The MACH37 blog has moved to a new location. Please follow us at: https://mach37blog.wordpress.com/
It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…” Charles Dickens, A Tale of Two Cities
Since the beginning of 2016, it seems like the worst of times. We have seen a correction in the stock market as the Chinese economic bubble has popped, taking the global oil markets with it, and bringing back the all-too-recent memories of the Internet bubble of 2000 and the financial bubble of 2008 (watch out, 2024!). The misery has spread to the Tech sector. The unicorn, unofficial mascot of Silicon Valley, which had gone from being a rare beast in 2014 to a veritable population explosion in 2015, is once again on the verge of extinction.
Yet the economic talking heads tell us this is normal, that the U.S. economy is doing well and is reasonably insulated from both the Chinese economy and the negative oil shock. That corrections are a necessary part of the market, to restore balance after a period of irrational exuberance. So, what the heck is going on with Tech?
In 2015 I was Principal Investigator for a DHS-funded program called EMERGE, working to leverage commercial business accelerators to help commercially-focused innovative companies bring some of their technology to address needs of the DHS community. As part of this program we were fortunate to get an inside view of four different business accelerator programs in four different cities:
- Tech Wildcatters in Dallas, TX
- TechNexus in Chicago, IL
- Wearable World IoT in San Francisco
- And our own MACH37 here at CIT in Virginia, part of the Washington DC region
Here is what I learned. First, tech innovation does not occur in isolation; it is the result of effective regional innovation ecosystems that include customers, entrepreneurs, funding sources, a high concentration of expertise and ideas, and enough of a support infrastructure to help the entrepreneurs through the early pitfalls. Each of the four accelerator programs above has done an outstanding job of helping build and then leverage their local ecosystem as an integral part of what makes each region grow.
Second, Silicon Valley is not identical to the Tech sector. Although news coverage often glosses over this fact, innovation occurs in many places across the country. I will argue below that while Silicon Valley is indeed unique in many ways, generalizations based on that unique set of circumstances can often be wrong. In the current situation, the doom and gloom based on over-priced investments there is less relevant in other parts of the country.
And so, the four cities.
Dallas – Texas has several innovation centers including both Dallas and Austin. There is a diverse industry base, with concentrations in energy, health care/life sciences and tech, significant university presence, and a good concentration of wealth. Tech Wildcatters has successfully provided leadership to the region’s startup community with special programs in both health care and tech, and most recently going to a year-round program from the more typical discrete sessions. Dallas is a vibrant startup location, although it is unclear what effect the collapse of oil prices may have on access to capital in the region.
Chicago – political issues aside, Chicago has the benefit of a high concentration of Fortune 500 Corporate Headquarters, a robust investment sector and strong University presence. TechNexus has done a masterful job first in priming the innovation ecosystem development 7 or 8 years ago, and now tapping into the innovation needs of Corporate strategic partners who are looking to early stage companies as a source of new products and ideas. If the city can recover from its social strife it is certainly positioned to continue as a significant center of tech innovation.
San Francisco – San Francisco/Silicon Valley is the undisputed investment capital of the world for tech. According to Pitchbook in the third quarter of 2015 more than 27% of all the venture capital invested globally came out of Silicon Valley. China has risen rapidly as both a source and target of VC investment, although the collapse of the economy in China seems certain to be a major setback in this area, as the graph seems to indicate starting in Q4 of 2015. New York ranks third on this list, providing just north of 8% of the globally invested capital.
Yet with all that money floating around it appears that some Silicon Valley investors may have had more dollars than sense. If you look at the number of deals and the dollar amounts as compiled by Pitchbook, the dollars invested continued to rise in 2015 even while the number of deals plummeted, leading to a rapid rise in median valuations.
By comparison, valuations in New York during this same time were only 10% of the San Francisco valuations, an enormous disparity. There are some possible alternative explanations for this disparity (bigger opportunities, move towards later stage investments, etc), but both the anecdotal evidence at the time (“too much money chasing too few deals” was a sentiment we heard more than once) and the subsequent down rounds of investment even for some of the high flyers indicates over-valuation on the part of investors was at least one primary cause of the disparity.
