Henderson knows inherently that his people are a huge asset, and works to educate them not solely on security, but about the business they work for. He will step down in January as CEO, but will remain as CFO. Current President and CTO John McNeely ill take over as CEO. Henderson recently spent some time with Senior Editor Jennifer Bosavage to discuss growing sales, motivating employees and trends in the security market.

VARBusiness: You saw excellent growth from roughly $26 million in 2005 to almost $39 million in 2006. What do you think was the main impetus for that growth?

Henderson: The main reason was our business in federal product contracts. We have the NASA SEWP [Solutions for Enterprise-Wide Procurement], which helped a lot. Last year, only 17 companies had that contract. That's a five-year contract that gave us a lot of opportunity. We had growth in other areas too. Both consulting and product sales have had good growth. Fast growth is not really our goal -- our goal is steady and profitable growth. We want to grow mostly locally and internally. If we do steady profitable growth, then, when opportunities come, we will be able to take advantage of them.

VARBusiness: So your philosophy is, more or less, that slow and steady wins the race?

Henderson: We always focus on there being profit on what we do in a controllable fashion. We have 27 employees. And we don't outsource anything. We are a small business; we closely control what we do. We're not against outsourcing, but it's not appropriate for what we do. Temps are ok for unusual surges. But usually our temps become full-time employees. Because we're only 27 employees, every person has to make an important contribution. The smarter people we hire the better we'll do. We try to get good people that are flexible to change. Our procedures need to be able change frequently.

We may be a little contrarian, yes. But we have a steady management philosophy. There is nothing wrong with an entrepreneurial company that starts up -- I have done that before and don't want to do it again. I want to build a company that will stay, and jobs that will stay. We are also in the process of becoming an employee-owned company. It's a long process; we started it about a year and a half ago. We plan to become 5 percent to 10 percent employee owned in 2008. That's our philosophy.

VARBusiness: Not many companies embrace employee ownership.

Henderson: It's not a predominant way to build a company. But some employee-owned companies are very good companies.

It's motivational to offer employees ownership and to enjoy what you do. The more employees understand the whole picture, the more they enjoy what they do. Employees are always going to make assumptions about profitability -- that are always going to be wrong. Employee ownership eliminates wrong assumptions. Why not educate them on the facts? There's an element of altruism, I suppose, but there is common sense in it. Yet, even while you are showing [employee ownership] is profitable, there are just some who can't stand to share ownership.

NEXT: The ever-changing security landscape VARBusiness: What are the greatest challenges within security today?

Henderson: The continuous new ways hackers think of to cause problems. A lot of it is not technical. Businesses are still not doing the basics they should be and that were identified five years ago. Beyond that, there are new challenges on a continuing basis.

There are a lot of challenges that relate to maintaining our business and continuing our business in the industry. There's a lot of M&A going on, which means we are competing with larger entities with a lot more resources. There are also challenges as far as new technologies; you have to keep up so you can advise clients. And, to some extent, every small and midsize business faces training new employees and maintaining control of finances.

VARBusiness: How do you engage a company that may not fully understand the importance of security audits, etc.?

Henderson: Some customers have low expectations: Some know they have compliance issues and think that they'll be fixed by doing a security audit, but even after the audit, they still don't fix things. We look at telling people what they need, but then it's up to the people. A lot of it is that these companies have limited resources to operate. For them, operating on a daily basis is more important than improving security. But it's evolving: Large companies did things five years ago that midsize ones are now looking at, like information risk management.

Information risk management, is a process in which instead of saying, "We need firewall," a company looks at its information system and analyzes risk overall. You have data, some sensitive, some not so. Let's apply money where the risky stuff is, like social security numbers, health records, and so on. It's a process of looking at risk, and looking at how to protect the very sensitive stuff. It's a systematic approach. Looking more broadly at systems rather than saying we need to protect everything at the same level. Compliance regulation has driven this to a large extent. Banking regulations, health regulations [to a lesser extent] and payment card regulations are forcing companies to improve what they are doing on security front.

VARBusiness: What is the outlook for the next 12 months? What are the hot spots in the industry?

Henderson: We see continuous growth for vulnerability testing, but I there is a trend toward more encryption of data at risk and data in transition. Data loss prevention (DLP) is a really growing area that only a few vendors have solutions for. Data portability is a big issue: How do you control your data. Often, unintentional problems are created by people just trying to do their jobs. Sending data via email without encrypting it, for example. People within your company are trying to do their jobs efficiently, but they often put data at risk. It's a huge problem that's going to get bigger and bigger. More solutions are needed.

There is definitely no lack of opportunity in security. There may sometimes be a lack of solutions -- or of funds to pay for those solutions -- but never a lack of opportunity.