From Novell to Next-Gen Security: How Novacoast Built a CISO-First Machine
Paul Anderson didn’t start Novacoast to chase buzzwords or ride the latest hype cycle. He started it because, as an engineer in the mid‑90s, he noticed something simple and profound: customers trusted the people who solved their problems.
“I worked for a couple of companies that were classically sales driven,” he remembered. “I was an engineer… and I just thought, what I saw is that the loyalty lied between the customer and the engineering talent that was fixing their problems, not between the customer and either the sales environment or the company as a whole. And I wanted to start a company that was really more just engineering based and solution oriented.”
That mindset – engineering first, outcomes first, hype last – is exactly what today’s CISOs are desperate to find in partners. Novacoast’s journey from a scrappy Novell shop to a global managed security and OT/AI security provider is a blueprint for what it looks like to grow with your customers, not just sell to them.
And it started with nearly going out of business.
Surviving the Crash That Almost Killed the Company
By the end of 1999, Novacoast had grown to about 70 employees. Then Y2K ended – and so did the spending.
“In 2000, post Y2K, that was probably one of the worst times in our history,” Paul said. “All the business dried up because everybody had spent their money upgrading systems for Y2K. And I probably dropped to about 30 employees in 2000. It was a hard, hard time. I didn’t take a paycheck for almost a year.”
CISOs who’ve lived through budget freezes, vendor purges, and leadership changes will recognize this story: when the spending spree ends, you find out who’s actually delivering value.
For Novacoast, the rebound came through excellence, not marketing. Paul earned Novell’s Master CNE of the Year – suddenly, doors opened.
“That was the year I got the Master CNE of the Year from Novell,” he said. “So all of a sudden we start showing up on lots of radars. I started picking up business around the country because Novell was starting their decline, and I was one of those kind of third-party people that they’d introduce to a customer anywhere – Minneapolis or New York – just because either the customer was starting to move away and they didn’t have a reliable partner to defend their position, or something else was going on and me or somebody else from Novacoast was brought in to kind of champion Novell and help them keep the customer.”
The pattern is important for security leaders: when platforms shift and vendors consolidate, your real partners don’t disappear – they help you navigate the transition. They defend your current state when that’s what you need, and they quietly prepare you for what’s next.
Planting the Security Seeds Before Security Was Cool
As the Novell-centric world began to flatten, Novacoast could have doubled down on what it knew. Instead, one of its leaders, Adam Gray, started doing something that would change their trajectory.
“At that time, we had two things going on,” Paul explained. “We had the Novell business, which was what we were living on. And then Adam was kind of dabbling in a smattering of security companies, which were small back then. It wasn’t the thing it obviously is today.”
Most CISOs have seen this movie from the other side: niche security vendors slowly get acquired by giants. Novacoast didn’t just watch that; they used it.
“Over time, the Novell business started to level off, and the security stuff just took off like gangbusters,” Paul said. “Most of the companies that Adam was partnering with as security vendors were acquired by Symantec. So all of a sudden, as Novell is declining, we’re becoming one of the top Symantec partners in the world – at least in the U.S.”
While Symantec and others were duking it out over endpoints and management tools, Novacoast stayed focused on what they did best: deploying, integrating, and running complex environments on behalf of customers. They weren’t trying to be the product; they were trying to be the team you trusted with the product.
Quiet IP: Building Tools That Actually Get Used
Novacoast’s culture shows up clearly in how they think about intellectual property. Unlike many firms that rush to slap logos on everything and chase product valuations, Novacoast built software with a different goal.
“We’ve always, for our history – even when we were 50 employees – we probably had 10 developers,” Paul said. “Once we got up to like 100 or so, we’ve always had 40, 50, 60 developers on staff. And still today there’s probably 60 or so traditional developers on staff.”
What were they building? Not shelfware.
“A lot of [our IP] is geared towards IP that we run internally, not stuff that we bring to market,” he explained. “We do a few million dollars a year in IP that we either develop for a vendor or for a customer specifically. We tend to not… bring [it] to market ourselves. We were really good at developing stuff, not good at marketing it.”
For CISOs, this cuts to the heart of an everyday problem: you’re drowning in dashboards and starving for integration. The tools that actually move the needle are often the glue – the automations and workflows that sit between products, SOC, and business processes. That’s the layer Novacoast chose to specialize in.
Today, much of that IP is focused squarely on their security operations centers.
“A lot of the intellectual property that we develop today is streamlining those SOC operations and creating tooling that the analysts use to manage a vendor’s product or a customer’s environment,” Paul said. That’s a very different philosophy from the “yet another portal” mindset.
From On-Site Engineers to a Global SOC Fabric
What started as onsite engineers embedded with large customers evolved into a formal managed security operation.
“We had been putting security engineers on site for like a Morgan Stanley for years, which you could call managed security,” Paul noted. “But opening the SOC was a transition for us.”
