People + Tenacity
Penacity, LLC’s cybersecurity and low-voltage electronic experts provide holistic solutions
One trillion dollars.
This is the aggregate cost of cybercrime that organizations worldwide surpassed in 2020, according to a report published by the Center for Strategic and International Studies—an amount that more than tripled in less than a decade. This total doesn’t include harder-to-quantify costs, such as lost business opportunities, wasted resources and the negative impact that lost data and downtime can have on employee morale. After surveying 1,500 companies, reviewing publicly available data and interviewing cybersecurity officials, the report’s authors concluded that most organizations lack an understanding of cyber risk and a plan to monitor, manage and mitigate it.
This is where Hanover, Maryland-based Penacity, LLC’s team of cybersecurity and low-voltage electronic experts can step in to assist. The company’s core staff of 20 employees and network of nearly two dozen independent contractors provide penetration testing, managed security solutions, cybersecurity and incident response services, CMMC and NIST 800-171 compliance consulting, structured cabling design, installation and commissioning, and training and simulations for clients across the U.S.
“The word ‘Penacity’ comes from ‘people with tenacity,’” says Timothy H. Schilbach, who founded the company in 2016. “We are that—and more. We’ve kind of seen it all, whether that’s been with this company or other organizations. We understand complex problems and believe they have some sort of solution.” Timothy and members of Penacity’s leadership team each have between 25 and 35 years of experience in their respective areas of expertise.
Pathway to the Present
Timothy’s pathway to his present role as President and CEO of Penacity has provided him with a full-spectrum view of the cybersecurity and data communications industry. He co-founded, grew and sold two companies before launching Penacity: Concentric Tech Solutions, LLC (CTS), which began as a web hosting and design firm in the late 1990s and expanded into telecommunications, and Sarum LLC, an information security company that consulted for federal government entities, including the Defense Threat Reduction Agency (DTRA) and the Centers for Medicare & Medicaid Services (CMS).
“The CMS processes billing and dispenses benefits for medical providers and patients who are part of the Medicare/Medicaid program,” Timothy says. “The largest of these medical providers would send 20 semitrucks of mail per month to doctors’ offices and people’s houses. When new legislation required providers to realign their organization with the U.S. government’s updated cybersecurity framework, we helped with this transition.”
After he and his business partner sold Sarum, LLC, Timothy drew upon his formal education and his experience as an active member of the Army National Guard to serve for several years as a Cyber Warfare Officer for the U.S. Cyber Command. Timothy earned a Doctorate of Science in electrical engineering from the University of Phoenix and a Doctor of Engineering degree in Electrical and Electronics Engineering from Johns Hopkins Whiting School of Engineering in Baltimore. He has participated in and led the National Guard’s response to natural disasters, including catastrophic floods and hurricanes.
Tracking down cybercriminals, terrorists and other bad actors and witnessing the havoc Mother Nature can wreak has prepared Timothy well for what he says is the most daunting part of Penacity’s work: “identifying all the potential points of failure.”
Assessing Risks, Developing Action Plans
The first step that Penacity’s team takes is to conduct a penetration test to assess an organization’s risk level. “We also uncover any unauthorized disclosure of sensitive information or alteration of proprietary data, review an organization’s cyber hygiene habits (the tools and practices it uses to protect the health of its networks and digital assets), and evaluate its building and systems infrastructure, business operations and human resource policies,” Timothy explains. “Our penetration tests include some social engineering. For example, we’ll ask: ‘Does the organization have a great training program? Are the employees disgruntled?’ Unhappy or exhausted employees can cause security and safety risks.”
Based on this initial assessment, Timothy says, Penacity’s team develops a risk-mitigation or “get-well” plan. “Then we walk clients through a maturity model. The initial tasks are the easiest to complete; they progress in scope and complexity as the company grows.”
Chance Meeting Inspires Vertical Integration
According to Christopher Hill, Director of Structured Cabling and Safety Services, a chance meeting and a shared recognition of the critical relationship between the built environment and cybersecurity inspired the expansion of Penacity’s services to include the design, installation and commissioning of structured cabling systems.
