investment

A Tale of Four Cities (with apologies to Dickens)

It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…” Charles Dickens, A Tale of Two CitiesSince the beginning of 2016, it seems like the worst of times. We have seen a correction in the stock market as the Chinese economic bubble has popped, taking the global oil markets with it, and bringing back the all-too-recent memories of the Internet bubble of 2000 and the financial bubble of 2008 (watch out, 2024!). The misery has spread to the Tech sector. The unicorn, unofficial mascot of Silicon Valley, which had gone from being a rare beast in 2014 to a veritable population explosion in 2015, is once again on the verge of extinction.Yet the economic talking heads tell us this is normal, that the U.S. economy is doing well and is reasonably insulated from both the Chinese economy and the negative oil shock. That corrections are a necessary part of the market, to restore balance after a period of irrational exuberance. So, what the heck is going on with Tech?In 2015 I was Principal Investigator for a DHS-funded program called EMERGE, working to leverage commercial business accelerators to help commercially-focused innovative companies bring some of their technology to address needs of the DHS community. As part of this program we were fortunate to get an inside view of four different business accelerator programs in four different cities:

Slide2

Slide4

Slide1

Slide3

ST Apts

Here is what I learned. First, tech innovation does not occur in isolation; it is the result of effective regional innovation ecosystems that include customers, entrepreneurs, funding sources, a high concentration of expertise and ideas, and enough of a support infrastructure to help the entrepreneurs through the early pitfalls. Each of the four accelerator programs above has done an outstanding job of helping build and then leverage their local ecosystem as an integral part of what makes each region grow.Second, Silicon Valley is not identical to the Tech sector. Although news coverage often glosses over this fact, innovation occurs in many places across the country. I will argue below that while Silicon Valley is indeed unique in many ways, generalizations based on that unique set of circumstances can often be wrong. In the current situation, the doom and gloom based on over-priced investments there is less relevant in other parts of the country.And so, the four cities.Dallas – Texas has several innovation centers including both Dallas and Austin. There is a diverse industry base, with concentrations in energy, health care/life sciences and tech, significant university presence, and a good concentration of wealth. Tech Wildcatters has successfully provided leadership to the region’s startup community with special programs in both health care and tech, and most recently going to a year-round program from the more typical discrete sessions. Dallas is a vibrant startup location, although it is unclear what effect the collapse of oil prices may have on access to capital in the region.Chicago – political issues aside, Chicago has the benefit of a high concentration of Fortune 500 Corporate Headquarters, a robust investment sector and strong University presence. TechNexus has done a masterful job first in priming the innovation ecosystem development 7 or 8 years ago, and now tapping into the innovation needs of Corporate strategic partners who are looking to early stage companies as a source of new products and ideas. If the city can recover from its social strife it is certainly positioned to continue as a significant center of tech innovation.San Francisco – San Francisco/Silicon Valley is the undisputed investment capital of the world for tech. According to Pitchbook in the third quarter of 2015 more than 27% of all the venture capital invested globally came out of Silicon Valley. China has risen rapidly as both a source and target of VC investment, although the collapse of the economy in China seems certain to be a major setback in this area, as the graph seems to indicate starting in Q4 of 2015. New York ranks third on this list, providing just north of 8% of the globally invested capital.Yet with all that money floating around it appears that some Silicon Valley investors may have had more dollars than sense. If you look at the number of deals and the dollar amounts as compiled by Pitchbook, the dollars invested continued to rise in 2015 even while the number of deals plummeted, leading to a rapid rise in median valuations.By comparison, valuations in New York during this same time were only 10% of the San Francisco valuations, an enormous disparity. There are some possible alternative explanations for this disparity (bigger opportunities, move towards later stage investments, etc), but both the anecdotal evidence at the time (“too much money chasing too few deals” was a sentiment we heard more than once) and the subsequent down rounds of investment even for some of the high flyers indicates over-valuation on the part of investors was at least one primary cause of the disparity.A second point. Why on earth would you want to locate and operate a company in the outrageously expensive environs of San Francisco where none of your employees can afford to live? Or Palo Alto, where Palantir is driving out start-ups by snapping up office space at high rents. Well there are certainly some reasons: if you want to hang with the cool kids, California is the place you ought to be. If you need to raise a billion dollars or so, where else would you go? And certainly if you want frothy valuations during the good times, the target destination is clear.A recent Harvard Business School study (http://www.hbs.edu/faculty/Publication%20Files/09-143.pdf) hinted at one possible evolution of this trend. According to the study:“Venture capital firms based in locales that are venture capital centers outperform… [as a result of] outsized performance outside of the …firms’ office locations…”That is, if you are a VC you want to be in one of the centers of VC activity because there is a strong ecosystem of investors…but, the big returns are to be found by investing in other places. Certainly Silicon Valley is not going away as the primary center of activity. Increasingly however, those investors seem to be syndicating with other groups in places such as Dallas, Chicago or…Washington DC – The region centered around Washington DC is generally considered to include Maryland, Virginia (or at least Northern Virginia), and DC itself. The Federal Government is a large presence, along with some of the specialty areas such as cybersecurity and data analytics it has helped develop. Health care/life sciences is also a major player in the area, and there are multiple world-class universities that support the ecosystem. The region generally ranks in the Top 10 innovation areas of the country, and the area’s capital investments are growing, actually increasing in the 4th quarter of 2015 even while investments were declining nationally. One reason for this increase is the growth in cybersecurity, with the potential for more than a billion dollars in cybersecurity investments in the region in 2016. The two biggest areas were health care/bio and software (including cyber), and there is an organized, active ecosystem working to promote the growth of these and other industry sectors.Conclusions – Clearly the stock market is in correction territory, driven initially by economic issues in China and the energy sector. While the tech sector also appears under pressure, the fundamentals here are very different. In the short term, what appears to be a broad retrenchment in the sector is actually mostly a correction of inflated valuations on the West Coast that are not indicative of the sector as a whole. As Rick Gordon, Managing Partner of the MACH37 Cybersecurity Accelerator puts it: “while Silicon Valley has been out on the great unicorn hunt, we have been building an army of cockroaches…small, fast, nimble, designed to survive a nuclear winter, and available at a reasonable price.”The age of easy money from building the next mobile app may be behind us, but the advent of autonomous vehicles, personalized medicine, data-driven everything and more will ensure that the tech sector will continue to drive the next wave of innovation and economic growth for decades to come. But it is increasingly likely that the actual innovations will be found in places like Dallas, Chicago and the Washington region even if the investment capital still flows from New York and Silicon Valley.

