By Rin-rin Yu / Photography by Rachel Smith
Maria Horton looks after her clients as if they were patients in a hospital — some are well visits, some are not so well. She peers into their systems and runs risk assessments of their technological health, helps protect their data in the cloud and prevents them from being attacked. Even her company’s methodologies are reminiscent of healthcare: one is named “Cure” and another is called “Get Well.”
That connection is far from random: Before she became founder and CEO of Virginia-based cybersecurity company EmeSec, Inc., Horton had professional training and experience as a nurse, handling crisis situations and prescribing preventative measures with calm and refined bedside manners. In fact, Horton’s career in cybersecurity began in the unlikely setting of a busy emergency-room ICU unit for the U.S. Navy. And though she traded her scrubs and stethoscope for a business suit and a desk years ago, she often finds the two disciplines intersecting.
“There is a natural alignment between the way I was educated and the way I perform today in cloud security engineering,” Horton says.
For example, much like healthcare, cybersecurity benefits from a look at the patient’s — or company’s — whole system. “It’s like hiring a nutritionist to improve your status as you’re moving into a new environment,” she says. “You wouldn’t necessarily just take the pill or the treatment. You need the holistic point of view.”
At first glance, Horton doesn’t appear like the cyber-minded strategist she is. Even with her serious rectangular glasses, she’s more like your friendly, smiley next-door neighbor with some interesting tidbits for discussion, whether about something she read in the news or on the neighborhood listserv. Reading is something she clearly does a lot to garner ideas — she reads not just articles but the advertisements next to them, just to see what the latest trends are, what companies are selling, why and how.
Horton is excited about the successes she’s had, but doesn’t dwell on their impressiveness. She has a lot of ideas and goals, and you can practically hear her brain whirring along as she talks about them.
“I like my job,” she quips, straightening her jacket. “Can you tell?”
From sutures to cyber
Horton is not the kind of person who settles — she’s always two steps ahead, strategizing and planning, whether it’s for her clients, her business, or for her own career. “I’m always thinking [about] what’s the next interesting thing that’s going to come off the horizon that I want to be engaged in and participate in the dialogue, and train my people to tackle and handle,” she says.
Back in the early ‘80s, Horton was studying at the Union Town Hospital School of Nursing in Union Town, PA. At the time, personal computers were just starting to appear on the consumer scene. However, sensing technology would be an integral part of all fields and of people’s everyday lives, she requested something no other nursing student had thought of before: She asked to take a computer course.
Horton’s curious, forward-thinking nature was evident even in the early days. When the school questioned why she would want to take a course unrelated to her studies, she replied frankly, “Because that’s what the next thing is going to be, right?”
Horton joined the Navy after finishing school, and became a skilled emergency room nurse with experience handling crisis situations and triage. Through her nursing career, she watched as technology surged its way into daily life and into the hospital setting. In 1997, she completed her master’s degree in nursing, with a thesis on telemedicine. Her research on this practice of providing healthcare remotely by use of IT and telecommunication was the first nationwide study of its kind. It was research, she says, that grounded her in understanding facts and creating reproducible results, a skill she’s applied in all her work.
It also marked her transition from pure nursing to healthcare-related IT, applying processes such as online appointments and prescription refills, digital imaging, and security and privacy. She moved up the ranks into the position of chief information officer of the National Naval Medical Center (now Walter Reed National Military Medical Center) and was promoted to a U.S. Navy commander.
She recalls how 9/11 occurred so close to home with the Pentagon nearby, introducing terrorism as a real threat to the U.S. Simultaneously, the challenges of compliance with the Health Insurance Portability and Accountability Act (HIPAA) began to shape up. HIPAA establishes national standards for the protection of medical records. “From those experiences, I knew that privacy and security would be fundamental to everything we do in the future,” she says.
In 2003, after 20 years in the Navy, she retired and decided to start EmeSec.“I took my retirement check and I basically said: ‘Ah. I’m going to start a company.’”
EmeSec was born out of a combination of Horton’s expertise in privacy and technology, her decision to enter a field at a time when “nobody talked about cybersecurity,” and her concern as a mother of three about how her children’s information would be protected. She incorporated EmeSec in March of 2003 and won her first contract that July.
At first, Horton worked with a few consultants and placed everyone on 1099 contracts. “I wasn’t sure in the first full year that I would create enough revenue to be able to employ anyone,” she says. But growth was steady immediately. On New Year’s Day 2005, she brought herself and several others on as full-time employees. By 2006, EmeSec had exceeded $2 million in revenue, making it what Horton considers her first banner year.