A second point. Why on earth would you want to locate and operate a company in the outrageously expensive environs of San Francisco where none of your employees can afford to live? Or Palo Alto, where Palantir is driving out start-ups by snapping up office space at high rents. Well there are certainly some reasons: if you want to hang with the cool kids, California is the place you ought to be. If you need to raise a billion dollars or so, where else would you go? And certainly if you want frothy valuations during the good times, the target destination is clear.
A recent Harvard Business School study (http://www.hbs.edu/faculty/Publication%20Files/09-143.pdf) hinted at one possible evolution of this trend. According to the study:
“Venture capital firms based in locales that are venture capital centers outperform… [as a result of] outsized performance outside of the …firms’ office locations…”
That is, if you are a VC you want to be in one of the centers of VC activity because there is a strong ecosystem of investors…but, the big returns are to be found by investing in other places. Certainly Silicon Valley is not going away as the primary center of activity. Increasingly however, those investors seem to be syndicating with other groups in places such as Dallas, Chicago or…
Washington DC – The region centered around Washington DC is generally considered to include Maryland, Virginia (or at least Northern Virginia), and DC itself. The Federal Government is a large presence, along with some of the specialty areas such as cybersecurity and data analytics it has helped develop. Health care/life sciences is also a major player in the area, and there are multiple world-class universities that support the ecosystem. The region generally ranks in the Top 10 innovation areas of the country, and the area’s capital investments are growing, actually increasing in the 4th quarter of 2015 even while investments were declining nationally. One reason for this increase is the growth in cybersecurity, with the potential for more than a billion dollars in cybersecurity investments in the region in 2016. The two biggest areas were health care/bio and software (including cyber), and there is an organized, active ecosystem working to promote the growth of these and other industry sectors.
Conclusions – Clearly the stock market is in correction territory, driven initially by economic issues in China and the energy sector. While the tech sector also appears under pressure, the fundamentals here are very different. In the short term, what appears to be a broad retrenchment in the sector is actually mostly a correction of inflated valuations on the West Coast that are not indicative of the sector as a whole. As Rick Gordon, Managing Partner of the MACH37 Cybersecurity Accelerator puts it: “while Silicon Valley has been out on the great unicorn hunt, we have been building an army of cockroaches…small, fast, nimble, designed to survive a nuclear winter, and available at a reasonable price.”
The age of easy money from building the next mobile app may be behind us, but the advent of autonomous vehicles, personalized medicine, data-driven everything and more will ensure that the tech sector will continue to drive the next wave of innovation and economic growth for decades to come. But it is increasingly likely that the actual innovations will be found in places like Dallas, Chicago and the Washington region even if the investment capital still flows from New York and Silicon Valley.
When most people think of cybersecurity, they think of IT departments protecting corporate networks, or individuals at home on their personal computers. But cybersecurity is differentiating rapidly as more people realize its actual goal is to improve the reliability of some other business process or product, and not an end in itself. Since these business processes vary widely from one industry to another it makes sense to talk about the unique issues and approaches faced by individual market verticals. One such vertical: Cyber Insurance.
The October 1 edition of the excellent Security Leaders dinner series conducted by @mach37cyber, cohosted by Mach37, AOL, and Marsh & Mclennan at the AOL Fishbowl, was a highly interactive, highly informative panel discussion with insurance industry and related legal professionals on the topic of Cyber Insurance. Cyber Insurance is designed to cover some of the costs in the aftermath of a cybersecurity incident, including items such as forensics to determine what happened and the extent of the damage, public relations to communicate with customers and other stakeholders, costs such as credit monitoring involved in the remediation, and legal costs for defending lawsuits that arise as a result of a breach or loss of data. These costs for businesses that experience a cyber incident continue to increase rapidly.
It is clear that cyber insurance is still a very nascent but rapidly growing industry that faces some difficult challenges. Unlike more familiar life insurance, car insurance or hazard insurance, there is no long claims history to determine actuarial risk. There is no agreed set of standards or guidelines, analogous to “stop smoking”, that are guaranteed to reduce risk for most customers. Every insurance need is essentially custom to the situation (the panelists all agreed businesses should pay attention to coverages and exclusions such as “acts of war”), with businesses handling health information or PII facing very different imperatives than those handling primarily credit card or other financial transactions. And the way that business is conducted, with online brokers promising several competitive quotes within a few hours, means that the due diligence to determine a business cyber posture or even whether they are already breached when the policy is written, is not practical. The remedy for the latter is an increasing reliance on third-party audits or certifications regarding the business practices of businesses seeking insurance.
