The U.S. presents opportunities for Canadian cyber security firms. So why aren't more of them approaching? Danny Bradbury finds out.
Whoever handles government relations at CGI Federal must be due a hefty bonus this year. The company won prime position on a new Blanket Purchase Agreement to provide cyber security diagnostic tools to the U.S. Department of Homeland Security (DHS). But it wasn't just a win for CGI Federal, a Fairfax, Va.-based information technology and business services provider – it was a win for business north of the border. The company's parent, CGI, is based in Montréal.
It isn't often that you hear about Canadian companies winning large federal government contracts in the U.S. for cyber security products and services. Why not, and is this something that can be rectified?
The Canadian cyber security sector is largely apathetic when it comes to the U.S. “It's not something we have much experience with,” says Joe Madge, head of government relations for Cistel, an IT and management consulting firm. He's bid on perhaps five contracts, he says. Cistel ranks among the top 10 security companies in the Branham300, a well-regarded list of technology companies in Canada.
Another is Toronto-based Visual Defence, which sells integrated security solutions. A project manager there told this reporter that the firm hasn't been able to bid on any U.S. government contracts.
“We don't do any business south of the border,” says Mike Blackwell, chief operating officer at the Graycon Group, an IT consulting firm also on Branham's top security firms list.
Cyber security is often a hard sell because companies are loath to invest in technology that doesn't deliver an immediate ROI. But, as the U.S. market is 10 times the size of Canada's, one would think that companies like these would be willing to spread the net as wide as possible. What gives?
“We have a finite size team and we don't have the cycles to take on that work,” says Curtis Nickel, CEO and founder of Canadian security integrator Contava. “Growth into the U.S. would just take our focus off of what we're doing here.” His company specializes in applying logical IT products to a physical security vertical, in areas such as access control and key management. That market is big enough north of the border, he says.
In spite of the geographical divide, at least one company in Canada finds it easier to sell into the U.S. market. Route1, based in Toronto, sells identity management and service delivery products for mobile enterprise users. The vast majority of its sales come from federal government contracts in the U.S., says CEO Tony Busseri.
“Our federal and provincial governments, along with a lot of corporate Canada, are at least five years behind what is going on with the U.S. federal government,” he complains.
He criticizes the Canadian government for being slow on the uptake with security technology, citing a contract that he won with U.S. Customs and Border Protection, which is now using his company's technology. However, even though Canada and the U.S. signed an agreement in February 2011, the Shared Vision for Perimeter Security and Economic Competitiveness, the Canadian Border Services Agency is still not using the technology, he says.
“The way the Canadian federal government procures now under this shared services model is, from my perspective, not as effective and not as transparent,” Busseri warns.
Contava's Nickel agrees about the transparency. “If they want you to be doing business with them, they facilitate an agreement that works for both parties,” he says of the Canadian government. “But they present that agreement as the barrier for the reason they can't do business with you. You first have to earn their trust.”
Whereas it is difficult to get in front of a suitable Canadian government official, the U.S. government presents an overwhelming array of touchpoints, says Busseri. There is, he says, an entrepreneurial ethos that encourages new talent and products, which can be shown to government officials at countless conferences and other events.
How do these companies sell into the U.S. market? One common model is via a GSA Schedule, which is an initiative run by the U.S. General Services Administration. In fact, 10 percent of federal government spending runs through this program. Being listed on a GSA Schedule means that a product or service is then available for purchase from various government agencies in the U.S.
“Initially, a lot of our work was through partners who were already approved to work with the U.S. government,” says Tyler Lessard, chief marketing officer at Toronto-based Fixmo, which sells mobile security, data protection and compliance products. “We worked with them to get onto their GSA Schedules.”
The company spent time establishing strong links to the U.S. CEO Rick Segal is a U.S. citizen with strong ties to the U.S. Air Force, and a former director of the NSA is chair of its board. None of this hurts, Lessard points out.
Still, the firm has to go through the same certification procedures as everyone else. For instance, the encryption capabilities of its product meant that it had to get FIPS certification – a process that takes between six and nine months on average. “Each vendor will be different depending on the products and what they're doing,” Lessard says, adding that companies wanting to tackle the U.S. market need personnel who understand those government processes.
Fixmo gained expertise in this area by creating a U.S. subsidiary, which Lessard says helped it to establish its own GSA Schedule. “We found that for our activities with federal defense agencies, having a U.S. subsidiary was an important aspect of that,” Lessard says. The company needed U.S. citizens with security clearance to do business for those organizations. Outside of those kinds of contacts, U.S. subsidiaries are not as important, he says.
This notion of having people on the ground is particularly important for companies selling into the services sector. Typically, Fixmo would rely on local partners or its own U.S. staff when services formed part of a U.S. government contract.
“It would be very rare for a U.S. federal agency to outsource service to a Canadian company,” he says. “But, buying product? Yes.”
GSA Schedules aren't the only way to sell into U.S. government departments. The U.S. Navy uses a Continuity of Services Contract, held with HP. Additionally, the U.S. Department of Homeland Security buys through a contract vehicle called First Source II, under which a selection of reseller and systems integration partners bid on contracts posted by the agency in what Busseri describes as a reverse auction.
Again, however, partnerships are an important part of this process. Partners with an existing inroad into government are invaluable, experts agree, as they can help a company to establish credibility – as can well-connected board members from U.S.-based venture capital firms.
Not that there's much U.S. government business to be done at the time of writing. Lessard called SC Magazine from the Gartner Symposium IT Expo in Orlando, Fla., in the middle of a government shutdown that had rolled into its second week – with no sign of resolving.
“Federal government is normally a very large presence here, and one reason we're here is to meet with them,” he says. “Unfortunately, many of them weren't able to make the trip. It's unfortunate, and it has ripples throughout the industry.”
For all the entrepreneurialism, the opportunities, the procurement lists and the partnerships, when the Capitol grinds to a halt, so do U.S. public sector purchasers. Canadian businesses have a great opportunity to sell into the U.S. government – but only when there is a government to sell to.