, he said.

Tenable is targeting the "vulnerability management" market, which analysts believe to be growing. Network security has evolved over the last decade, as a wide range of companies have developed tools that help firms detect and prevent intruders on a computer network.

But the market has evolved over the past five years, as more companies are dealing with a plethora of new risks and threats. Employees increasingly using their personal devices, such as laptops, smartphones or personal computers, on a company's network — part of the so-called "bring your own device" trend. Information technology professionals have to account for, and track, the activities of these devices.

The federal government has also imposed tighter guidelines on its agencies to monitor for network attacks and vulnerabilities, and many industry observers expect the standards to become even tighter in coming years. Where the industry standard for companies is to do a full network security scan once a quarter, Gula sees the federal government leading the way to push for such scans every 72 hours.

Eventually, the standard will be continuous, real-time monitoring of networks, a task that will require the kind of software that Tenable sells, which can make sense of a torrent of data points coming in every minute. Tenable bills it as its "Passive Vulnerability Scanner."

Such continuous monitoring software is "like the Doppler radar of network management," said GovWin's Slye.

In a presentation at the CyberMaryland conference in Baltimore earlier this month, Slye noted that the future of cybersecurity will hinge on real-time network security solutions. For instance, the Defense Department wants to know the external and internal threats to its network at every moment, from an unauthorized service member downloading classified data, to a nation-state launching a prolonged cyber attack.

The White House is pushing for an update to the Federal Information Security Act of 2002 that would move from paper-based reports to the continuous computer monitoring of the government's networks.

Tenable's sales to U.S. government agencies account for about a quarter of the company's revenues, said Gula. The rest comes from commercial customers in diverse industries, such as health care, energy, and finance, and governments outside the U.S., he said.

The company sells a low-cost version of its network-scanning software for $1,500 a year; that configuration essentially offers a basic overview of a company's network vulnerabilities.

But for companies with 1,000 to 5,000 employees, Tenable's software packages can range from $100,000 to $250,000, Gula said.

"We really believe there's this emerging market coming," said Gula. "And we're positioned to be there."