Today, EmeSec is making about $7 million and boasts more than 30 employees in two offices in Reston and Chantilly. It has won certification as a woman-owned and service-disabled veteran-owned small business, and its clients are about 90 percent government and 10 percent commercial, with the commercial area growing actively.
An evolving space
As demand for cloud security grows, the government has developed a set of regulations for cloud service providers. EmeSec is one of just a handful of third-party assessment organizations designated to help cloud service providers apply for accreditation with FedRAMP (Federal Risk and Authorization Management Program), a government program that standardizes cloud security, products and services. EmeSec also provides cyber risk management, business management services as they relate to cybersecurity, and regulatory compliance services. EmeSec’s strong background in FedRAMP gives it an upper hand when it comes to understanding what other companies need to be compliant, Horton says.
But while Horton says she loves working as a government contractor, the reality is that much of the cloud-space work is moving in the commercial direction, which explains the recent growth in EmeSec’s commercial clientele. “We want to make sure we can support our government clients where it makes sense operationally from the cloud, but support our commercial clients in the cloud space,” she says. “That’s the frontier, figuring out what’s going to be next and how it’s going to be employed.”
Horton is thinking beyond the latest apps, the self-driving cars, the connectivity of kitchens and automated medical devices. She regularly reads outside her field and borrows concepts from the financial markets, investments and venture capitalists. She’s fascinated by futurists, and by behavioral analysis. “When you marry up technology and people, you not only look at behavior from how they perform, but how you can goad them to perform.”
It’s not easy, Horton points out, to be one of more than 425 companies that claim to do cyber in Northern Virginia alone. The key is to stand out and find a niche. EmeSec’s niche, Horton says, lies in cloud security using international standards, which means keeping up with constantly shifting technology and threats.
“We’re looking at it very differently,” Horton says of the cyber landscape. “Many people are offering the same services. [People] still think cloud and cybersecurity are the same things as IT implementation and integration from 20 years ago. They’re not thinking how new systems are operating. Some cyber companies are taking a purely technical point of view when they need to take a business point of view.”
With the stiff competition in the industry, clients have their pick of pricing and efficiency, which means EmeSec has to work constantly to remain competitive. Horton’s goal for 2016 is to see “what else we can offer to make cloud and cybersecurity more efficient and effective,” perhaps through automation in some areas.
Horton also sees EmeSec further nestling into the niche of small- and medium-sized companies who may not be able to afford good advice in the regulatory space. She believes those kinds of companies are a growing part of the cybersecurity conversation that can no longer be ignored. For example, just because a company is small doesn’t mean its cyber protection has to be smaller than that of a larger entity. A small company may not have the same amount of budget and human resources to fix a problem that may occur or to build a defense system. Yet a large part of protecting small and medium-sized companies has to do with employee education and training on a number of issues, from recognizing phishing emails to establishing a crisis plan.
Horton understands that EmeSec takes on part of a small company’s risk when it enters into a contract to protect its information and data. But realistically, just as there are no magic solutions to solve all the world’s problems, companies “don’t need the 100-percent solution. They need the 80-percent solution that protects the biggest risk. Then go to the next 80-percent solution,” she says, noting that nothing is 100 percent risk-free. “I think we forget that sometimes. Everybody wants a silver bullet.” But even big companies suffer breaches, all the time, despite all the attention, money and resources dedicated to protecting their networks.
For example, health insurer Anthem was breached in 2015, with nearly 80 million records exposed, including the CEO’s. Sony Pictures suffered a high-profile attack the same year, in which thousands of emails and other sensitive information were released. Even the government is vulnerable, with an attack on the Office of Personnel Management compromising millions of records last summer.
Being transparent to clients, to the industry and to employees, is important to thriving in a competitive space like cybersecurity, Horton believes. EmeSec has to be feisty, nimble, sharp, and constantly building on its experiences and changes to the industry. “As a small-business owner, you’re really the last rugged individualist sometimes,” Horton says.
Horton has learned a lot along the way, particularly in client management. As an example, she relates the story of a client company that had conducted its own risk assessment, but wanted EmeSec to do another. “I completed the report and pointed out they had some holes in what they thought was a really good assessment,” she says. “It didn’t occur to me that I was hurting the client because they wanted me to be their cheerleader. And all of a sudden, I went, ‘Oh! They wanted me to bless their risk assessment.’” In the end, the company asked her to help improve the areas she found weak. Now, she says, she’ll set expectations up front and make sure she understands what the clients want to accomplish.
Horton expects 2016 to be a year of changes, at least in EmeSec’s shift toward commercial clientele. Currently, EmeSec uses a methodology called “Cure” to help companies resolve and mitigate risk. Horton anticipates extending that service and supporting the teams, particularly at smaller companies, who don’t have every resource in-house to manage their own cloud support and security.
