A Simple Case for more Maryland and Mid-Atlantic cyber product companies
Earlier this year I was asked to serve on the steering committee of Governor Larry Hogan’s Excel Maryland Initiative. The initiative focuses on the development of a unique partnership of the private sector, public sector, and academia to craft a plan to support economic growth through the advanced industries, such as cyber security and life sciences, in Maryland. Having worked at the NSA and a number of cyber services and product companies, including Tenable Network Security and having made the switch to being a cyber-security start-up investor, I had a lot to say on this subject.
My view on this is very simple — given the choice between enabling the next ten “Tenables” and trying to expand the cyber workforce, we should put our efforts into new “Tenables”, i.e, new start-ups. Maryland already has a top-flight cyber workforce. Why do we not seem to get the biggest economic development bang-for-the-buck out of it?
Here is my reasoning:
First, I’m a huge fan of cyber-workforce development, but most of those openings are outside of this state and won’t be a net positive impact on the state economy.
With Cyber Command, the NSA and many other organizations here in Maryland, we have a DNA in the population of experienced cyber professionals. These professionals get pulled into the more than 3.5 million jobs in cyber that are often outside of this state.
I’ve heard it argued that companies will move to this region because of our cyber talent and this may be the case with some companies, but to date, we’ve not had a major company like an Amazon choose this region because of our local cyber population. In fact, we’ve had recruiters set up shop in places like Columbia, Maryland with the intent on recruiting talent out of Cyber Command to send to NY city and other places where the need for cyber talent was high.
Also, the number of cyber jobs at the NSA, DOD and civilian government is also more or less fixed. It does increase from year to year and is a significant portion of the Maryland economy, but producing another 100,000 trained cyber professionals won’t cause the government to open up an additional 100,000 positions at NSA.
Second, cyber product start-ups hire employees from the entire population and not just the “cyber” experts.
If you have a cyber consulting organization of a few 100, most of these consultants are actual experts. If you compare this to a typical cyber-security startup, you can employee a much larger cross section of the local population.
For example, everyone at Tenable wasn’t necessarily a cyber warrior who protected us from hackers and malware for a living. Instead they were highly professional customer support, sales, field marketing, legal, human resources, accounting, facilities management and IT and other types of jobs.
Third, cyber product companies can get along much better with each other than services companies can.
I’ve participated in many economic development round tables and it is very apparent that the last thing a company like Lockheed Martin wants to see is another integrator moving into the region. This is because there are a fixed number of government cyber security audits, staff augmentation, operations center and other jobs across the government. There are examples of services companies partnering on contracts in this region, but the competitiveness of service contracts is extremely high.
With cyber product companies, this is not the case. There is plenty of room in the industry for specialization as new information technologies emerge and for innovation. There may be some feature overlap in cyber companies, but unlike services companies which compete for every IT services contract, firewall, compliance, malware and authentication companies don’t automatically compete by default.
Cyber product partnerships can also extend much further than service partnerships. If you visit RSA, you will see close to 1000 vendors all claiming interoperability with you. However, if you visit an average security IT shop, very little is actually connected. Partnerships through integrations can make a customer’s life much easier. For example, Tenable partnered with Thycotic(both based in this region) through an integration that allowed for complete audits without having to share administration privileges with auditors.
Fourth, cyber product start-ups are more efficient at creating economic impact.
Cyber services companies generally grow through the addition of new employees. Their revenues can roughly be calculated as a function of the total number of employees in the company. And the maximum amount of work or revenue a services company can get is a function of the number of its employees.
With software and software as a service (SaaS), once a product is built it can be sold many times. There is no limit on how many times a piece of software can be downloaded. Support, sales, marketing, running the software as a service is typically a very small percentage of the overall price. This makes software companies usually profitable. Profitable companies attract the best talent, investors and often have a path to public IPO.
Cyber product companies attract venture capital investment, often at multiple of revenue in the 4x to 10x range. That means a cyber product company which was growing and had revenue could sell part of its stock to a venture capital firm and raise money to further invest in the company, incentivize employees and acquire other technologies. Typically, cyber services companies DO NOT attract the attention of investors. When venture capital invests in a company in a region, other venture capital will follow and look within that region.
