Mach37 Alum Hill Top Security Wins Virginia Velocity Tour NoVA Award

hill-top-security-virginia-velocity-tour-winner-full

Hill Top Security CEO and Mach37 Alumnus Tom Gilmore, second from left, accepting the Virginia Velocity Tour Award for Northern Virginia, September 2016

The Mach37 family was busy last Thursday. We announced our Fall 2016 Cohort and a new Mach37 platinum sponsor, SAP National Security Services. On the same day, spring 2016 cohort alumnus Hill Top Security won the Virginia Velocity Tour Northern Virginia Region pitch competition and the $25,000 top prize. Hill Top CEO and Founder Tom Gilmore accepted the award at the Fall Cohort Introduction dinner Thursday evening in front of a crowd of more than 250 Mach37 supporters. We recently interviewed Tom on our Mach37 blog and it is clear that the company is already making an impact.

Mach37 Alumnae Represented Two-thirds of the NoVA Finalists

However, Hill Top wasn’t the only Mach37 standout in the pitch competition. Four of the six finalists in the cybersecurity and government technology category were Mach37 alumnae. Eunomic, SheVirah and Tensor Wrench all pitched alongside Hill Top. Two other companies focused on government technology SpotMyBus and J&F Alliance Group also competed. The competition judges came from the University of Virginia, Revolution Ventures, Amplifier Ventures and TandemNSI. It was great to see so many Mach37 alumnae getting recognition for their technology and business growth.

2016-09-22-va-velocity-tour-24-smaller

Hill Top Security CEO Tom Gilmore Presenting to Virginia Velocity Tour Judges

Virginia Velocity Tour Background

va-velocity-tour-logoThe Virginia Velocity Tour is overseen by the Virginia Secretary of Commerce and Trade and planned in partnership with our friends at Village Capital. We appreciate that Virginia Governor Terry McAuliffe, Secretary of Commerce and Trade Todd Haymore and Village Capital’s Ross Baird are so supportive of the start-up community across the state. Twenty-nine finalists competed for top honors in five regions.

At Mach37, we work with entrepreneurs from all over the world. Two of the five companies in our current cohort are from Europe and we also have entrepreneurs joining us from Nevada and North Carolina. We maintain a global outlook regarding cybersecurity, but we also appreciate introducing these companies to the business-friendly climate in Virginia. The Virginia Velocity Tour is another example of the start-up support that founders receive from the state and can access as part of the Mach37 family. Congratulations again to Tom and the entire Hill Top team.

A Tale of Four Cities (with apologies to Dickens)

It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…” Charles Dickens, A Tale of Two Cities

Since the beginning of 2016, it seems like the worst of times. We have seen a correction in the stock market as the Chinese economic bubble has popped, taking the global oil markets with it, and bringing back the all-too-recent memories of the Internet bubble of 2000 and the financial bubble of 2008 (watch out, 2024!). The misery has spread to the Tech sector. The unicorn, unofficial mascot of Silicon Valley, which had gone from being a rare beast in 2014 to a veritable population explosion in 2015, is once again on the verge of extinction.

Yet the economic talking heads tell us this is normal, that the U.S. economy is doing well and is reasonably insulated from both the Chinese economy and the negative oil shock. That corrections are a necessary part of the market, to restore balance after a period of irrational exuberance. So, what the heck is going on with Tech?

In 2015 I was Principal Investigator for a DHS-funded program called EMERGE, working to leverage commercial business accelerators to help commercially-focused innovative companies bring some of their technology to address needs of the DHS community. As part of this program we were fortunate to get an inside view of four different business accelerator programs in four different cities:

Here is what I learned. First, tech innovation does not occur in isolation; it is the result of effective regional innovation ecosystems that include customers, entrepreneurs, funding sources, a high concentration of expertise and ideas, and enough of a support infrastructure to help the entrepreneurs through the early pitfalls. Each of the four accelerator programs above has done an outstanding job of helping build and then leverage their local ecosystem as an integral part of what makes each region grow.