Security Spaces Worth Watching

People sometimes ask about the process by which we select companies for participation in our accelerator program. One of the challenges with investing in the information security market (or any early-stage technology space) is that of identifying companies with a product that is both different and useful.While "different" is an important criterion, it is necessary but not sufficient for a product to be successful in the market. For a product to be “useful,” it must address a real-world problem in an accessible way.Thinking about what might be useful naturally leads us to ponder where the real, unsolved problems lie. In this article I'll describe some areas in which I see opportunities for people who want to solve important security problems in a new and different way. This list is by no means exhaustive, but it includes approaches where we see underserved markets, new ways to deal with old problems, or significant chances to make a dent in the continuing onslaught of security threats that people experience every day.Encapsulated ExpertiseThis isn’t a technology approach so much as a useful measure of whether a company’s product is likely to matter in the market. As I described in a previous article, if one looks at the history of the information security market, many of the most significant developments have been products that somehow embodied the experience of skilled people who may be expensive, difficult to find or hire, or simply rare enough that it is impossible to find enough of them to fully staff a security function. It is probably fair to say that the same value applies in the network operations markets as well. As we saw with the network intrusion detection system (IDS) market, a product that can identify important events and route them to the most appropriate people may allow an enterprise to make more efficient use of the people who are already there.The hard part of building good products that embody or automate expertise is that there are natural pressures that tend to make the product complicated for the user. The most successful products not only solve complex security problems with automation, but also provide improvements in product usability and organization workflow.A definition of a “home run” might be a security product that also simultaneously improves the user experience or user interface of something that people do every day. Those are rare, but when it happens, the opportunity is worthy of note. By some measures, Single Sign-On technology might be one example of improving the end-user experience while also enhancing security. It’s not always easy to deploy, but if done well, many people save time and administrators have a better handle on identity management.The Internet of ThingsA problem in the security business (and perhaps any technology sector) is that people toss terms about without actually agreeing upon what they mean. Perhaps the best example of this is "The Internet of Things."  Because anything can be a "thing" it's difficult to even know where this category begins and ends.If you have been wondering which things are capital-T "Things," here is a list of some examples that might fit the description:

