For two decades, Matt Holland operated in a secret world: first for the Communications Security Establishment, Canada’s cyberspy agency, then building a startup that sold software to the country and its intelligence allies. His specialty was writing code for “offensive security missions,” which he describes cryptically as “breaking into an organization’s IT system on some scale.”
In 2018, defence giant L3 Technologies bought Mr. Holland’s self-funded Linchpin Labs and an affiliate for US$200-million. It left him rich but unknown outside his clandestine sector.
Now Mr. Holland has a new mission: protecting small businesses against ransomware gangs and other purveyors of costly, increasingly pervasive cybercrimes. Over the past six years, he and co-founder Andrew Loschmann have built Ottawa’s Field Effect Software Inc. into a fast-growing cybersecurity contender.
On Tuesday, the company is set to announce it has raised US$30-million, its first outside funding, led by Princeton, N.J.-based growth equity firm Edison Partners. It’s a sign of validation in an era when startups are struggling to raise money.
Field Effect currently has 175 employees, roughly US$20-million in revenue, and hundreds of small and medium-sized clients who use its Covalence software to protect themselves digitally and its Cyber Range program to train workers on cyber dos and don’ts. Mr. Holland has spent tens of millions personally to bankroll the company.
Telus Corp. (T-T) promotes Field Effect to clients of its managed security services business through a channel partnership deal; it’s the top-selling production in the Telus unit with 100-plus takers, said Carey Frey, the telco’s chief security officer.
“We’ve put it into businesses and it detected ransomware they didn’t know was there within minutes,” Mr. Frey said.
Field Effect has relied on word of mouth, channel partners and spending a miserly 10 per cent of revenues on marketing. Self-promotion doesn’t come naturally to the founders.
“It’s certainly a contrast from the first half of our careers where you did everything you could not to speak about what you’re doing,” said Mr. Loschmann, the chief operating officer, who worked at CSE and Linchpin. Asked for a pithy “elevator pitch,” Mr. Holland instead provided a rambling description of the product, company and vision: “I’m not very good at this,” he admitted.
Cybersecurity is a red-hot career choice – why aren’t more women working in this space?
It’s something they’ll have to fix to compete with industry giants and expand in the United States, which accounts for 25 per cent of Field Effect revenue. In addition to the funding it has raised, Field Effect is looking to tap Edison’s network of sales and marketing experts to build its promotional muscle. Mr. Holland “came to market with an understanding of what he wanted from a partner in addition to capital,” Edison general partner Lenard Marcus said. U.S. expansion “will be a big part of our plans.”
Mr. Holland got into cyberespionage after a work term at CSE in 1999 while studying computer science at University of New Brunswick. The Prince Edward Island native returned in 2000, joining CSE’s Tailored Access Operations group. He became one of the best in the trade at understanding operating systems, how to defend and exploit them, ex-colleague Shane Parrish said: “We did the same thing; he was just way better at it. It’s like saying you played hockey with Wayne Gretzky.”
Then came the Sept. 11 attacks. TAO’s profile within CSE swelled, and Mr. Holland barely looked up from his work for years. Ex-CSE head John Adams once told The Globe and Mail: “We’ve got some bright young kids” in computer network operations “where they can literally go out and target the world.”
Mr. Holland was motivated by the mission but grew frustrated by the bureaucracy. He left in 2007 to start Linchpin, recruiting ex-colleagues to build software for Canada and its “Five Eyes” intelligence-sharing allies – the U.S., Britain, Australia and New Zealand – to run cyberintelligence ops. Field Effect spun out of Linchpin in 2016 and Mr. Holland joined full-time a year after the sale, determined to build another company to tackle a big problem.
Cyberattacks have only grown in scope and scale during the pandemic. There were three times as many ransomware attacks against U.S. organizations in 2021 as in 2020. More than half of Canadian IT decision makers surveyed by Angus Reid in 2020 said their organization had sustained an attack. Recent victims include hospitals, governments at all levels, and corporate giants.
Mr. Holland has a dim view of cybersecurity vendors fighting the onslaught. He feels many overpromise and offer limited, complex solutions that IT experts at large companies must cobble together and manage. That leaves few options for small companies with limited IT staff and budgets.
So Field Effect set out to create an all-encompassing, affordable and simple product for small businesses offering the kind of protection large companies get. Covalence combines a range of internally built capabilities for monitoring a client’s network, computing devices, connected sensors and cloud operations.
“It’s unbelievably simple to deploy,” said Mathew Irwin, a partner with early client Welch LLP, an Ottawa accounting firm. “Their user reports are friendly for us lame accountants who don’t know anything about their world.”
Field Effect staff and computers constantly monitor clients, and pro-actively send out messages, including basic instructions, when they detect problems.
“It’s like having a team of ninjas always there helping you,” Mr. Holland said. Many are intelligence veterans including Erik Egsgard, who uncovered seven “zero day” vulnerabilities in Microsoft Windows in 2021 that could expose users to cyberattacks, which the software giant promptly fixed.
The company rarely loses a customer, but winning new ones is a challenge. Marketing to small businesses is notoriously tough, more so in cybersecurity, where “everybody fully acknowledges the extent” of the problem “but getting people to be pro-active about it continues to be a challenge,” said Jeff Bender, chief executive officer with Harris Computer, which sells Field Effect to clients.
Building awareness will take Mr. Holland out of his comfort zone; he’d prefer to win clients with a better product. But he knows that to stand out, he’ll have to do what his rivals routinely do: crank out press releases, publish white papers, sponsor analyst reports and conferences, and so on.
Marketing “is a big push from here on,” he said. “Our biggest challenge is building a brand.”