Company conducts ‘global warfare’ against invisible cyber threats

Tinted glass in the front door. A sign-less facade. Steel beams hidden in walls to ward off vehicle attacks. Computers stacked to the ceiling in an old bank vault. Military veterans capable of breaking into buildings—with their hands and with computers—who bark “Yes, sir” to requests.

Nothing about the obscure downtown headquarters of Rook Security Inc. is normal. Except, that is, its obsession with computer security.

Workers at Rook Security’s operations center watch for hackers and other cyber criminals. (IBJ photo/Eric Learned)

Corporate chief executives, shaken to their cores by fears of hackers, are enlisting Rook and an explosion of companies like it to monitor and chase cyber criminals across international borders and in some cases recover stolen intellectual property.

Founded and owned by Lafayette native J.J. Thompson, Rook has seen revenue double each of the past three years—growth that has boosted employment to 31.

“If we’re not the size of Interactive Intelligence in five years,” Thompson said about the publicly traded company of almost 2,000 employees, “then it’s because I let my team down.”

Founded in 2008, the firm is among a growing contingent of cyber-security startups challenging such mainstream names as Symantec and McAfee.

What’s driving the trend? The hackers are winning.

Thompson

The increasingly digital world has created more data for cyber criminals to steal or attack. And the hackers—once seen as little more than pranksters—have evolved into organized criminals, said Frank Dickson, a principal for the network security group at research firm Frost & Sullivan.

“We used to have viruses, and viruses were things that people would create to wreak havoc, and it was, ‘Ha ha, look at me. I made you look bad,’” Dickson said. “Then we got into this visibility thing, where you’d take over a website, or post a phony message that said, ‘Free my country’ or, ‘Don’t eat meat.’”

“In the last couple years, things have changed. It’s about organized crime.”

High-profile security issues such as Target Corp.’s breach of millions of customers’ information in late 2013 have fueled a frenzy in the past couple of years.

Fast growth

Security technology is forecast to grow to an $86 billion business worldwide by 2016 from an estimated $67.2 billion in 2013, according to a June report by Gartner Research.

“The landscape is so rapidly changing, and there is such an unmet need out there, that there is definitely space for a company like Rook,” said Scott Shackelford, a senior fellow at the Center for Applied Cybersecurity Research at Indiana University.

Thompson noticed an uptick in business after cyber-security firm Mandiant in February 2013 grabbed national attention with a report proving that a Chinese cyber-espionage group was stealing information from U.S. companies and government agencies.

Headlines of similar problems continued to hold the general public’s attention, causing CEOs and board directors to start listening to what their IT and security departments had told them for years, said Dickson, of Frost & Sullivan. They needed to invest more in security.

A big part of the reason behind the lag, he theorized, was that the security people did not speak in terms others would understand.

“One of the fundamental issues we have with security is, when people are marketing security tools, they are focusing on threats—this is bad, this is bad, this is bad,” he said. “… CEOs don’t make [decisions] based on threats. They make them based on return of investments.”

Thompson pushed Rook’s biggest strength as its ability to bridge the gap by describing security needs in terms everyone at a company will understand.

Even if those needs aren’t what a potential client wants to hear.

Thompson said too many corporate executives thought their IT staffs were exaggerating the problem because they were requesting millions of dollars in upgrades.

“That all sounded like the sky was falling to these boards,” he said, “so they didn’t continue investing in it.”

Small, but mighty

Rook by no means is in league with the major Silicon Valley corporations. But it is growing quickly.

The company finished 2013 with $3.9 million in revenue, up from $1.4 million in 2012, and $600,000 in 2011, Thompson said.

The growth has meant staffing up—especially after switching to a 24/7 operation.

Fifteen people will start in the next two weeks, lifting employment to about 45. Thompson shied away from projecting head count at the end of the year, but said the number could reach as high as 75 if sales keep pace.

Several of the workers are former military.

During Thompson’s interview with IBJ, he occasionally broke from his conversation to call out an order to employees, who always responded with a quick, “Yes, sir!”

Rook needs the military attitude because of its stringent protocol, extreme pressure and need for quick action, Thompson said, since Rook is fighting “global warfare.”

The firm is amid renovations that will more than quadruple its existing 1,500 square feet.