  • Network-connected home appliances like the Nest Thermostat
  • Network-connected sensor devices such as electric power meters
  • "Smart cars" and "smart highways"
  • Industrial control systems
  • Remotely piloted vehicles
  • Any device that can be attached to a wired or wireless network that isn't a computer or workstation at which you can sit.

This category creates security challenges because:1) These things can provide a point of entry for attackers to the rest of your network2) Some of these things have the ability to affect the physical world in real ways3) These things may be transmitting information about you or your environment with significant implications for your privacy.Sometimes, existing tools may be helpful for improving the security of connected devices, but there are constraints that may not be present with a regular computer. Connected devices may have minimal processing power, limited communications bandwidth, and in some cases, very limited power budgets due to battery size limitations. This necessitates new ways of approaching security management and monitoring.Software Defined NetworksAnother area that is showing up more and more in the enterprise IT conversation is software defined networking or "SDN." This is another space that means different things to different people (and vendors), but the general idea is that the flexibility of networking equipment hasn't improved as quickly as the flexibility of computing systems has. For example, the use of virtualization has made it very easy to move an entire server's configuration and data from one computer to another very quickly and much more easily than the traditional process of installing everything on a new machine, verifying that the new system does the same thing as the old one, and then moving the data.Similarly, software defined networking offers the promise of simpler and more flexible network routers and/or switches where even low-level configuration changes to hardware behavior can be stored in profiles and pushed out from a central management point. This technology potentially even allows for radical reconfiguration of the network "fabric" while systems are in operation without significantly impacting throughput on the network.Obviously, this flexibility is powerful for enterprise network managers in terms of enabling new ways of adapting to enterprise needs very rapidly. This flexibility may come at a security cost, however. The standards and technology approaches in this area are still somewhat young, and some of the emerging standards don't address security in much depth yet.Some things to consider about SDN include:1) The implications of centrally storing the configuration of your entire network on a system that can transmit changes that take effect rapidly;2) How to prevent unauthorized access to the management/change function on individual routers or switches3) Emergent network effects after making a change - do side effects "ripple" through the network afterward? How long do they take to dissipate?Zero-Trust Security ModelsRecently, a number of organizations have been advancing an approach to security that is a departure from traditions and practices that current information security practitioners hold dear.The "zero trust" or "untrusted everything" approach is driven by the need to acknowledge that threats and attacks have changed more quickly than our defenses have. Current environments often have pre-defined trust relationships between various  computer systems. The problem is that an attacker can compromise one system and use it as a springboard or stepping stone to other systems that are configured to trust the first.These approaches often explicitly reject the idea that there is an "inside network” of trusted resources and an "outside network" full of bad actors waiting to attack things.In the past, enterprises would often deploy some perimeter security technology at the border between the “inside” and the “outside”, while frequently neglecting security improvements to systems on the “inside.” Security people have long referred to the resulting condition as having a “hard shell with a soft, chewy center.”Today, not only is there ambiguity about exactly where “inside” ends and “outside” begins but also an increasing mix of mobile devices that may connect to internal networks while also sometimes traveling to hostile or insecure networks. Using your mobile handset in a favourite coffee shop and then in the office might be an example of that scenario. Sometimes these devices may even be personally owned, which may make it difficult to choose a satisfactory protection regime that allows users to get their work done on tools with which they’re the most comfortable.In order to even begin to address this ambiguous environment, it is necessary to make some decisions. One decision that can guide the beginning of a workable strategy is to declare that bring-your-own-device environments, and networks running personal applications should be considered untrusted.Some organizations choose to turn a blind eye to the prevalence of personally owned devices and personal applications while tacitly acknowledging that there is a productivity benefit to allowing their use. Reality requires that an organization develop a strategy to mitigate risk sufficiently in a world that isn’t black-and-white.