As General Dynamics and Boeing move away from commercial cybersecurity, Raytheon and Northrop Grumman are making significant investments in the area, hoping it can spur growth as federal spending wanes.
The approaches reflect a divergence among the largest defense contractors, who often make similar strategic moves.
All four of those contractors have sought work providing cybersecurity for commercial companies, viewing it as a chance to apply what they learned working with top-secret government agencies to vulnerable industries from utilities providers to banks.
But Boeing and General Dynamics have in recent months decided the outlook for this market is not as rosy as anticipated.
In January, Boeing sold staff and technology licenses from Narus, a cybersecurity business Boeing bought in 2010, to Symantec.
"We are going through a process in my business about making sure that we're focused on the things that we're really good at and not trying to be soup to nuts," Dewey Houck, vice president of electronic and information solutions in Boeing's network and space systems unit, told InsideDefense.com at the time.
Working with commercial customers "takes a lot of sales folks and it takes a lot of time and effort," Houck added. Instead, Boeing plans to "focus on customers that are in our traditional sweet spot," meaning government and defense agencies.
General Dynamics this month agreed to sell Fidelis Security Systems, a cybersecurity business it acquired in 2012, to Marlin Equity Partners.
Lucy Ryan, a GD spokeswoman, told InsideDefense.com in a statement that Fidelis "serves a commercial customer base, not in our core, and is better served with a commercially focused owner."
General Dynamics, for its part, "will continue to focus on our comprehensive and robust cyber business, serving the U.S. intelligence community; Department of Defense; Department of Homeland Security; and federal/civilian and law enforcement agencies," Ryan added.
Yet, even as these companies move away from commercial cybersecurity, others are intensifying their focus. Raytheon, for instance, announced this week a significant bet on commercial cyber, teaming up with a private-equity firm to acquire Websense and create a new cybersecurity business.
Raytheon executives said the new business would be able to offer a much greater breadth of services to a wide range of customers, from government agencies to commercial enterprises.
Under the deal, Raytheon will contribute $1.9 billion to the joint venture, including a $600 million intercompany loan, as well as the assets and intellectual property of its existing Raytheon Cyber Products business, valued at $400 million.
Northrop Grumman too has pushed more heavily into this market, creating a separate unit, dubbed Acuity Solutions Corp., to focus on commercial cybersecurity.
Industry observers say the contrasting strategies reflect the competitiveness of the cybersecurity market. Some companies, they say, are finding it not worth the trouble; those that want to compete are realizing they must boost their efforts.
"The competition in the private-side markets is fierce," said David Bodenheimer, a partner at Crowell & Moring who specializes in cybersecurity. "You have the established security companies like Symantec, you have the consulting companies like [PricewaterhouseCoopers] and you have the specialty companies like Mandiant competing up and down the cyber market, from the forensics to the breach notification to the upfront preventive technical safeguards. It is a very expansive group of competitors out there."
Bodenheimer and Loren Thompson, a defense industry consultant, both said the market is huge and international, far larger than cybersecurity for federal agencies alone.
"It's a way of applying their skills to an international marketplace in which commercial and civil customers could be just as important as defense customers," Thompson told InsideDefense.com.
But some companies are finding it unappealing.
"The divergence in company approaches to cyber reflects the fact that there's a shakeout underway," Thompson added. "Some companies think they built enough of a business that they can be one of the survivors, and they would include mainly Lockheed [Martin], Northrop and Raytheon. Other companies have decided it's not worth the fight to stay in because either they won't get enough business or the margins won't be appealing."
Marc Marlin, managing director at Kipps DeSanto, told InsideDefense.com the repositioning in cybersecurity is also part of larger strategic changes within the defense industry.
"There's so many ways to play this game, and it's very difficult to be all things to all people in playing this cyber game," he said. "All the different companies need to look at themselves and say, 'OK, what do we do really, really well and how do I want to play in this game?'"
Those companies redoubling their efforts in winning commercial cybersecurity work are typically turning to a new platform. Raytheon, for instance, created a joint venture, while Northrop put together a subsidiary company.
Northrop is "really, really good at doing business with the U.S. government," Ken Uffelman, acting president of Acuity Solutions, told InsideDefense.com last month. "If you look at the commercial market space, that’s exactly what they don’t do."
The contractor decided, he added, "if we were going to do this, we really needed to have a business platform."
Raytheon executives said this week the combination it unveiled combines Websense's existing strong position within the commercial marketplace with Raytheon's defense expertise.
"Today's enterprises are more vulnerable than ever," David Wajsgras, president of Raytheon's intelligence, information and services business, said during a Monday call with analysts. "These attacks are becoming increasingly more sophisticated."