Cyber product companies also tend to share stock through options with the new hires since they are taking a risk and they want to incentivize them to stay and work hard at the company. For the most part, cyber services companies do not offer stock and when they do, it’s not the same sort of stake as a product company.
Cyber product companies tend to create a cast of former executives and company founders who start new cyber companies, become seed investors in new cyber companies. This is an area where we are very weak in Maryland and the Mid-Atlantic and could do a lot better. “Doing Better” means we need more product companies. More product companies will create more successful opportunities for entrepreneurs. Some will start new companies, some will work for venture capital, some will start their own fund like GTA.
Fifth, and most importantly, there are plenty of cyber technology companies hidden across the state.
When I work with cyber services companies doing mission for customers both in civilian and government circles, I always see highly innovative cyber technologies. These technologies are often competitive with market capabilities, but lacking in customer support, product marketing polish or consistency from customer to customer because of the use of service for further development and customization.
Getting a services organization to switch and think like a product company is really difficult because the business model is contract driver and based on staff. For example, a legal team that is accustomed to maintain service level agreements on a contract may not have the experience needed to manage intellectual property of technologies or produce a basic end user license agreement for the product.
Having said that, there have been some cyber product technologies spun out in this region, including:
- KEYW funding Hexis, bringing top market and selling it to WatchGuard.
- Northrup Grumman spinning out BluVector, an advanced network security monitoring solution, through the use of private equity firm LLR.
- MasterPeace Solutions, a provider of technology solutions to the intelligence community, created an in-house incubator called LaunchPad specifically to launch product companies from a services business.
- Intelligent Automation Inc., a technology innovation company focusing on federal government customers, spun out CryptoniteNXT which is the leader in software defined segmentation.
- TechGuard, supports many government customers in this region and spun out Bandura Systems, which is a threat intelligence gateway and has an office in the Howard County MCE.
I featured Maryland in the title of this article since I am indeed a Maryland resident and part of the Excel initiative. Having said that, everything I say here applies to Virginia and the District of Columbia.
This region is indeed a leader in cyber “know how” but has very few cyber security product companies that have made it to brand name level. Where are the next “ten Tenables”?
The amount of cyber talent we have in this region is far beyond other areas in the US. Consider some following statistics:
- According to IPEDS data, the capital region grows THREE TIMES as more associate, bachelor and advanced information security analysts degrees that Silicon Valley. In fact you added up information security degrees produced in Silicon Valley, New York and Boston, it would still be less than what this region produces. Below is a graph comparing different levels of information security graduates across four regions different US regions. (For a copy of the report, please contact the Greater Washington Partnership).
- Silicon Valley gets a lot of credit for being the leader in producing cyber companies, but this region isn’t that far behind. There are about 100 cyber security product companies there and about 50 in this region. That leaves 800 cyber services companies in this region — each sitting on years of cyber technology “know how” that could be translated into the next Tenable or Sourcefire.
So what can you do?
- If you are an executive at a cyber services company, in particular, one that develops software for the government, you should consider productizing your technology and bringing it to the commercial markets. It is much easier to keep your best consultants and cyber know-how at your customers than it is to take a chance and let them build something that supports many more people at the same time.
- If you do a cyber product, separate out the technology into a new entity. Cyber product companies are valued much higher than services companies. A company that had partial services revenue and partial product revenue is difficult to value by a potential investor and ultimately an entity wanting to acquire your company. One of the best examples of this in our region is Contrast Security, a maker of web security solutions, which was spun out of Aspect Security, a web application consulting company.
- If you are working as a developer, consultant or analyst in cyber security and have a desire to see your efforts and know-how productized and available to the entire Internet versus one customer at a time, but don’t know how to start a company you should research MAVA, DataTribe, BetaMore, Mach37, TEDCO (who has co-invested with Gula Tech Adventures in several cyber companies) or the dozens of other incubators and accelerators in this region.
- Chances are, your local county has a variety of resources for you. For example, here in Howard County, they have the MCE run by the county’s economic development program, builders such as COPT are setting aside space for start-ups like CIRQL and entrepreneurial programs like Start-Up Grind have a chapter here as well.
Note — I’d like to thank Drew Cohen (Masterpeace CEO), George Davis (TEDCO CEO), Justin Label (Inner Loop Capital) and Mike Janke (DataTribe CEO) for providing input and comments in this article.