“I grew up in Alaska and worked on construction projects with family and friends from the age of 7,” Christopher recalls. “By the time I was 16, I’d become a painting/drywall and carpentry apprentice. I also studied mechanical drawing and loved designing buildings, bridges—anything. After graduating, I joined the union as a journeyman but did not make any money at this, so I started my own company. From there, I trained and obtained licenses in the major trades and as a general contractor. This experience allowed me to grow my company into one that designed, built, remodeled and performed maintenance on residential and commercial properties.”
Then, Christopher and Timothy met at the wedding of a mutual friend. “We hit it off,” Christopher says. “We talked about how it made sense to couple structured cabling with a cybersecurity company to provide a holistic solution for clients. I was looking for a new adventure, so I moved to Maryland and joined the Penacity team.”
“Our research shows that in the U.S. alone, organizations lose between a half billion and $5 billion a year from damage caused by electrostatic discharge.” Christopher Hill, Director of Structured Cabling and Safety Services, Penacity, LLC
Avoiding Rat’s Nests
The structured cabling team that Christopher leads focuses on reducing security threats to voice and network communications systems that are posed by the design, construction, operations and maintenance of the built environment.
“Just search for ‘cable rat’s nest’ images online and you’ll see how dangerous some situations can be,” Christopher says. “We’ve found cables tangled so tightly we couldn’t stick our hand into a rack for fear of damaging or disconnecting something—or getting electrocuted if a cable wasn’t grounded. Making sure cables are neatly organized, labeled, bundled and separated makes maintenance and repairs or upgrades a lot easier to accomplish. It’s ideal to start with systems that have been designed and installed properly.”
He uses a data center project that Penacity’s team completed in Salt Lake City, Utah, to illustrate this point. “This was part of a data center migration to a new building,” he says. “We installed the Cat6A and fiber-optic cabling as well as the rack system. We staged every nut and bolt to provide stable supports and meet safety codes. The way the wires are set up inside the cables for each rack matters. These have to be twisted just so to optimize data transfer. Pulling the cables too tight or untwisting them could cause computers to run more slowly and the data transfer to be intermittent. There is a whole science behind this,” Christopher says.
One of the costliest threats to the safety and performance of data communications systems is also commonplace. “Our research shows that in the U.S. alone, organizations lose between a half billion and $5 billion a year from damage caused by electrostatic discharge (ESD),” Christopher explains. “It’s remarkably easy to build up static electricity. Depending on the circumstances, walking across a room and picking up a piece of paper can generate enough electricity to fry a computer or electronic device.”
Christopher’s extensive, well-rounded experience in the construction industry makes identifying such risks routine, which is fortunate for clients who are unaware of safety or security issues that have arisen as their data communications systems have evolved.
“Recently, I was working with a company that needed to upgrade their fiber-optic cabling,” Christopher says. “They were providing COVID-19-related lab services and needed to move from one suite to occupying three. This work had to be done in two weeks, and they could only shut down on Christmas Day. After I put a bid together, I toured the site. Nothing was up to code. The systems weren’t grounded properly. They weren’t protected against ESD. I provided an additional estimate to cover what it would take to correct these issues. We wound up correcting failed code, safety and firewall issues as well as upgrading the fiber-optic cabling. We got everything ordered and staged, then accomplished the transfer in one day. The customer was grateful that my training helped me spot the deficiencies that would have otherwise gone unnoticed and could have caused a lot of damage down the road.”
Even when companies are aware of these types of risks, Christopher says they may be unwilling or unable to invest in reducing them. “The cost of paint-stripping grounding washers and screws to ensure a clean contact is $200 per 100, versus $20 per 100 for non-grounded. Dielectric grease is also being skipped as it is time consuming to apply this grease on every washer and screw installed where metal should be protected from the elements.”
Small, Medium and Monumental
“The largest project Chris and I have collaborated on is for the Social Security Administration (SSA),” Timothy says. “Our role was to identify all single points of failure within this federal agency, which is the biggest aggregator of data in the United States. We flew to every facility and talked to all the senior leaders. We walked through massive data centers—some that were the size of 20 football fields—and reviewed everything on the physical side, from improper wiring and grounding to the convergence of low-voltage cabling with other building systems. We even looked at weather phenomena because extreme climatic conditions can impact resiliency. The SSA had us identify all the issues and make recommendations for remediation. Then they hired someone else to fix the issues, so the fox wasn’t watching the henhouse.”
