[T]he Essex Junction start-up NuHarbor has only been around since 2014, but it already has 40 employees and national clients including the U.S. Department of Energy and American Airlines. Entrepreneur magazine this month listed NuHarbor among its 360 “Most Entrepreneurial Companies in America.”
NuHarbor, which provides cybersecurity services, was started by programmer Justin Fimlaid, 39, who grew up on his family’s 150-acre cattle farm on the New Hampshire seacoast and played semi-pro soccer before studying accounting and programming at the University of New Hampshire. His wife Kelly’s PhD program at the University of Vermont brought the couple to Vermont, where Fimlaid worked in security compliance risk management, e-discovery forensics and fraud prevention at Keurig Green Mountain in Waterbury until 2014, when he left to start NuHarbor on his own.
NuHarbor is the only Vermont company on the 2019 Entrepreneur list, which seeks to identify successful private companies that are well-rounded, said Entrepreneur editor Jason Feifer in a prepared statement. “NuHarbor is creating new tech jobs, cultivating information security leaders, and providing crucial security services to local businesses and organizations,” Feifer said.
NuHarbor also growing fast; Fimlaid expects to move the company to a larger space in Colchester this winter and double last year’s revenues in 2019. He said NuHarbor will add 30 to 40 security engineer jobs in Vermont in the next five years.
Fimlaid spent some time talking to VTDigger about NuHarbor. The interview has been edited for length and clarity.
VTDigger: Is NuHarbor different from other information security companies?
Justin Fimlaid: The security market is primarily filled by product companies. You can buy firewalls, scanners, anti-virus solutions, email gateways that inspect your email, stuff like that.
The service companies are all niche providers who do one type of testing, or do security operations, or do forensics. All these things should be working in tandem.
The idea of end-to-end services seems to resonate with people. It’s kind of like the cradle-to-grave approach. If you have an information asset or a technology asset you are looking to protect, we can help you build your security program to protect it.
We can build the castle around it, we can tell you how to construct the castle, the moat, the whole thing, so you’ll be safe — and over time we can tell you how to maintain the castle.
And if something happens, and your castle gets breached, you have raiders in your castle, we can help you get them out. We’re your single partner; you don’t have to go out to multiple companies to solve this challenge.
VTD: How did you come to start NuHarbor?
JF: In early 2013 Keurig had just gone through a management change, especially on the IT side; the old guard was starting to retire, the new guard was coming in, and they had a requirement I would use someone from the Big Four accounting firms to do some security work. They charged us an egregious amount.
Philosophically speaking you would never hire your security guy to advise on someone’s accounting, so why are we having our accountants advise on security?
They sent me a bunch of kids that were just out of college. I was coaching them through some of this. With some of it, I had a vested interest in seeing the right outcome. But here was this consulting firm and I was making them better.
For 2013 I was still with Keurig, but I started to incorporate and prepare marketing ideas and business plans on and off for a year. Then, I had just really had enough; I was really, really done with Keurig; and so in the beginning of 2014 I decided I was leaving no matter what. I wasn’t sure if NuHarbor was really going to be a thing. I had been kind of testing the market for ideas, I had conversations with companies in Boston; I knew the idea was viable based on conversations I had.
VTD: How did you get the financing to start your company?
JF: On my own. I just bootstrapped the company. I have had a lot of people approach me to invest, but we’ve been self-funded since the beginning and it has worked out well.
I learned a lot about how to position the company and I got an account with Department of Energy. DOE found me online, and when they called I finally had the message right. It happened fast: within a week contracts started coming in and I realized the job is in Washington, D.C., and I was living in Huntington at the time. We had maybe three months of living expenses.
Within two weeks, I was living in D.C. No money was coming in; my wife was pregnant and getting a PhD, so I lived on canned tuna, a loaf of bread, soba noodles, and made a commitment that this had to work. I only had two suits. My truck had broken down and the dog had a torn ACL.
I had heard “no” so many times.
Then I closed some additional business in D.C., a check came in from DOE, and at that time the state of Vermont had also issued an RFP that we ended up winning to do security work for the Secretary of State. That was in the tail end of 2014. So we hired our first employee in August 2014, and then hired a second employee to help with the project in Vermont, and all of the sales and marketing stuff I had been doing started to come through, so with three employees we were very busy.
By January 2015 we had hired another six people, and we rented an office.
There have been times when we have hit our head on the ceiling from a growth standpoint. When I look back on it in hindsight it’s probably more of a blessing because that controls our growth. There are times we have to tether our growth just to make sure we don’t grow in an uncontrolled way.
