Mach37 Alum Hill Top Security Wins Virginia Velocity Tour NoVA Award


Hill Top Security CEO and Mach37 Alumnus Tom Gilmore, second from left, accepting the Virginia Velocity Tour Award for Northern Virginia, September 2016

The Mach37 family was busy last Thursday. We announced our Fall 2016 Cohort and a new Mach37 platinum sponsor, SAP National Security Services. On the same day, spring 2016 cohort alumnus Hill Top Security won the Virginia Velocity Tour Northern Virginia Region pitch competition and the $25,000 top prize. Hill Top CEO and Founder Tom Gilmore accepted the award at the Fall Cohort Introduction dinner Thursday evening in front of a crowd of more than 250 Mach37 supporters. We recently interviewed Tom on our Mach37 blog and it is clear that the company is already making an impact.

Mach37 Alumnae Represented Two-thirds of the NoVA Finalists

However, Hill Top wasn’t the only Mach37 standout in the pitch competition. Four of the six finalists in the cybersecurity and government technology category were Mach37 alumnae. Eunomic, SheVirah and Tensor Wrench all pitched alongside Hill Top. Two other companies focused on government technology SpotMyBus and J&F Alliance Group also competed. The competition judges came from the University of Virginia, Revolution Ventures, Amplifier Ventures and TandemNSI. It was great to see so many Mach37 alumnae getting recognition for their technology and business growth.


Hill Top Security CEO Tom Gilmore Presenting to Virginia Velocity Tour Judges

Virginia Velocity Tour Background

va-velocity-tour-logoThe Virginia Velocity Tour is overseen by the Virginia Secretary of Commerce and Trade and planned in partnership with our friends at Village Capital. We appreciate that Virginia Governor Terry McAuliffe, Secretary of Commerce and Trade Todd Haymore and Village Capital’s Ross Baird are so supportive of the start-up community across the state. Twenty-nine finalists competed for top honors in five regions.

At Mach37, we work with entrepreneurs from all over the world. Two of the five companies in our current cohort are from Europe and we also have entrepreneurs joining us from Nevada and North Carolina. We maintain a global outlook regarding cybersecurity, but we also appreciate introducing these companies to the business-friendly climate in Virginia. The Virginia Velocity Tour is another example of the start-up support that founders receive from the state and can access as part of the Mach37 family. Congratulations again to Tom and the entire Hill Top team.

Mach37 Spring Class 2016 Interview: Hilltop Security


2016-06-14 - M37 Demo Day - 08 - HTSI - DSC_3364

Tom Gilmore, Hill Top Security CEO


What opportunity did you recognize that led to the founding of Hill Top Security?

HTSITom Gilmore:
 We saw that most organizations were faced with a shortage of skilled security personnel and that any strategy built around creating more security analysts was not going to be effective. In addition, security personnel are overwhelmed with security alerts and spend too much time processing false-positive alerts. We also believed that the time to detect a breach which is on average 206 days is a direct result of these problems and that time could be dramatically decreased with automation and better tools.

What specific value does addressing that problem provide for your customers?

Gilmore: We provide customers with a security incident response platform that ingests data and performs complex event processing to save analysts time allowing them to move to detection and response activities faster.

Why aren’t current solutions addressing this problem effectively?

Gilmore: Most solutions on the market today are focused on prevention, or detection, or response. Our product is designed to do all three and also provides analysts with the ability to work in a single environment instead of having to login and operate every security tool independently.

What makes your approach different and better from existing approaches?

Gilmore: Solutions on the market now are very narrowly focused and fragmented creating more work and reducing efficiency. Our product is designed to enhance and improve the utility of our customer’s current resources. By interconnecting all the devices and systems that make up the security architecture, we are able to increase the value of the data being generated by enriching the data with such things as business impact analysis, business rules, and risk assessments.

What about your team’s background puts you in a unique position to succeed?

Gilmore: We have a team that has experience in national and military intelligence, cyber security, and industrial engineering. I personally have one start-up under my belt that made the Inc. 500 and exited. Neil Wright spent 7 years designing UPS’s global package handling system and Steve Baker has over 30 years of national security and intelligence experience working in such places as the White House National Security Council.