Second, Silicon Valley is not identical to the Tech sector. Although news coverage often glosses over this fact, innovation occurs in many places across the country. I will argue below that while Silicon Valley is indeed unique in many ways, generalizations based on that unique set of circumstances can often be wrong. In the current situation, the doom and gloom based on over-priced investments there is less relevant in other parts of the country.

And so, the four cities.

Dallas – Texas has several innovation centers including both Dallas and Austin. There is a diverse industry base, with concentrations in energy, health care/life sciences and tech, significant university presence, and a good concentration of wealth. Tech Wildcatters has successfully provided leadership to the region’s startup community with special programs in both health care and tech, and most recently going to a year-round program from the more typical discrete sessions. Dallas is a vibrant startup location, although it is unclear what effect the collapse of oil prices may have on access to capital in the region.

Chicago – political issues aside, Chicago has the benefit of a high concentration of Fortune 500 Corporate Headquarters, a robust investment sector and strong University presence. TechNexus has done a masterful job first in priming the innovation ecosystem development 7 or 8 years ago, and now tapping into the innovation needs of Corporate strategic partners who are looking to early stage companies as a source of new products and ideas. If the city can recover from its social strife it is certainly positioned to continue as a significant center of tech innovation.

San Francisco – San Francisco/Silicon Valley is the undisputed investment capital of the world for tech. According to Pitchbook in the third quarter of 2015 more than 27% of all the venture capital invested globally came out of Silicon Valley. China has risen rapidly as both a source and target of VC investment, Slide2although the collapse of the economy in China seems certain to be a major setback in this area, as the graph seems to indicate starting in Q4 of 2015. New York ranks third on this list, providing just north of 8% of the globally invested capital.

Yet with all that money floating around it appears that some Silicon Valley investors may have had more dollars than sense. If you look at the number of deals and the dollar amounts as compiled by Pitchbook, the dollars invested continued to rise in 2015 even while the number of deals plummetSlide4ed, leading to a rapid rise in median valuations.

Slide1By comparison, valuations in New York during this same time were only 10% of the San Francisco valuations, an enormous disparity. Slide3There are some possible alternative explanations for this disparity (bigger opportunities, move towards later stage investments, etc), but both the anecdotal evidence at the time (“too much money chasing too few deals” was a sentiment we heard more than once) and the subsequent down rounds of investment even for some of the high flyers indicates over-valuation on the part of investors was at least one primary cause of the disparity.

A second point. Why on earth would you want to locate and operate a company in the outrageously expensive environs of San Francisco where none of your employees can afford to live? ST AptsOr Palo Alto, where Palantir is driving out start-ups by snapping up office space at high rents. Well there are certainly some reasons: if you want to hang with the cool kids, California is the place you ought to be. If you need to raise a billion dollars or so, where else would you go? And certainly if you want frothy valuations during the good times, the target destination is clear.

A recent Harvard Business School study (http://www.hbs.edu/faculty/Publication%20Files/09-143.pdf) hinted at one possible evolution of this trend. According to the study:

“Venture capital firms based in locales that are venture capital centers outperform… [as a result of] outsized performance outside of the …firms’ office locations…”

That is, if you are a VC you want to be in one of the centers of VC activity because there is a strong ecosystem of investors…but, the big returns are to be found by investing in other places. Certainly Silicon Valley is not going away as the primary center of activity. Increasingly however, those investors seem to be syndicating with other groups in places such as Dallas, Chicago or…

Washington DC – The region centered around Washington DC is generally considered to include Maryland, Virginia (or at least Northern Virginia), and DC itself. The Federal Government is a large presence, along with some of the specialty areas such as cybersecurity and data analytics it has helped develop. Health care/life sciences is also a major player in the area, and there are multiple world-class universities that support the ecosystem. The region generally ranks in the Top 10 innovation areas of the country, and the area’s capital investments are growing, actually increasing in the 4th quarter of 2015 even while investments were declining nationally. One reason for this increase is the growth in cybersecurity, with the potential for more than a billion dollars in cybersecurity investments in the region in 2016. The two biggest areas were health care/bio and software (including cyber), and there is an organized, active ecosystem working to promote the growth of these and other industry sectors.