Fast forward to today, and that transition is complete.
“We have five SOCs – three in the U.S., one in the UK, one in Ireland – and that’s a good third of our revenue,” Paul said. “There’s probably 140 to 150 analysts that work in one of those SOCs.”
For CISOs, scale is only half the story. The more pressing question is: can your partner actually adapt to your risk profile, geography, and regulatory needs?
Novacoast is already handling customers in APAC, and Paul is blunt about what comes next: “We’re actively looking to get an APAC presence. We’ll probably, in 2026, have a SOC or at least an on-the-ground presence, probably in Australia, because that’ll give us an English-speaking nation to chase that Asia business.”
The playbook is clear: go where the customers are, hire localized talent, and back them with a distributed SOC fabric tuned by internal tools and IP. For CISOs responsible for global operations, that’s the kind of growth path you want from a long-term partner.
Federal, CMMC, and the Business End of Compliance
Compliance isn’t strategy, but it’s also not optional. For organizations touching the defense industrial base, CMMC is quickly moving from “later” to “now.”
Novacoast anticipated that.
“We have Novacoast Federal as a wholly owned subsidiary that we started in 2016,” Paul said. “That’s a pretty big, growing portion of our business. Since last year it’s probably 12 to 15 million in revenue, and it’s all services, almost no product.”
Layered on top of that is their CMMC trajectory.
“The first big thing for us is CMMC,” he explained. “We’re in the very final stages of being a C3PAO. We have four or five auditors on staff now who have gone through various levels of the finalization for their certifications. So we’ll be a C3PAO… that lets us do those audits and certifications for anybody supplying services to the DoD.”
For CISOs in or adjacent to the defense ecosystem, this matters. A partner who can help you both implement controls and understand how they’ll be interpreted during assessment is invaluable. It’s not just “we read the standard” – it’s “we operate in this world every day.”
OT Security: Where the Attack Surface Gets Physical
If there’s one domain that keeps modern CISOs awake at night, it’s operational technology – the plants, pumps, valves, and grids that used to be “someone else’s problem” and are now very much everyone’s.
Novacoast has leaned into this space hard.
“The second big thing is OT – operational technology security,” Paul said. “We hired a guy last year that worked for CISA for the government, and we’ve been building out this offering to do assessments, deployments of technology into OT environments, like wastewater treatment plants and all those boring things that nobody cares [about].”
They may sound boring, but they’re exactly the sort of targets sophisticated adversaries prefer.
Paul is frank about where the risk really is: “I met with the City of Lompoc probably a year ago, and they support Vandenberg Air Force Base for wastewater and stuff like that. They don’t have the security infrastructure. And if you wanted to attack an Air Force base, just go after the little city. And that exists all over the country – cities that are supplying critical services to the base that’s local to them.”
Novacoast is positioning itself alongside the likes of Dragos in this space, but with a twist: they already have the SOC backbone to turn assessments into managed, ongoing protection.
“We already have the SOC infrastructure. We have U.S.-based employees. We can manage your city of LA water treatment facility from one of our SOCs. You don’t have to add that security staff,” Paul said.
For CISOs responsible for both IT and OT, that single-operations model – one SOC, multiple domains – can be the difference between fragmented visibility and a coherent, defendable story for the board.
AI Security Without the Hype
No CISO can escape AI conversations right now. The challenge isn’t whether to use AI – it’s how to use it safely and sanely.
Novacoast has approached AI like it approached security years ago: through deployments, not buzz.
“Obviously AI – we’re doing a ton of AI deployments,” Paul said. The focus is practical: “Deploying AI security tools that let you secure your AI infrastructure. Or, if you’re using AI to develop code, do code analysis on it before it gets released.”
For CISOs, two key problems surface here:
- Protecting AI infrastructure and data from abuse, leakage, and compromise
- Ensuring AI-assisted development doesn’t silently inject risk into production
Novacoast is positioning itself on both fronts, covering tooling, integration, and operational oversight. Again, the operative word is “managed”: they’re not just handing you tools, they’re embedding them into existing analysis and response workflows.
Go-to-Market by Educating, Not Pitching
Vendors often claim to be “trusted advisors,” but very few invest in truly neutral educational programs for security leaders. Novacoast made that a core part of its go-to-market motion.
“In 2019, Novacoast started our own event company called Innovate, and it’s grown like crazy,” Paul said. “We do two Innovate Summits a year, one in the spring and one in the fall, and we get about 130 CISOs to attend and about 80 vendors sponsor it.”
Crucially, it’s not framed as a Novacoast commercial.
“It’s not a Novacoast event. A lot of people that come don’t even know who Novacoast is,” Paul noted. “It’s a CISO education event.”
Beyond the two flagship summits, they’re scaling this model aggressively.
“On the calendar for ’26, I think we have 20 regional events scheduled for the year,” he said. “Either evening events or single day events that we do in various cities. We get millions and millions of dollars in lead gen from that – and it makes money.”