What one aspect of the Mach37 programs did you personally find most beneficial?

Gilmore: Learning the intricacies of being a successful product company. Having come from a government services background, making that transition can be very difficult and Mach37 helps you define what that will look like and develop a plan to get there.

Learn more about Hill Top Security here.

Mach37 Spring Class 2016 Interview: NormShield


2016-06-14 - M37 Demo Day - 05 - Norm Shield - DSC_3389

Mohamoud Jibrell, NormShield CEO


What opportunity did you recognize that led to the founding of NormShield?

ns-logo-transMohamoud Jibrell: Through our many years of experience in the cyber security industry we recognized that organizations rely on mostly manual methods to validate their security posture and they do not have visibility to existing vulnerabilities that hackers can exploit. We also recognized that most security tools are not designed for the mid-market. They assumed a greater sophistication of user and more manpower than is typically available to mid-market CIOs. So, we founded NormShield to fill those gaps: automate cyber security processes, provide visibility and services that are currently not available and align the solution with the needs of the mid-market.

What specific value does addressing that problem provide for your customers?

Jibrell: Visibility. That, in one word, is the specific value that we provide more of than any our competitors. NormShield provides better visibility to existing vulnerabilities and significantly reduces the risk of hacker exploitation. We do this by continuously gathering cyber threat data from multiple sources and by monitoring our customers’ assets. We then analyze and present the data and actionable information to our customers using our cloud platform. That visibility helps companies take action to reduce risk.

Why aren’t current solutions addressing this problem effectively?

Jibrell: Current products are designed for large enterprises and are narrowly focused. Mid-market businesses don’t have the financial or human resources to run dozens or even a handful of information security products to protect their assets. Current solutions assume large enterprise users with large staffs that can specialize in specific infosec tools. NormShield’s single, integrated solution provides the necessary security coverage while minimizing the human labor and skill requirements. I was a mid-market CIO and I understand the security needs, but also recognize the constraints. We built a tool to fit that user profile.

What makes your approach different and better from existing approaches?

Jibrell: We provide a unified single solution that addresses multiple needs. Competitors offer multiple products to address the same set of problems. But using multiple products is a lot more difficult to administer and it also brings a lot of management overhead. We commonly see security teams, IT teams and risk teams work independently with different agendas and metrics. Acquisition of multiple products is also more expensive and it is not something that most mid-market companies can afford. All of these factors combined lead to inefficient and ineffective processes that slow down the threat response and vulnerability management and expose companies to preventable cyber attacks.

What about your team’s background puts you in a unique position to succeed?

Jibrell: We have a diverse team with deep expertise in ethical hacking, enterprise software development and IT management. I myself have 16 years of CIO experience under my belt. Our combined experience in the industry gives us the network and knowledge we need to succeed.

What one aspect of the Mach37 programs did you personally find most beneficial?

Jibrell: The support we got with sales, marketing and product strategy was extremely beneficial. We were also introduced to many different potential customers through Mach37, which allowed us to expand our network and get a jumpstart on reaching our goals.

Learn more about Normshield here.

Stay East Young Man

I recently read the New York Times article, “The Pentagon as Silicon Valley’s Incubator,” by Somini Sengupta, which highlights a welcomed trend in cyber security investing that most of us in the industry are watching unfold.  The article highlights the enhanced relationship between Silicon Valley venture capital firms and DoD and Intelligence Community cyber security stakeholders.  The article also underscores my assertion that the DC-Maryland-Virginia Cyber Beltway is the center of mass for global cyber security expertise (see Blog Post: dated   August 2013, “The Cyber Beltway’s Innovation Dislocation“).

We at MACH37 are thrilled that Silicon Valley and other venture capital rich regions are bridging the gap with the Cyber Beltway.  We continue to strongly support initiatives focused on achieving such gains, such as the Security Innovation Network, which has made tremendous strides in bringing both communities together.

However, Sengupta’s article illuminates a related and troubling trend – the migration of cyber entrepreneurs from the Cyber Beltway to Silicon Valley.