Insurance claims start when an insured business has knowledge that something has happened, so for data breaches this means the company must be at least sophisticated enough to know that something is wrong. But as one panelist indicated, the most commonly reported incident is “hack” (not a very sophisticated description) counting for about 1/3, while lost laptops and even lost paper still account for significant portions of claims. The insurance company can help bring in forensics and other experts to determine the extent of losses and help stop further losses, and then supports later steps in the remediation and recovery process.
In discussions after the panel, a couple interesting questions came up. First, is cyber insurance more like car insurance (where different skill levels are reflected in different accident rates, allowing lower premiums for good drivers) or more like life insurance (where every insured person experiences exactly one death and premiums are essentially financing the cost of activities around dying, requiring higher premiums for those with a shorter expected time period to do the financing)? Ideally this would look more like car insurance, with a set of specific steps to reduce chances of an accident, but most people seemed to believe it is currently more like life insurance, financing for that first event after which businesses take more extensive steps on their own to prevent a recurrence.
A second interesting question was whether people in the crowd would want to be in this insurance business (an admittedly skewed sample, since the audience was mostly techies). The large majority of people I spoke with said “no”, since it seems almost the luck of the draw which companies will survive in the market; if your business base doesn’t experience many costly claims then you’re probably ok, but the market dynamics make that extremely difficult to determine.
The third interesting post-panel question revolved around the asymmetry in risk and damage in this ecosystem as a whole. The best example here is the loss of PII from a business with cyber insurance. While a business with poor cybersecurity practices certainly incurs costs related to a breach, the harm also falls extensively on the individuals whose PII has been compromised. But the harm to the business is mitigated by the insurance, while the harm to individuals is less well covered (hence, lawsuits). Credit monitoring is sort of like jail time…once you reach three or four life sentences, adding additional coverage doesn’t really help very much. One could hope the cyber insurance industry is taking steps to help mitigate risks for businesses seeking good practices, while not protecting businesses who seek only to profit at individual expense.
Finally, there are a variety of interesting conclusions for early stage companies looking to sell cybersecurity products to businesses in the age of cyber insurance. For entrepreneurs involved with forensics or risk management, it may be that the insurers are your primary market rather than companies directly. In the era of risk management, businesses are no longer seeking to drive their risk to zero. Instead this becomes a cost tradeoff; at what point does additional technology cost more than the insurance to protect the same level of risk. For a cybersecurity vendor not only are you competing with other equivalent vendors for a share of the fixed security pie, now you are competing with a range of alternatives some of which are not even technology-based.
Cybersecurity insurance will continue to grow as a dynamic force in this market. It is unclear exactly how those dynamics will evolve however, so prudent companies should continue to watch this industry vertical carefully.
Caution: Satire Ahead
There is a dangerous threat to our economy and way of life springing up in seemingly every industry. Almost half the Fortune 500 were booted from the list between 1999 and 2009. Some prognosticators say this threat could result in even more than half of the Fortune 500 going away over the next decade, with a conservative economic impact of more than $2 trillion to our current productive capacity. What is this threat? Disruptive Innovation and the provocateurs inflicting it upon us, the Disruptive Innovators, or Dis-sInners as I like to call them.
Fortunately we are not helpless in the face of this scourge; we can fight back. The reason is that these Dis-sInners proceed, no matter the industry, in a very well-known set of steps before they can succeed. If we can disrupt their insidious designs at any step along the way, they will fail, and this is what I call “The Innovation Kill Chain.”
The seven steps of a typical Dis-sInner attack are as follows:
- First, they will conduct surveillance, to understand their target, evaluate competitive strengths and weaknesses, and position for the eventual attack. While this stage is hard to detect, we can take comfort that our highly efficient current business structure is very difficult to disrupt.
- At stage 2 the Dis-sInner will typically expose themselves by creating a legal paper trail (articles of incorporation and similar) that reveal both their true identity and business intent. Paranoid companies could develop a standing research capability to discover and track these perpetrators, but it is hardly worth the effort since they will never amount to a true threat to our overwhelming market share.