Conclusions – Clearly the stock market is in correction territory, driven initially by economic issues in China and the energy sector. While the tech sector also appears under pressure, the fundamentals here are very different. In the short term, what appears to be a broad retrenchment in the sector is actually mostly a correction of inflated valuations on the West Coast that are not indicative of the sector as a whole. As Rick Gordon, Managing Partner of the MACH37 Cybersecurity Accelerator puts it: “while Silicon Valley has been out on the great unicorn hunt, we have been building an army of cockroaches…small, fast, nimble, designed to survive a nuclear winter, and available at a reasonable price.”

The age of easy money from building the next mobile app may be behind us, but the advent of autonomous vehicles, personalized medicine, data-driven everything and more will ensure that the tech sector will continue to drive the next wave of innovation and economic growth for decades to come. But it is increasingly likely that the actual innovations will be found in places like Dallas, Chicago and the Washington region even if the investment capital still flows from New York and Silicon Valley.

The Innovation Kill Chain

Caution: Satire Ahead

There is a dangerous threat to our economy and way of life springing up in seemingly every industry. Almost half the Fortune 500 were booted from the list between 1999 and 2009. Some prognosticators say this threat could result in even more than half of the Fortune 500 going away over the next decade, with a conservative economic impact of more than $2 trillion to our current productive capacity. What is this threat? Disruptive Innovation and the provocateurs inflicting it upon us, the Disruptive Innovators, or Dis-sInners as I like to call them.

Fortunately we are not helpless in the face of this scourge; we can fight back. The reason is that these Dis-sInners proceed, no matter the industry, in a very well-known set of steps before they can succeed. If we can disrupt their insidious designs at any step along the way, they will fail, and this is what I call “The Innovation Kill Chain.”

The seven steps of a typical Dis-sInner attack are as follows:

  1. First, they will conduct surveillance, to understand their target, evaluate competitive strengths and weaknesses, and position for the eventual attack. While this stage is hard to detect, we can take comfort that our highly efficient current business structure is very difficult to disrupt.
  2. At stage 2 the Dis-sInner will typically expose themselves by creating a legal paper trail (articles of incorporation and similar) that reveal both their true identity and business intent. Paranoid companies could develop a standing research capability to discover and track these perpetrators, but it is hardly worth the effort since they will never amount to a true threat to our overwhelming market share.
  3. The third step in the Innovation Kill Chain involves the Dis-sInners planning to undermine the value of your core Intellectual Property. Here the well-prepared defender can become more proactive by filing extensive patent coverage that will allow for future lawsuits should the Up-Startup ever amount to anything. Remember, you have deep pockets and they don’t, so it does not matter whether there is actual economic value in your IP portfolio; all that matters is the ability to create expensive legal proceedings at critical times.
  4. Inevitably, some Dis-sInners actually start building prototype products and begin looking for “beta customers”. By all means, this is your opportunity to appear forward leaning while still containing the threat. The most successful defenders step forward at every request…but then stretch out the process through the various tricks of bureaucracy we all know so well. Should a Dis-sInner persist, extensive product feedback involving meaningless features and tangential use cases is often an effective counter-measure.
  5. Only a few of the most Advanced Persistent Threats will make it to the point of seeking funding, but for these we recommend the essential Enterprise FiresaleWall. Your Corporate Venture Fund can be a key player in this process. Remember, that these early-stage APTs have not yet taken over key parts of your market, and a well-timed lowball offer can often shortcut their efforts at Escalation of Visibility.
  6. It is inevitable that your market position will eventually be breached. There are only two types of market leaders, those that know they have been disrupted and those that don’t yet know it. This is where a top notch Chief Innovation Prevention Officer (CIPO) earns their keep. “Off the street and on the shelf” are truly words to live by. Early warning can give you plenty of time to squeeze every last penny out of those previously lucrative markets. And your best customers will surely want to stay with a market leader, even in the face of punitive long term contracts.
  7. Once a breach has occurred it is time for forensics and damage control. Here, behavioral indicators can be useful in ferreting out the Inside Your Market Threat. Do not succumb to the temptation to point fingers and re-organize; instead watch the Up-Startup and match their every move. One very effective defense, particularly in the Government space, is to partner with the enemy! As a prime contractor, you will have locked up the Dis-sInner market potential and control their destiny through the amount of business you let trickle-down their way.