Specifically, Sengupta references two cyber security start-ups, Morta and Synack, both of whom recently pulled up chocks and moved to Silicon Valley to secure venture investment.  Sengupta also references several other high profile cyber security policy stakeholders who migrated West to join other cyber security startups.

I can imagine why VC’s would desire to keep first time entrepreneurs close to home.  It’s difficult for VC’s to effectively mentor and manage young and inexperienced entrepreneurs when they are separated by over 2,850 miles.  I can also imagine why former policy stakeholders would be drawn to the luster of the fast-paced Silicon Valley start-up environment.  I am sure that echoes of Horace Greeley’s “Go West Young Man” add to the excitement and romance of their first entrepreneurial experience.

However, if VC’s have already recognized the unmatched density of cyber security expertise residing within the Cyber Beltway, it makes little sense to me that they would desire for these entrepreneurs to leave the rich intellectual ecosystem that originally inspired them.

In the cyber security space, perhaps more than any other technology sector, intellectual capital has a very short shelf-life.  In order for cyber security companies to thrive beyond the releases of their initial alphas and betas, their founders and technologists must continue to innovate.  In order to do so, they must maintain an awareness of the state of the cyber threat as well as the state of their competitive environments.

By pulling these entrepreneurs out of the cyber intellectual epicenter, their VC’s are inadvertently undermining their ability to compete over the long term.  Outside the Cyber Beltway, these entrepreneurs are going to lose a step and will find it more difficult to, not only keep up with the threat, but also to seize and defend a competitive market position.

To be certain, in Silicon Valley, these entrepreneurs are going to find a wealth of expertise in new venture development, software engineering, and enterprise solution sales and marketing.  But they will also find a dearth of cyber security expertise.  There are lots of folks out West who know how to build a highly scalable database to search through and correlate log and threat data, but very few of them have any idea what they are actually looking for.

Let me suggest an alternative approach.  Stay East Young Man (and Woman).

If VC’s want to give their cyber security entrepreneurs every advantage to succeed, leave them inside the Cyber Beltway.  If the entrepreneur is a first timer, establish your firm’s presence here and surround the entrepreneur with experienced talent.  By allowing the entrepreneur to remain immersed in the ecosystem that originally inspired her, her venture will continue to innovate, keeping pace with the cyber threat and competitive environment.  Several venture firms with strong cyber security track records such as NEA, Grotech, New Atlantic, Valhalla, Harbert, Columbia Capital, Paladin and Alsop Louie understand the importance of this immersion and are either already established or are in the process of building a more sustained presence within the Cyber Beltway.

MACH37 is working hard to make it easier for both cyber entrepreneurs and venture capitalists to build cyber security companies inside the Cyber Beltway.  We augment our entrepreneurs’ existing cyber security skill sets with the critical product management, development, sales and marketing and venture development capabilities they will need to succeed.  We pair them with seasoned entrepreneurs, cyber technologists, market analysts and venture advisors who are committed to helping them be successful.  We drive their ventures through concept validation, target market customer acceptance, and alpha commitment and provide them and their investors with the strong market-driven foundations they will need to achieve the success we are all driving towards.

Creating a Market-Focused and Product-Oriented Company is Not a Part-Time Job

While there are many factors impeding the successful insertion of disruptive cybersecurity concepts into the current market, I want to explore the underestimation of the focus required to build an enterprise that is market-driven and product-oriented.

The business ecosystem inside the DMV’s Cyber Beltway is heavily prejudiced toward the development of bespoke solutions targeted toward single customers.  This ecosystem is dominated by large systems integrators and government contractors who employ low-risk business models based on time and materials billing and very limited internally-funded research and development investment. There is nothing wrong with this business model, as evidenced by the hundreds of wealthy government contracting business owners that our region has created throughout the past decade.  However, this model thrives on labor-intensive integration and operational support and, by its very nature, is antithetical to disruptive innovation.

