With only a 50-person team, partners Danny Timmins and Eugene Ng have led IT security provider NCI to $20 million in revenue, high customer retention rates, and numerous industry awards. The Mississauga, Ontario-based company focuses on architecting third-party solutions, cloud cybersecurity management services, and governance risk and compliancy services. Here is a look at how.
3 foundational members
Not long after Ryan Krukoski and Eugene Ng founded NCI in the late 2000s, the two began working with Timmins, who was providing networking and routing services. Combining forces to meet the growing demand in cybersecurity seemed a natural progression. Ng and Krukoski focused on service implementation, while Timmins oversaw the administration and business initiatives. Together they strategized the company direction over a beer and pizza. “We basically wrote a plan, like they talk about in books, on a paper napkin and decided this is what we’d like to do over the next five years,” Timmins says.
Timmins credits much of NCI’s success to his team, whose alignment with company values proves critical. “The importance of having not just talented people but good people in your business is key,” he says. “They don’t need to have the same skills and capabilities you have, but they have to have the same values that you have.”
NCI employs three distinctive teams within its organization: third-party solutions, cloud and managed cybersecurity services, and governance risk and compliancy services. Within those domains, the company provides offensive penetration testing, threat-risk assessments, and managed security services, including regular 24-7 maintenance. “A big part of our business is PCI compliance, to make sure that organizations are taking payment cards securely,” Ng says.
At the outset, NCI did not have a prospecting strategy or objective. “When we first started, I think we were just going out and knocking on as many doors as we could,” Timmins says. Eventually, the company found its footing with continuous wins in the public-safety community and municipality sectors. While bigger competitors targeted larger enterprises, NCI set its sights on a demographic getting passed by—the midmarket. “As we continue to focus on that market, we also are winning large enterprise business today because we’re bigger, we have a better name in the industry, and because of the good work we’ve done in the midmarket,” Timmins says.
“My goal within the organization today is twofold,” Timmins says. “Firstly, directing the business for the future, and secondly, to focus on the day-to-day operations. I’m trying to get us to a place where I can focus more of my time on strategy and growth.” In addition to his president and CEO responsibilities, Timmins also oversees the finance, sales, human resources (along with Ng), and services departments.
10 awards and counting
The work coming from NCI has not gone unnoticed. Company shelves boast numerous awards, including Profit 100/200 (three times), the Branham300 award (four years in a row), the CRN Top 25, the Top 250 Canadian Technology Companies, the Top 20 Movers & Shakers list in Canada (2011), and the Top 10 Canadian ICT Security Companies in Canada (2011). However, one award stands out for Timmins and Ng—the CRN award. “[It means that] customers speak about you highly—that your service is good, that you deliver a good cybersecurity service,” Timmins says. “I think we’re most proud of that award.”
Coming off of a restructuring in 2012, Timmins and Ng wanted to provide something unique and meaningful that would set NCI apart. They found their answer in 2013, when Ng used an industry-accepted framework to build a quantitative gap analysis to compare an organization’s current state to what is a recommended security strategy for all organizations. “We believe that the majority of organizations do not have a very good understanding of what their cybersecurity posture is,” Timmins says.
He and Ng want to change that. “We work through a worksheet with them and develop a dashboard to evaluate their high-risk areas and help them to determine rough cost and effort for implementations,” Ng says. While many large-scale enterprise organizations have conducted such exercises for some time, large to smaller organizations don’t have the security skill set or maturity to accommodate this. It was what the industry lacked.