- The third step in the Innovation Kill Chain involves the Dis-sInners planning to undermine the value of your core Intellectual Property. Here the well-prepared defender can become more proactive by filing extensive patent coverage that will allow for future lawsuits should the Up-Startup ever amount to anything. Remember, you have deep pockets and they don’t, so it does not matter whether there is actual economic value in your IP portfolio; all that matters is the ability to create expensive legal proceedings at critical times.
- Inevitably, some Dis-sInners actually start building prototype products and begin looking for “beta customers”. By all means, this is your opportunity to appear forward leaning while still containing the threat. The most successful defenders step forward at every request…but then stretch out the process through the various tricks of bureaucracy we all know so well. Should a Dis-sInner persist, extensive product feedback involving meaningless features and tangential use cases is often an effective counter-measure.
- Only a few of the most Advanced Persistent Threats will make it to the point of seeking funding, but for these we recommend the essential Enterprise FiresaleWall. Your Corporate Venture Fund can be a key player in this process. Remember, that these early-stage APTs have not yet taken over key parts of your market, and a well-timed lowball offer can often shortcut their efforts at Escalation of Visibility.
- It is inevitable that your market position will eventually be breached. There are only two types of market leaders, those that know they have been disrupted and those that don’t yet know it. This is where a top notch Chief Innovation Prevention Officer (CIPO) earns their keep. “Off the street and on the shelf” are truly words to live by. Early warning can give you plenty of time to squeeze every last penny out of those previously lucrative markets. And your best customers will surely want to stay with a market leader, even in the face of punitive long term contracts.
- Once a breach has occurred it is time for forensics and damage control. Here, behavioral indicators can be useful in ferreting out the Inside Your Market Threat. Do not succumb to the temptation to point fingers and re-organize; instead watch the Up-Startup and match their every move. One very effective defense, particularly in the Government space, is to partner with the enemy! As a prime contractor, you will have locked up the Dis-sInner market potential and control their destiny through the amount of business you let trickle-down their way.
Knowing your adversary, and the common steps they take in seeking to disrupt your business is the most effective way to stay prepared and stay ahead of this insidious threat.
A number of investors from around the country tell us they have a problem. When considering early stage investments in cybersecurity companies, whether at Mach37 or elsewhere, investors have a hard time telling the companies apart. One issue is that companies abstract away the technical jargon for their investor pitches, and at the buzzword level they really DO sound similar. However we know from the Mach37 portfolio, where we pay attention to competitive issues within cohorts and are always looking for new ideas, that each company is unique. The challenge then is making those differences clear in an easily comprehensible way. We were searching for a way to depict the entire portfolio on a one page graph with a modest number of categories; here it is.
Across the bottom are the target users for each product, color coded and grouped into the corresponding market segments across the top. The technology categories on the vertical axis are based on our “Understanding the Technology” white paper, with a few additional categories added. This segmentation clearly gives a nice spread of the Mach37 companies, and corresponds well with our intuitive understanding of how the portfolio is beginning to meet the market needs. It also provides an interesting working definition of a company pivot, which we are beginning to see in a couple instances: a pivot is reflected by a company moving from one place on the graph to another.
We are interested in your feedback. Does this provide a useful differentiation of companies in the space? Do the categories make sense? How does your portfolio stack up? Could a similar depiction work for other verticals with a different set of technology categories and users?
The Mach37 Security Leader Dinner series has become a premier forum for discussing important topics in Information Security. On October 23, Philip Reitinger was the guest speaker. Although these discussions are non-attribution, and the philosophical musings, views, and opinions expressed are solely those of the author, a few of the ideas in this post are paraphrased from Mr. Reitinger’s prepared remarks, and are used with his permission. Some other ideas presented are crowdsourced from the community discussion or represent my own ideas on various topics.
Can we win the information security war? Currently the answer is no, and the situation is getting worse rather than better. It is getting worse for three reasons: complexity, connectivity, and criticality. The internet is so complex that nobody fully understands it, yet we are connecting everything to it, including all of our personal data and most critical infrastructure. At least we are finally paying attention to the issue, and our defensive technology is improving, so should we expect to be able to win in the long run? If winning means reasonable expectations of privacy, and reasonable expectations of protection for transactional information and intellectual property then the answer should be yes. So what would it take?