When budding cybersecurity entrepreneurs who have grown up in this ecosystem decide to start their own businesses, the siren’s song of SBIR grants, federally-funded research projects and government consulting contracts becomes extremely alluring.  In contrast to the twenty-something social networking and iPhone app entrepreneurs populating other techno-regions, entrepreneurs in the Cyber Beltway typically have families, mortgages and car payments.   The majority of them are lured toward services models out of financial necessity.

Yet they continue to dream about making a disruptive impact.

Last week alone, I met with five different entrepreneurs, all aspiring to take to market innovative cybersecurity product ideas.  Several of them outlined plans to invest cash flow generated from their consulting operations to build a product and deliver it to market.  In most cases, the product team consists of one or two developers working on a product concept part-time.  Consistently, these entrepreneurs believe they can bootstrap their way to a generally available product release within 12 months, avoid the dilution of a sizeable venture round and retire on the sale of their product business at a 10x multiple of projected revenues.

Here’s my advice:  Pick one or the other.  You can’t do both effectively.

Building a product business will take 100% of your focus.  Validating the concept, building the team, and raising the capital necessary to build an organization to support your market entry will take more than all of your time.  Getting your concept to market will require significant outside investment made over a number of years. Even if bootstrapping initial development enables you to reach the market first, without the capital to seize market share and create competitive barriers to entry, better capitalized competitors are going to own the market you have created.

Yes, it takes guts to make the leap, especially if your services business is already showing promise.  But if you want to make a disruptive impact, 100% commitment to the endeavor is simply table stakes.  You won’t be able to find the necessary financial backing otherwise.

At MACH37™, we are working hard to make taking this leap easier for our entrepreneurs. We have built a 90-day program to enable our entrepreneurs to fully validate and hone their concepts by working with our network of cybersecurity customers, serial entrepreneurs and industry experts.  We provide them with capital, allowing them to focus over a tailored 90-day program and build the effective business case that will support additional seed investment from us and third-party investors. We teach them how to be market-focused and how to build products that address what their customers need, instead of what the entrepreneur wants them to have.

The Cyber Beltway’s Innovation Dislocation

Last week, I had the opportunity to participate in the AGC Partners “Disruption: Innovation at the Edge of Cybersecurity” event in Las Vegas.  My panel explored how cybersecurity entrepreneurs become inspired to innovate and what dislocations are preventing them from disrupting the cybersecurity marketspace.  As I thought about what ingredients are required to insert disruptive concepts into the current market, it occurred to me that within the Northern Virginia, Fort Meade and DC Metropolitan “Cyber Beltway,” the problem is something beyond a lack of creative inspiration.

On the contrary, at MACH37 I see at least three new product ideas a week coming from young entrepreneurs, members of the intelligence community, small cybersecurity services companies, university researchers and FFRDCs located within the Cyber Beltway.  To be sure, cybersecurity companies operating in the Cyber Beltway enjoy privileged insights into the cyber threat landscape.    These companies often support the offensive side of cyber operations, have an intelligence analysis DNA, have been doing big data since before it was called big data and enjoy unique access to the intellectual property derived from thousands of classified and unclassified incident response and remediation activities.  Individuals working within these companies know better than most how the cyber threat operates and how to rapidly collect and analyze artifacts to discover a cybersecurity breach within an enterprise network.

However, in spite of this treasure trove of intellectual property, we aren’t seeing the conveyor belt of disruptive cybersecurity products entering the market from this region that we should expect.  Why is that?

While our region’s cybersecurity technologists are filled with creative ideas, the ecosystem forces downstream from their creative genius are undermining their ability to disrupt the market.  In general, their innovations:

·      Are driven out of academic curiosity rather than emerging market need

·      Lack the entrepreneurial sponsorship required to build a viable business case for the innovative concept

·      Lack the financial backing necessary to deliver, support and take to market an enterprise-worthy solution

Over the next several blog posts, I intend to explore the dislocations in our local ecosystem.  My hypothesis is that none of these are terminal and that we at MACH37, with the help of others in the industry, can positively address the current gaps and create an environment that not only fosters the creation of potentially disruptive cybersecurity concepts, but also supports the many other, perhaps more practical, ingredients required to bring positive disruption to the cybersecurity market.