For CISOs, that last point matters. An educational ecosystem that sustains itself financially is more likely to endure – and to resist devolving into thinly veiled sales pitches.
The Talent Strategy CISOs Wish More Vendors Had
Every CISO knows that tools don’t run themselves. The hardest part of any security program is people: finding them, growing them, and keeping them long enough to build real institutional knowledge.
Novacoast’s answer to that problem is one of the most compelling parts of their story.
“There’s a million things we suck at,” Paul said with a laugh, “but we’ve done a few things really well, and one is talent acquisition that leads to people staying for their entire careers.”
The numbers back that up.
“We have just a disproportionate amount of people that work for Novacoast that were their first job out of college, sometimes even high school,” he explained. “It’s the names you know – forever – we’re all still here. I think the shortest on my executive team, the shortest tenured person, is 15 or 16 years.”
That continuity is not just a feel-good metric. For CISOs, it means:
- Analysts who understand your environment over years, not months
- Architects who remember why certain decisions were made three CISOs ago
- Leadership that has lived through multiple security and technology waves and can contextualize risk over time
“Maybe you start as an analyst, maybe you start as a help desk employee,” Paul said. “We offer you a career path so you never have to leave.”
In a market where many MSSP and MDR teams churn out after 18 months, that philosophy is a strategic differentiator.
What This Means for CISOs
Underneath the anecdotes and war stories, Novacoast’s journey surfaces a set of principles that map cleanly to what modern CISOs need from strategic partners:
- Engineering-first, not quota-first. Start from solving real problems, not pushing product.
- Survive platform shifts by following customer outcomes. From Novell to Symantec to today’s multi-vendor, multi-cloud world, the constant is customer trust.
- Invest in internal IP that makes operations better, not just portfolios bigger. Dashboards don’t defend you – well-integrated workflows do.
- Treat OT, AI, and compliance as operational disciplines, not side projects. CMMC, OT, and AI are baked into how they operate, not just tabs on a website.
- Anchor growth in education and community. When your go-to-market engine is CISO education, you learn faster than you sell – and that’s a good thing.
- Build teams for decades, not quarters. Long-tenured practitioners are the compound interest of security operations.
For security leaders under constant pressure to “do more with less,” partners like this can quietly become force multipliers – helping you stretch talent, amplify your SOC, and navigate regulatory and technological shifts without having to rebuild your strategy every 18 months.
A CISO-Focused Call to Action
If you’re a CISO looking at your next three years, your challenges probably rhyme with Paul Anderson’s story:
- You’re watching one set of core technologies mature or decline while a new stack – AI, OT, modern identity and data protection – demands attention.
- You’re trying to decide which partners will still be in the trenches with you after the next downturn, platform shift, or breach headline.
- You’re staring at a SOC that needs to be faster, smarter, and more integrated, without doubling headcount.
This is the moment to audit your partner ecosystem as rigorously as any internal control set.
Ask yourself:
- Which of my partners are truly engineering-first?
- Who is investing in OT, AI, and compliance as deeply operational capabilities, not marketing themes?
- Where am I relying on teams that churn faster than my own staff?
- Who is willing to be measured on outcomes – detection quality, time-to-response, resilience – not just SLAs and slideware?
Then, look for partners whose history shows they’ve already navigated long arcs of change and come out more relevant to their customers, not less.
Paul joked, “There’s a million things we [in cybersecurity] worry about, but we’ve done the key things that matter really well.” For CISOs, the things Novacoast has chosen to do well – engineering, long-term talent, operational IP, OT and AI security, and CMMC-grade rigor – are exactly where the next decade of security battles will be fought.
Your call to action is simple: don’t wait for the next Y2K moment, the next regulatory shoe to drop, or the next infrastructure crisis to expose weak links in your partner strategy.
Start the conversations now – with your current providers, with your peers, and with firms that have proven they can evolve alongside their customers. In a landscape defined by noise, the quiet, engineering-driven partners who stay through the hard years are the ones most likely to be there when it matters most. Visit Novacoast online at https://www.novacoast.com/.
About the Author
Pete Green is the CISO / CTO of Anvil Works, a ProCloud SaaS company, and co-author of “The vCISO Playbook: How Virtual CISOs Deliver Enterprise-Grade Cybersecurity to Small and Medium Businesses (SMBs)”. With over 25 years of experience in information technology and cybersecurity, Pete is a seasoned and accomplished security practitioner.
Throughout his career, he has held a wide range of technical and leadership roles, including LAN/WLAN Engineer, Threat Analyst, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Director of IT, CTO, CEO, Virtual CISO, and CISO.
Pete has supported clients across numerous industries, including federal, state, and local government, as well as financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality.
He holds a Master of Computer Information Systems in Information Security from Boston University, which is recognized as a National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA/CD) by the NSA and DHS. He also holds a Master of Business Administration in Informatics.