First, the internet was designed for connectivity rather than security, so there are some fundamental flaws to be fixed. There is some hope that the transition to IPv6 will address many of these issues, if not subverted by the providers. Baseline strong encryption of all internet traffic with no back doors is currently feasible. Strong authentication, providing some assurance that you are who you claim to be as we interact remotely, is on the horizon.
Second, the “edge of the network” is now every device, and the information and core computing resources (processor, storage, network interface) need to be encrypted and hardened. The move to stronger security by major device providers is a good step in this direction. Next comes automation. Procedures that involve highly skilled operators continuously monitoring for dangerous traffic simply cannot scale; they are orders of magnitude too slow and too expensive. The information security community is developing more automated processes and techniques which will help improve this situation.
Finally for the U.S. comes the legal and social changes necessary to support the technological changes. Unlike some parts of the world, we have criminalized much of the behavior of the “hacker” community in identifying issues and fixes in various information services, even among that large majority of the community willing to use their skills for positive purposes; we need to find ways to enlist their support rather than suppress it. We have also built an ecosystem where service and application providers of all types have been given free license to trade on individual’s data at the expense of privacy. Fixing these major legal/cultural loopholes is a key step in fixing the underlying security flaws, giving incentives for security rather than ignoring it.
So, in spite of the complexity, connectivity and criticality issues that widen the gap if all we do is play catch up, the answer is yes, we are still in a position to win…IF we put our minds and technology to the task…IF we are able to change some of the legal and structural problems…and IF we accept a relative rather than absolute version of what it means to win.
EPILOGUE (Call to Action): Phil Reitinger summarized the state of information security by re-telling the old tale of the two campers. As they get ready for bed, one starts putting on his sneakers, and the second one says “why bother; if a bear comes during the night, you won’t be able to outrun it”. To which the speedy camper replies “I don’t need to outrun the bear, I just need to outrun you”. We are very much under this type of extraordinary evolutionary pressure in cyberspace. The weak will continue as prey, and the predators will continue to roam. To survive in this new age the call to action is simple: Put on your sneakers and start running. Maybe if we all do it we might even starve a few dragons and bears along the way.
[Loosely adapted from an actual conversation with an investor at a networking event]
“So, what do you do here?”
[standing large] “I’m the CTO for Mach37”
“No, I know your title, I want to know what you do”
[uh-oh, better obfuscate] “I’m the Chief Envisionator of Strategery for Cyber-Futures”.
“I don’t even know what that means. What I really want to know is what you do on a day to day basis to add value to this organization”
Being the CTO or Technical Co-Founder of a startup company is a role that requires extraordinary flexibility and humility. Sure, the early days are obvious. You’re the developer of the first product, the first Product Manager, and critical for Marketing, Fund-raising, running the new business, and whatever else it takes to get that business going.
With a little success though, an early round of funding, and employees five, six and seven are a Product Manager and two developers…what now? Still not too hard to envision, your role is less hands-on with the Product and more involved with the roadmap and the intellectual property and mediating customer feedback from sales and marketing with your development team.
As success grows, and you add a VP of Technology to manage the technical team, your role continues to morph. Your CEO Co-founder has kept his roles and grown with them, while you have been busy giving your early roles away. So, what do you do? Is there still a place for you in the company you helped start?
The answer comes down to Leadership. You are a Co-founder because you helped create the vision of product and market and the problems you knew you could solve. The technical team looks to your leadership even though you are not so directly connected as you once were. You know the market and you know many of the key customers. You play a key role managing the business while the CEO is out raising money.
How that translates into day-to-day action varies with your personality, the company and the situation. I have found that letting other people take responsibility for the more detailed daily operations frees up time to build the longer term initiatives, those critical new areas for company growth that take time and patience to nurture. I enjoy being out in the community, a visible representative and spokesperson for the company. Thought leader in the market? Sure, that too.
So, what do you do? Lead. Figure out what that means, and earn your place every day as a leader in the company you worked so hard to start.
David Ihrie is CTO of MACH37 and has been the lead technical person for six startup companies. He has a BS in EE/CS and an MS in Management specializing in the Management of Technological Innovation, both from MIT.