We have applied for a Vermont Employment Growth Incentive (VEGI) grant to help offset our training costs.
VTD: Along with the DOE and the state of Vermont, who were your first customers?
JF: Some of our earlier customers were small organizations in Boston. We had some small nonprofits where I would go in and work with them for the day, two days. The main threat in common was protection of credit card data. They had member lists they wanted to keep guarded.
With other organizations, there were challenges around credit card industry compliance, regulations they had to adhere to.
VTD: How do you get paid?
JF: We’re not profit-driven; we are purpose-driven. We as an organization above anything else have to do the right thing for our customers. We have to add value; we have to make enough money to make payroll obviously, but our goal is to make security accessible. We try to make it fair and equitable for both parties. As a partnership, for us it’s a pay-as-you-go type of thing. We do a lot of stuff based on time and materials; that’s the majority of our business.
Project-based work can be fairly expensive, so we have started to get into an ongoing monitoring type of service, and entry level for that is $1,000 a month to $1,500 a month. We kind of go up from there for larger organizations. It comes down to how much we’re actually monitoring. For a small business we’re not monitoring much. For larger organizations we’re monitoring their global footprint.
VTD: What part of the company is in Vermont?
JF: The whole monitoring group is in Essex Junction. In our Boston and D.C. offices, they are mostly doing project-based work or having to be on site at federal clients. We have sales reps there and New York. The idea of having people in territory reduces the amount of time I have to send Vermonters on a plane to travel.
We’re a little more established in D.C. because that’s ultimately where NuHarbor ended up getting started.
VTD: What’s next?
JF: We have outgrown our space in Essex Junction and are likely issuing a letter of intent for a place in Colchester. We’re going to lease a place and build out our security operation there.
This year we’re expecting to get close to doubling last year’s revenues. Last year was a big investment year for us; we put a ton of money back into the organization as far as trying to onboard systems. We retooled some of our services, brought on a whole bunch of new staff; we hired maybe 10 to 15 people last year and had some attrition as well.
VTD: Do you have any trouble finding workers?
JF: A couple years ago we realized that security talent doesn’t exist at the scale we need it. We tapped out Vermont security talent in the first six months, in 2015. There are still some pockets of talent, but they are pretty happy at the companies they are at.
If we’re really committed to Vermont and committed to scaling and growing the company, we have to train people ourselves. Engineers are very analytical and can get uncomfortable quickly in an unfamiliar setting. So we find people with the right aptitude and attitude, and we invest heavily into their skill set. We give them six months of training, six months of shadowing opportunities, and then the expectation is that within 18 months they’ll be working autonomously.
VTD: How do you know they are going to stick around?
JF: I don’t. If the goal is truly to be the best security firm that we can possibly be, if they stay here and I don’t train them I’m not going to fulfill that vision. If we train them and they do really, really well, it only helps fulfill the vision. If they leave, that’s a business risk. Every business faces that.
VTD: Has that happened?
JF: For sure. People leave for a whole variety of reasons. It’s a challenge. But it’s kind of their personal decision, right?
VTD: Who are your big customers these days?
JF: We still have contracts with the DOE; some of the folks here have top security clearance with them. We’re starting to do more work with the state of California. We have multi-billion-dollar hedge funds in New York and Boston. And here in Vermont, we work with the state and with small businesses with five to 10 people.
VTD: Do you plan to keep the business in Vermont?
JF: There are a lot of places where we could do this. I wouldn’t say the access to talent or customers is any better or any worse. We basically do a lot of our work remotely.
From a sales standpoint, we can still have a national reach from Vermont. And we can still bring jobs back here.
It’s super expensive to do business here. Contrast it to North Carolina, where the corporate income tax is 2.5 percent. It’s 8.5 percent here.
But things like the VEGI grant start to make that a little more competitive.
The biggest driver at this point is the people who are in Vermont want to be here. It’s not for everybody, but for the people who are here and like Vermont, it gives those folks an opportunity to live where they want to live, enjoy the lifestyle they want, and also give them intellectually challenging work.
A lot of our business is done outside of Vermont, which means a lot of times we’ve got to put folks on planes. But Burlington airport has flights to D.C. three times a day, flights to Chicago a couple times a day. If we were in D.C., there would be more businesses locally we could start to go after, but that’s part of our strategy too; we hope to grow out some of those regions. Boston is a growing market for us, and we expect D.C. to be.