While the monumental size of this project is impressive, Timothy takes equal pride in Penacity’s ability to serve small to midsize companies. “We can scale an enterprise-level cybersecurity defense down so that a company of three or four people can afford our services. We also participate in the Buy Maryland Cybersecurity (BMC) Tax Credit program, which provides a 50 percent savings for Maryland-based companies that purchase cybersecurity-related services.”
A Complementary Acquisition
In March 2020, Timothy acquired AboutWeb, LLC, a company that provides IT personnel and software development services. Trayci Koppie, Penacity’s Chief Growth Officer, says Penacity and AboutWeb are completely separate but complementary. With more than 34 years of experience in all aspects of the IT industry, she is especially adept at assembling the experts and resources required to meet each client’s needs.
“I met Timothy when AboutWeb recommended that I hire him for a project I was leading for ITS Services, Inc. (now part of Perspecta, Inc.),” Trayci says. “Since then, we’ve worked together in different capacities for over 15 years. Penacity focuses on cybersecurity with low-voltage cabling services being an extension of this. AboutWeb develops some of the custom tools and software Penacity’s clients require and can provide IT consulting services and staffing support.”
She uses AboutWeb’s Touchstone software as an example. “Penacity helps clients achieve CMMC and NIST compliance, and AboutWeb’s TouchStone software can facilitate these efforts by making it easy to organize and access data—and to provide the correct paperwork for auditors. Penacity is a CMMC Registered Practitioner (RP), which means we can help our clients prepare for an audit. We are working toward becoming a third-party auditing organization (3PAO) so that in the future we’ll be authorized to conduct the audits.”
She explains that CMMC stands for Cybersecurity Maturity Model Certification, a U.S. federal government program designed to ensure the security and integrity of digital devices. Suppliers who want to work with agencies such as the Department of Defense (DOD) must be CMMC-compliant. NIST is the acronym for National Institute of Standards and Technology, a non-regulatory government agency that develops technology, metrics and standards for keeping federally protected information secure. NIST compliance is mandatory for all companies that work within the federal supply chain.
Investing in People
Since Penacity’s leaders place a premium on attracting and retaining talented staff, Timothy says the company invests heavily in its employees by providing paid, in-house training opportunities and generous compensation packages and benefits. It also focuses the majority of its outreach efforts on expanding the pool of qualified job applicants.
“There is a worldwide deficit of trained and educated people needed to fill 3.5 million cybersecurity positions that are currently available,” Timothy says. He and others at Penacity address this concern by volunteering as guest lecturers and advisory board members for local community colleges. “We serve on the Cyber Security Advisory Board for the Community College of Baltimore County (CCBC) and do a lot of outreach to CCBC’s Women in Technology organization.”
Penacity also hosts a six-month internship program and, as a Service-Disabled Veteran-Owned Small Business (SDVOSB), provides IT training and job opportunities for returning veterans via the company’s Cyberwarriors Program. In 2020, Penacity added the award-winning AboutWeb Cares program to the range of educational outreach organizations it supports. AboutWeb Cares provides paid training and IT employment opportunities to people from economically disadvantaged areas.
“We are working to establish our headquarters as a training facility for Building Industry Consulting Services International (BICSI), which is globally recognized for its information and communications technology (ICT) cabling installation curricula, as well as other certification programs,” Christopher adds. “This would open new pathways for residents in the Washington, D.C., Virginia and Maryland area to gain access to low-voltage training and certification.”
Penacity is also a premier/charter member of the Cybersecurity Association of Maryland (CAMI), participates on CAMI’s Cyber SWAT Team, which assists Maryland-based businesses experiencing a data breach or cyberattack, sponsors the annual Zaching Against Cancer Foundation golf outing and donates to families going through hard times during the holidays.
“We believe in being kind, helping others and empowering people by giving them the opportunity to discover their talents,” Timothy says. And while his company’s name is a blend of two words, there’s no question which one he emphasizes. “Without people, there is no company. Investing in each other to achieve success is success. Period.”