Another service is cyber enablement, which helps companies link together results and solutions so they can engineer, design and fit the pieces together to move forward in the Internet of Things. EmeSec also assesses the virtual and physical space for clients who are moving from one location to another, and helps reduce risk and liability.
Then there’s EmeSec’s “Get Well” methodology, which helps companies looking to improve their cybersecurity status before a breach could even occur. They are the proactive ones, making sure they’re not liable to government, to other companies or to customers for potential data breaches, and prioritizing their risk mitigation and resolution. Get Well is for those who “put themselves in the best possible light,” says Horton, who “want to keep their customers for a long time.”
With a view to the future, EmeSec also has been actively marketing itself and working with partners on proposals. Horton blogs regularly, attends conferences, and speaks often about her lessons learned as a small-business owner.
Although 2016 is just getting started, Horton is confident it will be a banner year. And as cybersecurity keeps moving forward, she believes EmeSec will move along with it. To her, success is purely measured by her enthusiasm. “There are so many exciting things in technology. … You can’t go backwards. You have to
Rin-rin Yu is a freelance writer based in Washington, DC. Contact us at firstname.lastname@example.org.
SECURING A NEW BRAND
EmeSec’s original brand was focused on the field of information service and engineering. But as the company saw cloud-first and mobile strategies emerge, it began shifting its own services toward consulting on those areas.
“‘Old EmeSec’ wasn’t wrong, but didn’t necessarily reflect the promise and changes of cloud, privacy and the new company reputation we wanted to communicate,” says Horton.
EmeSec decided it was time to undergo a brand transformation. It needed to both refresh its image and illustrate its focus on dynamic, cutting-edge technologies. EmeSec worked with an outside firm, but used its own in-house team to generate ideas, frame messaging and shape its image. Horton believes that mixing outside experts with in-house knowledge ensured the most accurate representation of the company’s ideas and vision, which “also helps capture the interest of the market immediately.”
EmeSec launched a new website and logo last year, which features the company name nestled within a cloud. The rebrand, Horton says, has been paying off. EmeSec received immediate recognition from its existing clients and from the industry at large, and the new brand helps the company “communicate our cloud expertise directly and unequivocally.”
CONNECTIVITY AND THREATS
EmeSec focuses on cloud security, particularly as the interconnectivity and growth in the Internet of Things (IoT) create more vulnerability and weak spots in network systems. Home thermostats can be run by smartphone apps, as can keyless cars, swimming pool equipment, medical devices and music speakers. Bathrooms can be operated by keypad. Self-driving cars communicate with a variety of factors to operate safely. Entire company websites and businesses are hosted from cloud servers that store sensitive personal and business information.
But the IoT doesn’t just affect the things — it affects the way people work and go about their daily lives. With the cloud, more and more people work outside the office — at home, from a coffee shop, from an airplane, from the beach. They conduct video conferences and upload large files into the cloud, to be downloaded on the other end.
This trend can be unnerving when businesses try to unravel the complexity of the web and the relationships it creates. For that reason, companies like EmeSec are in high demand to protect businesses, their customers and third-party vendors from vulnerabilities.
“Imagine how scary it is for my customers when they don’t have somebody they trust to provide them real pragmatic, high-value answers,” Horton says. “There are a lot of high-end, small and medium-sized companies in the NOVA area that cannot afford to get good advice in the regulatory space. I think that’s our real niche play, because cyber liability is everywhere.”
THE BOOK OF HORTON
Maria Horton doesn’t view her career as one linear path. Rather, she thinks of life as a series of chapters, where she has already completed the childhood chapter and the nursing chapter, and is in the midst of the entrepreneur/cybersecurity chapter.
Each chapter is shaped by a series of challenges, and the various paths she takes to overcome them and move forward to the next one. It’s a personal philosophy, she says. “My entire life has been: Can I meet my full potential?”
As a nurse, she saw a clear path towards technology, and knew that the only way to boost her own career was to leave nursing. Doing so, she says, gave her “a multitude of choices” as well as a strong foundation in IT. After retiring from the Navy, the natural transition was to create EmeSec.
The entrepreneurial chapter is probably the most freeform part of Horton’s life so far. She compares being an entrepreneur to being a mountain climber. “You are taking a risk, and you’re making judgments. It’s exhilarating and risky, and you’re learning things along the way.”
When Horton thinks about the next chapter, she considers the prospect of being a mentor and a sounding board for others who are growing their own companies. She thinks about working with a nonprofit. “I’m not, by any means, the most successful,” she says. “But I have been very fortunate to move laterally and horizontally, and at the same time [be] climbing and finding new life experiences. I find that’s really important.”