The MACH37 blog has moved to a new location. Please follow us at: https://mach37blog.wordpress.com/
Earlier this month, we announced the acquisition of Cyber Algorithms by Thycotic. Given this is the first exit from the Mach37 portfolio, I wanted to take a few minutes to reflect on its significance to us and our investment strategy.
Mach37’s investment in Cyber Algorithms is a perfect example of our unapologetic bias toward investing in technical founders who embody world-class cybersecurity talent. As I articulated in my July 30, 2014 blog, Why Mach37 Loves the Hacker Community,
“the dirty little secret in start-updom is that while it can take years of technical and analytical experience to inspire truly disruptive security innovation, technical founders can buy, borrow, partner with or be taught the second set of target skills within a few months.”
When we first met Tim Brennan, we knew immediately he had that world-class talent. Together, Tim and his co-founder Josiah Smith could deliver their advanced capabilities to address a large-scale problem.
Tim and Josiah did an incredible job of conceiving, developing, and validating a security analytic product from concept through acquisition. And, for them, getting it done didn’t mean they needed millions in investment capital and a large team of executives. Rather, they diligently embedded an advanced capability into a software product and engaged their target market to demonstrate product-market fit. By executing basic blocking and tackling, good things came to them – very quickly.
Thycotic is one of the most promising and rapidly growing strategic acquirors of cybersecurity capabilities in our region and we are excited that Cyber Algorithms has become part of their team. Congratulations Tim and Josiah.
Last month, DCInno’s Eric Hal Schwartz, in his DC’s Cybersecurity Startup Scene Is Hot. Can It Get Hotter? article gave Virgil Security (and Mach37) the following shout out:
If venture investors are on fire for cybersecurity opportunities, a group of D.C.-based accelerators are cropping up to supply the fuel. Mach37 graduates around half a dozen startups from its program twice a year, with notable successes like Virgil Security, which partnered with Twilio, one of the fastest-growing cloud computing companies around, in April.
Last week, Virgil Security closed a $4 million Series A investment. I’ve long contended that funding news isn’t really news, but what makes it interesting this time is that we’re a Mach37 company – the first Mach37 company to close a Series A round. And that is news! Let me explain why…
Our lead investor was KEC Ventures out of NYC. Other institutional investors included Charge Ventures in NYC, Bloomberg Beta out of San Francisco, Sparkland Capital from both Silicon Valley and China, plus NextGen Venture Partners which, while originally DC-based, now has a national footprint. Notable individual investors included Ray Rothrock and Matt Grimm. Ray Rothrock is practically the godfather of West Coast cybersecurity investing; he led the Series A and Series B investments in PGP Corporation back in the day, and, more recently, led the Series A investments in CloudFlare. Matt Grimm was, until recently, a partner at the San Francisco-based Mithril Capital Management.
Our ability to draw national and international funding to a Northern Virginia startup further validates Virginia’s investment-driven model for economic development. The combined vision of former CIT leader Pete Jobse, Delegate Tag Greason, and the Northern Virginia Technology Council (NVTC), plus the sustained support offered by Governor Terry McAuliffe, Virginia’s Secretary of Technology Karen Jackson, and the Center for Innovative Technology (CIT) brought Mach37 into existence. Without the opportunity that Mach37 provided us to distill our underlying business case, Virgil Security might simply not exist today. Because of all of their efforts, the $50,000 that Mach37 invested in Virgil in the fall of 2014 just drew 80 times that in private investment – with most of it coming from outside the DC area but with much of it to be spent in the DC area!
Our ability to draw this investment into the greater DC area also helps demonstrate that Virginia’s recent focus on cybersecurity is aligned with the future we need to create. And we’re trying hard to do our part.
Our mission at Virgil Security is to #SecureTheFuture. For Virgil, that means ensuring that the future is cryptographically secure, but, for all of us, that means ensuring that the future is economically secure. To help further both goals, Virgil Security is working with the University of Virginia’s College at Wise to create a curriculum which will better enable Virginia graduates to find and fill the tens of thousands of unfilled cybersecurity jobs in Virginia, the hundreds of thousands in the United States, and the million plus around the world.
So, while funding news isn’t normally news, I think this particular bit of funding news represents something bigger. And in our view, it’s a story worth sharing.
– Michael W. Wellman
Roy Stephan, PierceMatrix CEO and Founder
What opportunity did you recognize that led to the founding of PierceMatrix?
Roy Stephan: The opportunity for small and medium businesses to understand security on a global level. Large companies and governments can throw thousands of security professionals at a problem, and most security tools are designed for those organizations. With PierceMatrix we provide a unique workflow that offers SMBs a more comprehensive view of their security, including helping them identify malicious actors on their network and remove them.
What specific value does addressing that problem provide for your customers?
Stephan: By understanding how global threats are affecting them, PierceMatrix users can lower their security risk and lower their liability. Any business that is not reviewing its log files is carrying excess liability because the firewall logs (and other security devices) are documenting suspected attacks. PierceMatrix helps companies reduce that liability by automatically reading logs and helping with prioritization and remediation.
Why aren’t current solutions addressing this problem effectively?
Stephan: Most of the products in security are focused on solving niche problems for large businesses. There are very few that recognize the importance of educating and assisting small and medium businesses. Gartner selected us as a Cool Vendor because of our unique approach to reducing data and helping small businesses focus their efforts. The industry standard is generating large volumes of new data for the user to sift through internally. This is just not an option for small and medium sized businesses that don’t have skilled resources available.
What makes your approach different and better from existing approaches?
Stephan: Our approach is to bring SMBs a cloud-based security model that bridges several capabilities including SIEM, TIP, Incident response and remediation. In particular, we provide an understanding of threats already present in your log files, as well as incident tracking and remediation through an automatable button.
What about your team’s background puts you in a unique position to succeed?
Stephan: The PierceMatrix team combines Artificial Intelligence and security expertise. These are two separate fields of study, but an essential combination to address today’s information security challenges. The CEO has 20 years of experience in building companies and divisions in the security world, and the CTO has 20 years of experience building artificial intelligence for the US military, FAA, and AT&T.
What are some of the milestones you have passed since graduating from Mach37?
Stephan: When we graduated M37 we had an early beta product. Now we have a functioning system with customers in the ISP, MSP, Finance, and Defense Industrial Base markets. We were recently selected as a Gartner Cool Vendor, as well as being selected as one of the top 6 emerging technologies for FinTech by the Partnership for New York City.
What one aspect of the Mach37 programs did you personally find most beneficial?
Stephan: Helping me run a business. I have built products, divisions, even companies as a technologist, but M37 taught me how to build out the non-tech aspects such as finance, HR, sales, legal, etc.
Learn more about PierceMatrix here.
When we launched Mach37 three years ago, we acknowledged at the time that we were essentially running an experiment. At our inception, we believed that an accelerator could effectively harness the rich cybersecurity talent pool in the DC-Maryland-Virginia region (DMV) to create an ecosystem capable of supporting large-scale commercially-focused cybersecurity product companies. There were plenty of skeptics, including many in the institutional venture community, who believed you can’t scale a cybersecurity product company in the DMV. At the time, I privately admitted that we had no idea if we would succeed, and anticipated it would take us at least five years to really know if we are any good at this.
Three years later, I am confident that I have burned through any goodwill I had with my friends in the community and that I am deeply indebted to just about every person I know in the industry. But, it seems like our modest experiment is working out way better than most people ever expected, including us. Our small $50,000 investment in each of our 35 companies has been leveraged over eight times on average by private seed investors. What started out as one or two person companies have grown into ten and twenty person companies. Currently, our portfolio employs over 100 full-time equivalent employees, and we expect that number to increase dramatically over the next year as they receive institutional venture funding.
To be certain, all of us here at Mach37 know that there is still a lot of work left to do to transform what has been a government-centric business ecosystem into a thriving commercially-focused cybersecurity business epicenter. However, now I believe that this transformation is inevitable.
As we pass through the three-year milestone, I wanted to share a few important lessons we have learned from the experience:
Lesson #1: Accelerators can effect major changes to business ecosystems. Part of Mach37’s mandate was to cultivate an ecosystem that could transform the cybersecurity intellectual capital native to the DMV into a conveyor belt of successful security product companies. The conventional wisdom in 2013 was that we didn’t have a critical mass of talented individuals in our region that understood how to build security product companies. However, it looks like our brute force approach is working.
We started by building a mentor network of security professionals one mentor at a time. (Thank you George Schu for leading the way as Mach37’s first mentor.) What began as a small group of believers evolved into an unmatched 240+ person network of security business experts – all committed to our mission to launch the next generation of security product companies.
From there, the momentum increased. Since 2013, over 80 security and software business experts volunteered to teach our entrepreneurs critical skills that will enable them to be successful. Over 70 seed investors have fueled our companies, allowing them to mature and finally begin capturing the attention of the institutional venture community. And, the vital leadership and financial support offered by our sponsors at Amazon Web Services and General Dynamics has been humbling and validates the demand for security innovation from some of the most successful companies in our region.
Perhaps the skeptics were right that the DMV doesn’t have as many talented security product business experts as other more established regions. But, what I have learned to value much more than the quantity of experts is that members of the security community in our region rarely say “No.”
Lesson #2: The DMV has an unmatched volume of technical security innovation that is driven by government-centric missions. However, security innovation also comes from diverse populations around the world. As most people recognize, there are more talented security technology professionals in the DMV than any place else on Earth. In general, the security ecosystems supported by the DoD, Department of Homeland Security, and the Intelligence Community are driving significant demand for security innovation. Mach37 has been able to effectively leverage this regional asset. Founders from Huntress, Atomicorp, Disrupt6, Fast Orientation, Tensor Wrench, Eunomic, Cyber Algorithms, Anatrope, vThreat, and Hilltop all have been operating at the leading edge of security within this ecosystem for many years.
However, we failed to anticipate the large volume of high-quality security entrepreneurs that would come to the DMV from many diverse ecosystems. To date, of our portfolio of 35 companies, over 40% came from outside the DMV. Notably, Mach37 has received applications from 24 different countries (and counting) and we expect to increase our volume of investments in entrepreneurs from outside of the United States in coming cohorts. Additionally, since inception, Mach37 has funded 17 of 35 companies (nearly 50%) with a founder that is either from an ethnically underrepresented group, from the LGBT community, a woman, or a service disabled veteran.
Lesson #3: You CAN raise seed capital in the DMV. To be honest, three years ago, we were concerned about the limited volume of seed capital available to product companies in our region. We just weren’t sure it would support the volume of innovative product companies we intended to launch. However, about 70% of our graduates consistently raise capital beyond our initial investment. To be sure, we have reached out to seed investors from other geographies and, thankfully, their appetite to fund security companies in the DMV exceeded our expectations.
Further, the often-publicized concerns around the impending “winter” in security investment appear to me to be overwrought, at least in the DMV. Maybe it’s because we have never been spoiled with an abundance of early-stage capital and “winter” doesn’t feel any different to us. Perhaps it’s because the uninitiated investors who are fleeing the sector were never investing in our region to begin with. Or, maybe it’s because investors who understand security continue to invest in the DMV, in spite of the emergence of “winter” in other regions. Whatever the reason, the rate at which Mach37 companies continue to receive funding is increasing and it still feels pretty warm to us.
Below is a guest post by Karthik Bhat, founder and CEO of SecureDB, a MACH37 portfolio company. SecureDB’s Encryption as a Service product makes implementing encryption into applications fast, easy, and inexpensive for businesses of all sizes – from startups to Fortune 500. Learn more about SecureDB at https://securedb.co/.
– Ledger West, Associate Partner, MACH37
Over the last few years, a wide variety of internal business functions – HR, Payroll, CRM, e-signature, Benefits Management, Health Insurance, Project Management, etc. – have moved to dedicated SaaS providers. With more and more enterprises handing over their sensitive data to SaaS providers, there is a tremendous need to protect this data in the cloud using encryption. Any responsible cloud provider should be encrypting this sensitive customer data and following proper key management practices.
However, the biggest challenge of cloud-encryption is: who owns the keys? Quite a number of companies will be okay with their SaaS provider owning and managing the encryption keys. Many will not.
The need of the hour is for cloud platforms and SaaS companies to allow their customers to bring their own encryption keys – Bring Your Own Keys (BYOK). This way, customers can rely on SaaS companies without any apprehensions about data leaks. BYOK ensures that a SaaS company’s access to customers’ business data is always controlled. Thus, cloud providers and SaaS companies can continue focusing on the core value that they provide to enterprises, without sweating much about the security of sensitive customer data.
Why Is BYOK Important?
The beauty of BYOK is that enterprises have full control over the life cycle of the keys (generation, usage, backup, rotation, etc.). The enterprise can also assign specific permissions on the encryption keys that limit what the cloud provider can do with them (for example, grant only ‘encrypt’ and ‘decrypt’ permissions, and not ‘key-rotate’ or ‘key-delete’). The enterprise can also review the key usage logs to ensure the keys are used in accordance with the agreement.
When the enterprise wants to cease using the SaaS provider, they could download their data and simply revoke the access to the key. The SaaS provider no longer will be able to view or process the data. No more worries about whether the SaaS provider has done the right and responsible thing and deleted your data.
Bring Trust into SaaS
At SecureDB, we anticipate this to be the next logical step to acceleration of SaaS adoption.
Bring-Your-Own-Keys (BYOK) for data encryption converts cloud and SaaS environments, which are inherently untrusted, into trusted environments.
Consider this: when your company is using a SaaS service, your company data is most likely sitting right next to some other company’s data – in the same table or in the same database. This means that if an attacker finds a way to compromise the SaaS provider’s database, your company data is compromised just like everyone else’s.
Enter BYOK. If the SaaS provider supports BYOK, your data is encrypted using the keys you own. Now, you are protected against a whole slew of attack vectors. You can revoke the keys at will. This is in the best interest of SaaS companies too. They can vastly reduce their exposure to risk.
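The three BYOK properties the post describes (the provider holds only ‘encrypt’/‘decrypt’ on a customer-owned key, every use is logged, and the customer can rotate or revoke at will while tenants share one table) can be shown end to end in a small model. The example below is added here and is not SecureDB’s or any real KMS’s code: `CustomerKeyService`, `SaasProvider`, the grant names and the two tenants are assumptions, and the cipher inside `_seal`/`_open` is a stand-in built from the standard library so the script runs anywhere, not a production AEAD.

```python
import hashlib
import hmac
import secrets


class KeyAccessDenied(Exception):
    """Raised when a principal lacks the permission or its grant was revoked."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Demonstration keystream (SHA-256 in counter mode), a stand-in for a real AEAD
    # such as AES-GCM so that the example runs on the standard library alone.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || body || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class CustomerKeyService:
    """Hypothetical key service run by the customer (its own KMS/HSM), not by the SaaS
    provider. It owns the key material, the grant table and the usage log."""
    def __init__(self):
        self._keys = {}      # key_id -> {version: key material}
        self._grants = {}    # (key_id, principal) -> set of permitted operations
        self.audit_log = []  # (principal, key_id, operation, "allow" | "deny")
    def create_key(self, key_id: str) -> None:
        self._keys[key_id] = {1: secrets.token_bytes(32)}
    def grant(self, key_id: str, principal: str, permissions: set) -> None:
        self._grants[(key_id, principal)] = set(permissions)
    def revoke(self, key_id: str, principal: str) -> None:
        # The customer's exit step: the provider keeps the ciphertext but loses the key.
        self._grants.pop((key_id, principal), None)
    def _authorize(self, key_id: str, principal: str, op: str) -> None:
        allowed = op in self._grants.get((key_id, principal), set())
        self.audit_log.append((principal, key_id, op, "allow" if allowed else "deny"))
        if not allowed:
            raise KeyAccessDenied(f"{principal} may not {op} key {key_id}")
    def encrypt(self, key_id: str, principal: str, plaintext: bytes) -> bytes:
        self._authorize(key_id, principal, "encrypt")
        version = max(self._keys[key_id])  # always seal under the newest version
        return version.to_bytes(2, "big") + _seal(self._keys[key_id][version], plaintext)
    def decrypt(self, key_id: str, principal: str, blob: bytes) -> bytes:
        self._authorize(key_id, principal, "decrypt")
        version = int.from_bytes(blob[:2], "big")
        return _open(self._keys[key_id][version], blob[2:])
    def rotate(self, key_id: str, principal: str) -> int:
        self._authorize(key_id, principal, "rotate")
        new_version = max(self._keys[key_id]) + 1
        self._keys[key_id][new_version] = secrets.token_bytes(32)  # old versions stay readable
        return new_version


class SaasProvider:
    """Multi-tenant provider: one shared table, each row sealed under its tenant's key."""
    PRINCIPAL = "saas-app"
    def __init__(self, kms: CustomerKeyService):
        self.kms, self.table = kms, []  # rows of (tenant, ciphertext) sit side by side
    def store(self, tenant: str, record: bytes) -> None:
        self.table.append((tenant, self.kms.encrypt(tenant, self.PRINCIPAL, record)))
    def read(self, tenant: str) -> list:
        return [self.kms.decrypt(tenant, self.PRINCIPAL, b) for t, b in self.table if t == tenant]


def _attempt(fn) -> str:
    try:
        fn()
        return "allowed"
    except KeyAccessDenied:
        return "denied"


def run_scenario() -> dict:
    """Walk the BYOK lifecycle for two constructed tenants and return the outcomes."""
    kms = CustomerKeyService()
    for tenant in ("acme", "globex"):
        kms.create_key(tenant)  # key_id doubles as the tenant name here
        kms.grant(tenant, SaasProvider.PRINCIPAL, {"encrypt", "decrypt"})  # no rotate/delete
        kms.grant(tenant, f"{tenant}-admin", {"encrypt", "decrypt", "rotate", "delete"})
    app = SaasProvider(kms)
    app.store("acme", b"acme payroll: 42 employees")  # constructed sample rows
    app.store("globex", b"globex payroll: 7 employees")
    results = {"acme_reads": app.read("acme")}
    results["provider_rotate"] = _attempt(lambda: kms.rotate("acme", SaasProvider.PRINCIPAL))
    results["new_version"] = kms.rotate("acme", "acme-admin")  # customer rotates at will
    app.store("acme", b"acme payroll: 43 employees")
    results["acme_reads_after_rotate"] = app.read("acme")
    kms.revoke("acme", SaasProvider.PRINCIPAL)  # acme leaves: ciphertext stays, key goes
    results["read_after_revoke"] = _attempt(lambda: app.read("acme"))
    results["globex_unaffected"] = app.read("globex")
    results["denials_logged"] = [e for e in kms.audit_log if e[3] == "deny"]
    return results
```

Running `run_scenario()` shows the provider’s rotate attempt and its post-revocation read both denied and both present in the customer’s usage log, while the other tenant’s rows in the same table are untouched; swapping `_seal`/`_open` for a real AEAD and `CustomerKeyService` for an actual KMS leaves the grant and revocation logic unchanged.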
Write this into contract
Before a company hands over its data to a SaaS company, it is in the company’s best interest to ensure the SaaS company is encrypting the data. Call out the specific fields that must be encrypted and provide the SaaS company with a BYOK key.
We agree, this is still a few years out. But we need to start somewhere. Please share your thoughts in the comment box below.
When I speak with investors about the information security market and the advantages of partnering with a vertically focused accelerator, they typically ask me to characterize our ideal opportunity for investment. My canned response is almost always that we look for teams whose founders embody two targeted sets of skills: 1) deep technical and analytical security domain expertise; and 2) strong entrepreneurial and communication skills.
However, as an accelerator that invests at the very beginning of a start-up’s lifecycle, we often find entrepreneurs before they have had the opportunity to build out their teams. That one founder frequently embodies only the first of the two target characteristics.
Honestly, that’s just fine with us.
The truth is that we are overwhelmingly biased toward investing in those entrepreneurs who have the technical and analytical depth and operational experience required to understand the most challenging security problems we face today. We believe that depth and experience can be found more abundantly in the security researcher, or hacker, community, than anywhere else on the planet.
If you believe security industry analyst Keren Elazari as we do, hackers are the immune system for the information age. The hacker community is driven by the desire to understand how things work and, importantly, how to break them and make them better. The innovators in this community spend years developing a depth of understanding that is required to birth the next generation of disruptive information security products.
My observation is that our focus may be slightly contrarian, as early-stage investors often overlook the hacker community as an attractive source for investment opportunities. (I’ll concede that there are several exceptions to this observation, but since Bruce Schneier and Dan Kaminsky had already achieved rock star status, I view them as outliers.) If I were to contrast hackers with the legions of entrepreneurs filling the ranks of accelerators worldwide, I do think they are different.
As one would expect, hackers are focused on those activities that leverage the first set of target skills mentioned above. Hackers solve difficult technical challenges that underlie vexing security problems. They are driven by a desire to see their hard work make a significant impact, versus being satisfied by a quick financial flip of their intellectual property. They invest their time inventing things, versus polishing a presentation to convince you why you need to buy the thing they invented.
We think most angels and institutional VCs are perilously biased toward the second set of target skills and often lack the patience and technical depth required to ferret out the most compelling security innovations. Said differently, for most early-stage investors, a flashy PowerPoint presentation from a recently minted MBA with strong communication skills carries more weight than a technologist with a decade of technical experience in the security domain.
However, the dirty little secret in start-updom is that while it can take years of technical and analytical experience to inspire truly disruptive security innovation, technical founders can buy, borrow, partner with or be taught the second set of target skills within a few months. Our strategy at Mach37 is to identify the best technical founders and reinforce their deep technical expertise with the curriculum, co-founders, mentors, advisors, and capital they need to be successful.
Next week, Black Hat and DEF CON will mark the largest annual gathering of the U.S. hacker community and will showcase the work of several of the community’s brightest. Within this gathering, Mach37 will likely identify several founders for future cohorts. Perhaps ironically, most early-stage investors will not be there.
Honestly, that’s just fine with us.