Knowing your adversary, and the common steps they take in seeking to disrupt your business is the most effective way to stay prepared and stay ahead of this insidious threat.

CTO SmackChat: So, what do you do?

[Loosely adapted from an actual conversation with an investor at a networking event]

“So, what do you do here?”
[standing large] “I’m the CTO for Mach37”
“No, I know your title, I want to know what you do”
[uh-oh, better obfuscate] “I’m the Chief Envisionator of Strategery for Cyber-Futures”.
“I don’t even know what that means. What I really want to know is what you do on a day to day basis to add value to this organization”
—–
Being the CTO or Technical Co-Founder of a startup company is a role that requires extraordinary flexibility and humility. Sure, the early days are obvious. You’re the developer of the first product, the first Product Manager, and critical for Marketing, Fund-raising, running the new business, and whatever else it takes to get that business going.

With a little success though, an early round of funding, and employees five, six and seven are a Product Manager and two developers…what now? Still not too hard to envision, your role is less hands-on with the Product and more involved with the roadmap and the intellectual property and mediating customer feedback from sales and marketing with your development team.

As success grows, and you add a VP of Technology to manage the technical team, your role continues to morph. Your CEO Co-founder has kept his roles and grown with them, while you have been busy giving your early roles away. So, what do you do? Is there still a place for you in the company you helped start?

The answer comes down to Leadership. You are a Co-founder because you helped create the vision of product and market and the problems you knew you could solve. The technical team looks to your leadership even though you are not so directly connected as you once were. You know the market and you know many of the key customers. You play a key role managing the business while the CEO is out raising money.

How that translates into day-to-day action varies with your personality, the company and the situation. I have found that letting other people take responsibility for the more detailed daily operations frees up time to build the longer term initiatives, those critical new areas for company growth that take time and patience to nurture. I enjoy being out in the community, a visible representative and spokesperson for the company. Thought leader in the market? Sure, that too.

So, what do you do? Lead. Figure out what that means, and earn your place every day as a leader in the company you worked so hard to start.

David Ihrie is CTO of MACH37 and has been the lead technical person for six startup companies. He has a BS in EE/CS and an MS in Management specializing in the Management of Technological Innovation, both from MIT.

CTO SmackChat: The Dreaded “Pivot”

Your startup is a success! Family and friends have seen you through to the point where an angel investor got excited, and your first alpha customer really likes where you are heading. The beta tests are under way and the feedback is coming in.

One customer says he would be interested in buying if your product could provide two additional capabilities not in the beta version. Another indicates her problem is not exactly the one you are addressing but she sees how it could apply by changing the domain slightly and taking some additional inputs into account. Some feedback says it seems similar to what they are already using. There is a request to show the output on a map background. And, your marketing guru says that several customers are really struggling to solve a problem that one component of your solution could make dramatically easier. Should you pivot, or stay the course? Add features or simplify? Expand to related problem areas? What feedback do you rely on to make those decisions?

A couple things are clear. As a startup your resources are stretched way too thin simply trying to address one market. Expanding to a second problem area before succeeding in the first one makes it much more likely that neither will succeed. The second notion is integrity of a core product offering. If every customer has a different set of implemented features, your business is really a service business built around customizing features rather than a product business.

But the harder trap for most entrepreneurial technologists is falling in love with your own ideas. After all, you thought it up, and your whole career has been built on confidence in your technical ideas. You probably know better than the customer what is really possible from a technical standpoint, and what the hard problems are that you know how to solve. In the end though, the right answer is always what customers will pay for. And in our example above I would be inclined to listen to the marketing guru who seems to be close to some potentially paying customers: perhaps it is time to change the product idea, get rid of a bunch of the features that are not helping differentiate it, and focus on the one core bit that could help several customers solve a critical problem.

