An abundance of cyber security laws, regulations, and compliance mandates permeate organizational technology strategies and processes. Although security experts rightly argue that compliance doesn’t equal security, compliance remains a tangible, relatable, fixable problem in the eyes of non-security executives and board members. To the security practitioner, compliance is a low bar that eats up valuable resources (in some cases, up to 40% of the overall IT budget). And though security teams would like to see a shift to a greater focus on security that exceeds compliance mandates, these requirements, along with many emerging standards body frameworks, continue to mushroom and consume resources.
The reality is that exceeding baseline compliance requirements means that companies will pass an audit with flying colors, and security teams aim for that target whenever possible. Unfortunately, internal resources are often scarce, and not every company can afford to bring in the Big Four to help steer the company in a more security-forward direction. While multitudinous small and medium-sized security consultancies exist, companies tell us they worry that the smaller shops can’t cover the breadth and depth of their cyber security compliance and assessment needs.
Coalfire, a cyber security advisory and consulting firm based in Westminster, CO, falls somewhere in the middle of the aforementioned extremes. In the cyber security market since 2001, Coalfire employs more than 700 security professionals and serves more than 18,000 commercial and government customers. During a recent briefing, the company’s CMO and Strategy Officer, Patrick Kehoe, explained Coalfire’s market approach. “In an industry with 20% attrition,” said Kehoe, “we made a decision a while back to double down on our culture and invest in our people. The result is that we’re able to hire and retain the best and brightest security talent. Because our employee turnover is really low, we can better serve our clients, and 97% of customers would refer Coalfire.”
Happy clients are a good endorsement for a company, but what makes their teams so successful? Kehoe shared that their consulting team maintains more than 40 industry certifications, from PCI to HIPAA; CISA to CISM; a bevy of solution-specific certs such as AWS Certified Solutions Architect, Splunk Certified Architect, and Palo Alto Networks Certified Network Security Engineer; and many more. “Investing in our people means to us that our team is constantly learning and keeping up their skills, and that translates to satisfied clients,” he said.
But that’s not where the differentiation ends. Coalfire offers services in five major areas: Cyber Risk Advisory, Cyber Security Compliance and Assessment, Secure Cloud, Technical Testing (Coalfire Labs), and their most rapidly growing service, Solutions Engineering. In addition, the company’s CoalfireOne℠ platform is an automated technical underpinning to their services offerings that allows customers to centrally manage security, risk, and compliance activities.
Still, the answer to “Why Coalfire?” when so many consultancies exist needed to be addressed more clearly. Kehoe explained that the company’s 25% year-on-year growth has been driven by their consultants’ expertise in and focus on cloud and cloud security. Their top clients include all the major cloud service providers and many smaller ones as well, with 7 out of the top 10 SaaS providers and 9 of the top 10 IaaS providers relying on Coalfire’s advice. “We have differentiated intellectual capital compared with other consultancies,” said Kehoe, “because we assess the cloud providers’ capabilities and test their technical fortitude daily.”
Another area of substantial growth for Coalfire is through their Solutions Engineering group. As applications have become the foundation upon which businesses operate, business leaders have started to realize that securely designed and implemented applications are critical. Coalfire’s engineers are helping customers build and assess software and diagnose and mitigate found vulnerabilities. From writing infrastructure-as-code to architecture reviews and continuous monitoring, Kehoe says they’re seeing more requests for expert engineering than ever before.
With so many cyber security advisors and consultants to choose from, it might seem like picking the right firm is near impossible. Capabilities overlap, and even the smallest firms will tout their experts’ skills and accomplishments. Coalfire’s huge team has the breadth to address everything from compliance audits to risk framework mapping to securely building the latest and greatest application, without the huge cost associated with larger consulting firms. At the same time, their consultants are afforded the opportunity to go deep on technical expertise, especially when it comes to cloud. Given how tied in Coalfire is to the cloud community, would-be customers may be hard pressed to find another advisory firm with equal abilities.
As budgets get tighter in the coming months, we at TAG Cyber see businesses having to make tough choices about their security programs. Compliance may (unfortunately) once again be the argument that wins dollars and cents. However, cyber security remains a top-line concern, especially as workers are more distributed than ever before and thus cyber risk takes on new meaning. A company like Coalfire that can address end-to-end security and compliance needs is an excellent choice for businesses that want best-of-breed without budget-breaking cost. Their annual growth is more than impressive, which speaks well to client satisfaction.