Intentionally easy to miss, the business is tucked in the back of a low-profile office building. Guests have to bang on the glass for someone to let them in.

Once in, visitors are greeted by workers, and by an array of standard tech office fare—open spaces, a basketball hoop, beer in the break room.

In the center of the office, a computer bank faces three massive monitors covering most of a wall, where staff keep watch over their clients’ networks and look for vulnerabilities, data breaches or any other complications.

An old bank, which has an intentionally vague façade, houses Rook Security’s state-of-the-art setup. The firm is in the process of more than quadrupling its space. (IBJ photo/Eric Learned)

In an adjoining room, the masked vigilante V from the movie “V for Vendetta” watches over the office. The posters are actually for Anonymous, the collection of hacker-activist groups that uses the graphic novel and movie character as its chief mascot.

In the deepest corner of the office, the bank vault is wired to the ceiling with state-of-the-art computers and monitoring equipment. The room houses the “threat intelligence” team—the group that watches and tracks down cyber criminals who go after Rook clients.

Back from the brink

Thompson’s optimism is a far cry from what it was a few years ago, when Rook was on the verge of bankruptcy.

The company began in San Jose, Calif., where Thompson had moved for a job at another security startup.

“You love tech? Go where the tech mecca is. So I did,” he said.

He left a year later to start his own business. That included canceling a $700-per-month lease on his SUV and swapping it for a cheaper vehicle to free up cash to pay the bills.

“My competition is showing up in 7 Series Bimmers to take executives out to lunch,” he reminisced, “and I show up in this junky Jeep.”

In California, Rook grew to almost 20 employees. But Thompson decided in early 2009 to move the business back to his home state so he could be closer to family.

It wasn’t a smart move, business-wise, considering most of his clients were on the West Coast. Rook lost the accounts.

“It got down to just me,” he said. “It was a bad time.”

By sheer luck, Thompson said, a Silicon Valley friend was helping organize a cyber-security conference in Indianapolis in 2009. Thompson talked his friend into giving him a speaker’s spot.

The presentation caught the attention of an executive at the global advertising and marketing conglomerate Omnicom Group.

Darrin Reynolds, Omnicom’s chief privacy officer, said the company was finding most of the major security services too boilerplate to address the multinational corporation’s complex needs.

He had posed the same technical question—about addressing vulnerabilities in the global network—to several cyber-security companies in a row before he heard Thompson’s speech.

“I gave everybody a shot to solve it, and nobody could,” Reynolds said.

So he met with Thompson and posed the same dilemma.

“He was thoughtful, said, ‘I’ll get back to you,’” Reynolds said about the meeting. “… We later met and discussed. It was like the veils falling from in front of my face.”

Rook solved Omnicom’s problem and snagged a contract with one of the largest corporations in the country.

Since then, Rook has focused on Fortune 1,000 companies, with little concentration on tailoring services to specific industries.

“Protecting data is protecting data,” Thompson said.

The company doesn’t disclose other clients because of confidentiality agreements. But some rank among the 25 largest law firms, the five largest consumer packaged goods businesses, and three largest firewall companies.

Thompson described his firm’s lack of focus on serving a specific industry as “an absolute disadvantage.”

“But we’re doubling our revenue every year.”

Cyber sleuths

Rook rarely hunts down a hacker, Thompson acknowledged, because the process is expensive. But when necessary—as when a company faces a massive loss if it doesn’t recover its data, something like intellectual property—Rook has a “threat intelligence team” of a half-dozen who digitally chase hackers across the globe, depending on how far clients want Rook to follow the pursuit.

Usually, Rook simply stops hackers at the digital door.

The malware and other tactics used by cyber criminals leave enough traces that the company can sniff out who was trying to get into a customer’s system, Thompson said.

“Did they rattle the windows before they broke the window, or did they just break the window?” he used as an analogy. “It’s like a serial killer. People have the same M.O.”

On top of monitoring computers, Rook tests physical vulnerabilities at a business.

One reason Rook hires a lot of ex-military people, Thompson said, is because he needs workers who know how to break into a brick-and-mortar building.

“In the real world, if someone wants to gain access to a facility and steal something, physical or data, they’re not going to play by the rules,” he said.•