There is no science behind when to pivot and when to stay the course. An important indicator is slow or flat sales (or interest) combined with some customer pull along a different development vector than the one you are following. As the divergence grows that market signal gets stronger that the pivot is upon you, but in the end you need to make a judgment call and work with your own company leadership to ensure it is the right one.

You Don’t Scale

The more that information security incidents are in the news, the more often we hear that there aren’t enough people to do all of the work necessary to batten down the hatches against everyone who’d like to compromise our systems and networks. The U.S. Government has been particularly vocal in discussing a shortage of security talent, but it’s not uncommon to hear this refrain in business circles as well.

If these folks are as difficult to find, hire, and retain as we’re told, then we only have a few choices:

  • Train them internally;
  • Automate as many security processes as possible;
  • Do things to make the people you have more effective

Most people choose door #2 as a way to get what’s behind door #3.

There is a common criticism of information security practitioners: that we depend too much on technology, even when the core problems may not be technical ones. Those critics have a point: effective security isn’t something one can buy in a box and then proclaim victory afterward. However, in the face of limited talent, deploying a new technology may be the most straightforward way to attempt to address some risks.The reason is simple: many of the best security products tend to embody some very specific, reproducible, automation-friendly aspect of security expertise and perform it tirelessly, over and over.  You may have the best internal security people in the world, or the best  world-renowned consultants, but the bottom line is that humans don’t scale particularly well.

This is true whether you’re the security manager with the responsibility to keep your network safe 24 hours a day, or the consultant who parachutes in to save the day when things look bleak. The former can only hire so many staff members, and the latter can only be billed for a finite number of hours in a day/week/year.

If experts are in short supply, then one of the most scalable options is to encapsulate the expertise of rare, highly paid people and build it into a mechanism that can attempt to apply that expertise to real environments, be they network traffic flows, host configurations, or software updates.

There has yet to exist a security product that solved all of the world’s (or even one enterprise’s) problems, but if we look at some things that made a difference in the state of the art when they arrived, they tend to fall into a few categories:

  • They allow less-senior people to do some work that used to be the province of a few
  • They help people to make better sense of information they (usually) already had somewhere
  • They help less-technical users to avoid inadvertently hurting themselves
  • They fundamentally changed some aspect of how we work or build systems to make them inherently more secure*

*This is where the most value is created, but it’s also the most difficult.

If you’ve gone to the trouble of building something to solve a problem for yourself, and believe that other people have the same problem, that’s called a market opportunity.

What Type of Entrepreneur Are You?

480786_Horse-Trader copy

MACH37 typically invests in companies at their inception.  With a lack of meaningful company history, our decisions are always based heavily on our assessment of the entrepreneurs behind ideas that we like.  Consequently, we are often asked what we look for in MACH37 entrepreneurs.

While they come in all shapes and sizes, it has been my experience that there are principally two types of entrepreneurs:  “horse traders” and “horse breeders”.

Horse traders are driven to create wealth for themselves by exploiting market inefficiencies.   Their businesses are transaction oriented and rely on simple buy low and sell high principles.  In technology, they often find success in understanding an application of an existing capability, negotiating attractive rights to that technology, then rapidly commercializing (or flipping) it.  Horse traders are not typically technical and often lack a vision beyond the first implementation of their technologies.

“Horse breeders” are wholly different.  They innovate to develop new breeds of capability – disrupting the status quo with better alternatives.  Their innovations often eliminate market inefficiencies rather than exploit them.  During this process, they create wealth for themselves and others by ultimately making the economic pie bigger.  Horse breeders are often technophiles, but they also include musicians, artists, athletes, and anyone is who is driven by a passion for creating something that can make a significant positive impact.

MACH37 looks for horse breeders.  Not only because they are far more fun to work with, but also because horse breeders create value where it never existed before – an underpinning of disruptive innovation.  MACH37’s sole focus is to empower this type of entrepreneurship with the knowledge, exposure, access and validation (by the security buyer and venture communities) necessary to successfully take disruptive cyber security innovations to market.

If you think you are a horse breeder, send us an email or submit an application for the next cohort session.