Trace3 CISO Says 2023 Security Sales On Track To Hit $1B

‘We started out as a small player in the security business to a major contender,’ says Bryan Kissinger, SVP of security solutions and CISO at Trace3. ‘Now we compete with PwC, Deloitte, Accenture and other large security consulting firms. We are competing against them, we’re winning against them and I think you’re only going to see us become bigger and more competitive.’

Solution provider Trace3 is in “hyper growth” mode, grabbing market share and continuing to expand its geographical footprint. In fact, the company expects to see $1 billion in security revenue by the end of this year.

“We’ll probably be a $2.5 billion dollar company this year overall,” Bryan Kissinger, SVP of security solutions and CISO at Irvine, Calif.-based Trace3, told CRN.

Last year, Trace3, No. 36 on CRN’s 2022 Solutions Provider 500 list, generated $530 million in security revenue, he said. In the last three years, security revenue has grown more than 50 percent year over year.

“We started out as a small player in the security business to a major contender,” he said. “Now we compete with PwC, Deloitte, Accenture and other large security consulting firms. We are competing against them, we’re winning against them and I think you’re only going to see us become bigger and more competitive.”

He believes Trace3 stands out from the competition in many ways, including its “elite” engineering talent and link to innovation and emerging technology.

“Those firms I don’t really feel like are as connected to the venture capital world as we are,” he said. “We’re sort of famous for bringing new and interesting emerging technology to market. What we always tell our customers is give us a complex hard problem that you’re trying to solve with technology and let us figure it out for you. I think that’s a real differentiator for us.

“We want the hard problems that are unsolved,” he added. “Let us use innovation, emerging technology and our elite engineering talent to solve it for you.”

In April, Trace3 acquired Houston-based Set Solutions, which will allow the combined company to deepen cybersecurity capabilities, in turn driving greater success for commercial and enterprise clients.

“We’re looking to do one to two acquisitions a year, and I would expect one of those to be a security company and another one maybe to be a data or a cloud company,” Kissinger said.

CRN spoke exclusively with Kissinger about the hyper growth in their security business, challenges they face and what’s to come for Trace3.

I want to talk about the recent acquisition of Set Solutions and how it will help deepen Trace3’s cybersecurity capabilities. Can you double down on that?

There’s a lot of complementary solutions that we’re picking up. We have a pretty broad set of security capabilities at Trace3, and Set Solutions actually adds to that bench and that capability especially around offensive security, infrastructure security, cloud security, governance, risk and compliance. They’re helping us to deepen our bench in those areas, and we’re going to complement them in their market by providing some solutions that they’ve not really been as deep in as we have over the years. So it’s a really nice group of synergies.

When it comes to cybersecurity, what is your customers’ biggest ask? What is their biggest challenge?

Number one, they don’t want to just be sold something. They want a partner who’s going to help them mature their cybersecurity program and technology environment. In some cases, they’re looking to us to help them rationalize their technology architecture. Everybody this year, especially with the macroeconomic climate, is looking to save money, reduce complexity and reduce administrative overhead. So we’ve really been focusing on how do we help them do that with newer, more capable technology that actually eliminates some costs and some overhead in their environment.

At Trace3, we always play the long game. We’re not out there to do a transaction with a customer, like anyone can sell you a firewall. That’s not the business that we want to be in or are in. We’d rather understand your long-term business and technology goals, be a partner for the ride and help you get there. Hopefully we can make your technology environment more secure. If your objective is to reduce risk, which everyone’s is, and control costs we can help you do that. We’re not here with a vacuum cleaner that we want you to buy from us.

When it comes to cybersecurity, what do you want more of from your vendor partners?

I think what makes a good partner, and I actually get this question a lot as I’m on partner advisory boards, it’s really going to market together and understanding how Trace3 and the partner is that value add for our customers. We have a lot of great partners that understand that message and they truly are embedded with us and our customers to make their environment less risky and more efficient. The partnerships that are less successful are the ones where they just try to give us a quota and they want us to go out and push their solution. Trace3’s strength in the market is that we’re objective, and we really want to bring the right partner the right solution depending on the business outcome our customer is trying to get.

As SVP and CISO, what is your biggest challenge?

We have a very dynamic workforce, it’s almost 100 percent remote. We have a lot of personally-owned devices since we’re all over the country, and all over the world as we’re traveling. As the internal CISO, it’s really providing the functionality and access that every one of our teammates needs but doing it in a secure way. That’s always a continuum for any security leader. If you want everything to be secure, just unplug everything from the wall and don’t let anybody connect anything, but you’re not going to be very efficient or successful. So it’s somewhere between that and creating wide open wild, wild west functionality is where you always try and operate. I think that’s really the art form of being a good security leader, is how you manage functionality against security.

You mentioned compliance earlier. Are customers really receptive to compliance and cyber insurance?

You know, in a lot of ways they have to be. We work with a lot of regulated customers whether they’re in the healthcare industry or the financial services industry. It’s not really a choice of, ‘Well, I don’t know if I want to be compliant or not,’ or, ‘I don’t know if I want to have cyber insurance or not.’ It’s more of a must have or a must do these days. At Trace3 we have cyber insurance as almost all companies do today and we’re actually undertaking some compliance actions voluntarily to get some third-party attestations around our security program. Almost all of our customers are on some sort of compliance and regulatory journey and a part of that effort is having a comprehensive cyber insurance policy.

What cyber trends are you watching in the market right now?

Phishing continues to be the number one threat vector. We’re actually seeing a lot of smishing which is the text-based attacks. They’re impossible to prevent because you can’t obviously block somebody from sending a text to your phone. Once it comes in, you can block them and report them as junk but if they’re coming in from a new phone number, it’s going to come in. We’re almost seeing weekly fake texts, supposedly being our CEO or some other C-level executive, asking somebody to give them a call or to go buy gift cards or do something like that. So phishing and smishing are certainly the highest attack vectors. While most of us don’t fall for it, they only need a small percentage of people to fall for it to make it profitable.

Going away from the social engineering, it’s cloud security. Most of our companies and customers are in the cloud or are moving rapidly to the cloud. So it’s how are you protecting applications and data and things that are happening in cloud environments, because that’s a very different technology to manage than an on-premise data center legacy type of environment.

In terms of security solutions, what can we expect to see from Trace3?

You can expect to see our continued growth and breadth of capabilities. We’ve grown from about $100 million in revenue a few years ago to over $500 million last year, and we’re expected to do about a billion or more in security business revenue this year. So we are really doubling down on our security business. In fact, security is now our number one business area within the company. I can expect in a few years you might think of Trace3 as a security solutions business. What we used to be known for is an infrastructure reseller, but you’re going to start to know Trace3 as a security solutions provider whether that’s professional services, advisory services or products or solutions. We’re going to keep acquiring companies, the acquisition of Set Solutions really solidified our presence in the Texas market. We’re looking to do one to two acquisitions a year, and I would expect one of those to be a security company and another one maybe to be a data or a cloud company.

We’re really focusing on the business areas that are big growth for our customers, and we want to mimic that with the way that we’re positioning our business.