Industrial Cyber Espionage

According to published news reports this morning covering a press conference by Attorney General Eric Holder, “The United States has for the first time filed criminal charges against foreign government officials in connection to cyberspying allegations.” The grand jury indictment charges five men with “conspiring to commit computer fraud and accessing a computer without authorization for the purpose of commercial advantage,” according to the New York Times. In the press conference, the Assistant Attorney General provided specifics related to the case: examples of companies affected and the types of information stolen from them.

Officials mentioned the Mandiant Report, last year’s watershed public exposure of this type of activity. In that report, Mandiant describes the theft of hundreds of terabytes of data from more than one hundred companies in twenty major industries since 2006. On average, a target company was attacked and then remained exposed for a year or more while information such as technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists was targeted. Many of the targets turn out to be major companies such as Westinghouse, US Steel and Alcoa.

But this is just the tip of the iceberg. In the U.S., much of the innovation and many of the jobs come from small or startup companies who don’t grab the headlines and who may not know that they are targets. In the manufacturing sector, for example, data from the NIST Manufacturing Extension Partnership (MEP) indicate that something like 80% of current U.S. manufacturing jobs are with companies of fewer than 50 people. Most of these companies spend a large majority of their time simply trying to grow the business and stay ahead of the competition through innovation, and may not have either the expertise or resources to adequately protect their intellectual property from cyber attack.
These companies are perhaps the most underserved segment of the industrial base with current large enterprise cybersecurity solutions, and the largely invisible damage inflicted here represents a particularly corrosive threat to legitimate areas of competitive advantage for the country.

Indeed, we know they are a target. According to the NetDiligence 2013 report Cyber Liability & Data Breach Insurance Claims, 63% of US Secret Service forensics investigations are at companies of fewer than 100 employees, and 45% of insurance claims paid are to companies in the small-cap (less than $2B revenue) or nano-cap (less than $50M revenue) categories, split about evenly. According to Rep. Frank Wolf (R-VA), chairman of the House Appropriations subcommittee that funds NASA and many of the nation's science programs, "I have seen up close how certain countries...have targeted federal agencies, contractors and law firms to steal billions of dollars of cutting-edge technology that diminishes our national security and undermines job creation."

There may be some hope, however: creating sector-focused markets of small and mid-tier companies for a new generation of emerging cybersecurity solutions such as those at Mach37. We are in active discussions with manufacturing organizations and other industry alliances, regional threat-sharing groups, and similar partnerships that can bring appropriately scaled technologies to groups facing a common set of threats. We are also fostering a set of potentially disruptive technologies that can help fill this dire need.
To name a few:

- Pierce Global Threat Intelligence provides a new mechanism for real-time sharing of threats
- Identia provides one approach to securing supply chains by simplifying identity management across organizations
- MSB Cybersecurity provides support for cybersecurity standards compliance along with actionable recommendations
- Axon Ghost Sentinel detects unusual behaviors in distributed device environments
- Disrupt6 is on the leading edge of new security paradigms for the emerging world of the production internet (IPv6)

To be sure, nobody has the silver bullet to “fix cybersecurity”. But active promotion of the next generation of cybersecurity solutions and companies, and accelerated connection of those solutions with the groups that need them most, can go a long way to effectively dealing with the high-stakes world of cybersecurity in which we live.

CTO SmackChat: The Dreaded “Pivot”

Your startup is a success! Family and friends have seen you through to the point where an angel investor got excited, and your first alpha customer really likes where you are heading. The beta tests are under way and the feedback is coming in.

One customer says he would be interested in buying if your product could provide two additional capabilities not in the beta version. Another indicates her problem is not exactly the one you are addressing, but she sees how it could apply by changing the domain slightly and taking some additional inputs into account. Some feedback says it seems similar to what they are already using. There is a request to show the output on a map background. And your marketing guru says that several customers are really struggling to solve a problem that one component of your solution could make dramatically easier. Should you pivot, or stay the course? Add features or simplify? Expand to related problem areas? What feedback do you rely on to make those decisions?

A couple of things are clear. As a startup, your resources are stretched way too thin simply trying to address one market. Expanding to a second problem area before succeeding in the first one makes it much more likely that neither will succeed. The second notion is integrity of a core product offering. If every customer has a different set of implemented features, your business is really a service business built around customizing features rather than a product business.

But the harder trap for most entrepreneurial technologists is falling in love with your own ideas. After all, you thought it up, and your whole career has been built on confidence in your technical ideas. You probably know better than the customer what is really possible from a technical standpoint, and what the hard problems are that you know how to solve. In the end though, the right answer is always what customers will pay for. And in our example above I would be inclined to listen to the marketing guru, who seems to be close to some potentially paying customers: perhaps it is time to change the product idea, get rid of a bunch of the features that are not helping differentiate it, and focus on the one core bit that could help several customers solve a critical problem.

There is no science behind when to pivot and when to stay the course. An important indicator is slow or flat sales (or interest) combined with some customer pull along a different development vector than the one you are following. As the divergence grows, that market signal gets stronger that the pivot is upon you, but in the end you need to make a judgment call and work with your own company leadership to ensure it is the right one.

Security Spaces Worth Watching

People sometimes ask about the process by which we select companies for participation in our accelerator program. One of the challenges with investing in the information security market (or any early-stage technology space) is that of identifying companies with a product that is both different and useful.

While "different" is an important criterion, it is necessary but not sufficient for a product to be successful in the market. For a product to be “useful,” it must address a real-world problem in an accessible way.

Thinking about what might be useful naturally leads us to ponder where the real, unsolved problems lie. In this article I'll describe some areas in which I see opportunities for people who want to solve important security problems in a new and different way. This list is by no means exhaustive, but it includes approaches where we see underserved markets, new ways to deal with old problems, or significant chances to make a dent in the continuing onslaught of security threats that people experience every day.

Encapsulated Expertise

This isn’t a technology approach so much as a useful measure of whether a company’s product is likely to matter in the market. As I described in a previous article, if one looks at the history of the information security market, many of the most significant developments have been products that somehow embodied the experience of skilled people who may be expensive, difficult to find or hire, or simply rare enough that it is impossible to find enough of them to fully staff a security function. It is probably fair to say that the same value applies in the network operations markets as well. As we saw with the network intrusion detection system (IDS) market, a product that can identify important events and route them to the most appropriate people may allow an enterprise to make more efficient use of the people who are already there.

The hard part of building good products that embody or automate expertise is that there are natural pressures that tend to make the product complicated for the user. The most successful products not only solve complex security problems with automation, but also provide improvements in product usability and organization workflow.

A definition of a “home run” might be a security product that also simultaneously improves the user experience or user interface of something that people do every day. Those are rare, but when it happens, the opportunity is worthy of note. By some measures, Single Sign-On technology might be one example of improving the end-user experience while also enhancing security. It’s not always easy to deploy, but if done well, many people save time and administrators have a better handle on identity management.

The Internet of Things

A problem in the security business (and perhaps any technology sector) is that people toss terms about without actually agreeing upon what they mean. Perhaps the best example of this is "The Internet of Things." Because anything can be a "thing," it's difficult to even know where this category begins and ends.

If you have been wondering which things are capital-T "Things," here is a list of some examples that might fit the description:

  • Network-connected home appliances like the Nest Thermostat
  • Network-connected sensor devices such as electric power meters
  • "Smart cars" and "smart highways"
  • Industrial control systems
  • Remotely piloted vehicles
  • Any device that can be attached to a wired or wireless network that isn't a computer or workstation at which you can sit.

This category creates security challenges because:

1) These things can provide a point of entry for attackers to the rest of your network
2) Some of these things have the ability to affect the physical world in real ways
3) These things may be transmitting information about you or your environment, with significant implications for your privacy.

Sometimes, existing tools may be helpful for improving the security of connected devices, but there are constraints that may not be present with a regular computer. Connected devices may have minimal processing power, limited communications bandwidth, and in some cases, very limited power budgets due to battery size limitations. This necessitates new ways of approaching security management and monitoring.

Software Defined Networks

Another area that is showing up more and more in the enterprise IT conversation is software defined networking or "SDN." This is another space that means different things to different people (and vendors), but the general idea is that the flexibility of networking equipment hasn't improved as quickly as the flexibility of computing systems has. For example, the use of virtualization has made it very easy to move an entire server's configuration and data from one computer to another very quickly and much more easily than the traditional process of installing everything on a new machine, verifying that the new system does the same thing as the old one, and then moving the data.

Similarly, software defined networking offers the promise of simpler and more flexible network routers and/or switches where even low-level configuration changes to hardware behavior can be stored in profiles and pushed out from a central management point. This technology potentially even allows for radical reconfiguration of the network "fabric" while systems are in operation without significantly impacting throughput on the network.

Obviously, this flexibility is powerful for enterprise network managers in terms of enabling new ways of adapting to enterprise needs very rapidly. This flexibility may come at a security cost, however. The standards and technology approaches in this area are still somewhat young, and some of the emerging standards don't address security in much depth yet.

Some things to consider about SDN include:

1) The implications of centrally storing the configuration of your entire network on a system that can transmit changes that take effect rapidly;
2) How to prevent unauthorized access to the management/change function on individual routers or switches;
3) Emergent network effects after making a change - do side effects "ripple" through the network afterward? How long do they take to dissipate?

Zero-Trust Security Models

Recently, a number of organizations have been advancing an approach to security that is a departure from traditions and practices that current information security practitioners hold dear.

The "zero trust" or "untrusted everything" approach is driven by the need to acknowledge that threats and attacks have changed more quickly than our defenses have. Current environments often have pre-defined trust relationships between various computer systems. The problem is that an attacker can compromise one system and use it as a springboard or stepping stone to other systems that are configured to trust the first.

These approaches often explicitly reject the idea that there is an "inside network” of trusted resources and an "outside network" full of bad actors waiting to attack things.

In the past, enterprises would often deploy some perimeter security technology at the border between the “inside” and the “outside,” while frequently neglecting security improvements to systems on the “inside.” Security people have long referred to the resulting condition as having a “hard shell with a soft, chewy center.”

Today, not only is there ambiguity about exactly where “inside” ends and “outside” begins, but also an increasing mix of mobile devices that may connect to internal networks while also sometimes traveling to hostile or insecure networks. Using your mobile handset in a favourite coffee shop and then in the office might be an example of that scenario. Sometimes these devices may even be personally owned, which may make it difficult to choose a satisfactory protection regime that allows users to get their work done on tools with which they’re the most comfortable.

In order to even begin to address this ambiguous environment, it is necessary to make some decisions. One decision that can guide the beginning of a workable strategy is to declare that bring-your-own-device environments and networks running personal applications should be considered untrusted.

Some organizations choose to turn a blind eye to the prevalence of personally owned devices and personal applications while tacitly acknowledging that there is a productivity benefit to allowing their use. Reality requires that an organization develop a strategy to mitigate risk sufficiently in a world that isn’t black-and-white.
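To make the springboard problem concrete, here is an added example (not from the article) that models a constructed six-host environment two ways: a perimeter model in which every "inside" host implicitly trusts every other, and a zero-trust model in which only explicitly authorized flows exist. It computes how far an attacker who holds one compromised host can move by following trust relationships, and lists the implicit trust edges that no business flow justifies; the host names and flows are invented for illustration.

```python
from collections import deque

# Constructed sample environment (not from the article): a handful of servers
# plus a laptop that also roams to coffee-shop networks.
HOSTS = ["laptop", "web", "app", "db", "hr-files", "build"]

# The (client, server) flows the business actually needs.  Constructed values.
REQUIRED_FLOWS = {
    ("laptop", "web"),
    ("web", "app"),
    ("app", "db"),
    ("laptop", "hr-files"),
    ("build", "app"),
}


def perimeter_trust(hosts, inside):
    """'Hard shell, soft chewy center': every host inside the perimeter
    implicitly trusts every other inside host, whether or not a flow is needed."""
    return {(a, b) for a in hosts for b in hosts
            if a != b and a in inside and b in inside}


def zero_trust(required_flows):
    """Zero trust: a flow exists only if it was explicitly authorized;
    being 'inside' grants nothing."""
    return set(required_flows)


def blast_radius(compromised, trust_edges):
    """Hosts an attacker holding `compromised` could reach by stepping, hop by
    hop, onto each system that trusts the one already taken (breadth-first)."""
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for client, server in trust_edges:
            if client == current and server not in reached:
                reached.add(server)
                queue.append(server)
    return reached


def excess_trust(hosts, inside, required_flows):
    """Implicit trust edges the perimeter model grants that no required flow
    justifies: the audit list a zero-trust migration would remove first."""
    return perimeter_trust(hosts, inside) - set(required_flows)


if __name__ == "__main__":
    everyone_inside = set(HOSTS)
    for victim in ("web", "laptop"):
        old = blast_radius(victim, perimeter_trust(HOSTS, everyone_inside))
        new = blast_radius(victim, zero_trust(REQUIRED_FLOWS))
        print(f"{victim} compromised: perimeter reaches {len(old)} hosts, "
              f"zero trust reaches {len(new)} -> {sorted(new)}")
    print(f"unjustified implicit trust edges: "
          f"{len(excess_trust(HOSTS, everyone_inside, REQUIRED_FLOWS))}")
```

Compromising the web server reaches every host under the perimeter model but only the app and database tiers under zero trust; the build server, which web never needed to talk to, stays out of reach.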

To Mach or Not to Mach

So you’re thinking of applying for the Mach37 program? You’re unsure. You’re skeptical. After all, you know this industry inside and out. You’re convinced your solution is the hottest thing going and there’s no competition. You are going to raise some capital from the money you’ve saved, get a few friends to kick in and you’ll sell this company for a gazillion dollars in a year or two to Facebook. Simple plan. Foolproof. That’s why everyone does it, right?

Not so fast…

What do your customers think? Oh, you don’t have any yet? Surely they need this solution because you know your technology. You’ll just call up a few government clients where you provided great support and they will just write the Purchase Order. Maybe. Or maybe you’ll chase the “opportunity” for 18 months (standard) while you pour all of your money into product development. Double your estimate of development time and cost. The bank account is dwindling. Maybe you’ll just take a part-time support contract and bill some extra hours. There goes 30 hours that you are going to need but just don’t know it.

Call John and Susan. They are great salespeople and are underappreciated at their established publicly traded firm and surely can “moonlight” and get your product out there. They surely will work for “equity” and prioritize this over their $150k-a-year guaranteed salary with bonus opportunities.

Have you thought about intellectual property protection? Trademarks? Total available market? Go-to-market strategy? You’ll just figure it out along the way and find an outsourced firm to do that.

You’re a little frustrated though because you’ve explained this technology to your peers and they just don’t get it. It’s because you’re just too smart. It has nothing to do with your inability to articulate the value proposition.

You’ve looked at Mach37. They want a small percentage of your company from the start. Are they crazy? This company is going to be worth millions and you’re going to maintain 90% ownership. If you need capital, the angels will certainly come knocking on the door and Venture Capital firms will stroke checks for millions, asking only a few percentage points.

A backup plan is good. You’ve heard Kickstarter crowdfunding is a surefire way to raise a ton of money. Foolproof plan…can’t lose.

At this juncture, may I suggest setting up a lemonade stand and charging $100 per cup? You’ll be more likely to be successful.

Mach37 partners know the industry. They are connected to almost EVERYONE and you will be introduced to many of them. They know products. They understand the market, the competition, the pitfalls and they know how to develop a successful business plan. They are patient. They understand pivoting. They are a holistic accelerator that will give you the best chance to be successful. They provide funding. They introduce you to the real players. And the Thursday night dinners are pretty good too (I highly recommend the cannoli)!

Summarized…apply. Consider it a privilege to be considered and an honor to be accepted. Focus and give 110% to the program if you get in. Be the first in and the last to leave every day. Execute. Accept criticism and feedback. Engage. Debate. Fail. Pivot. Improve. Succeed. Excel.

My name is Shawn Key. I am the founder of Key Cybersecurity, Inc., a Mach37 inaugural cohort member. We are the developer of CyberMerlin, a cyber security illicit file detector geared to Fortune 500 and K-12 enterprise network organizations. We raised $250k in funding in four months and are poised for success. I continue to reach back to Mach37 weekly to ensure I am focused and on the right path. I owe this chance to be successful to Mach37 and the great resources they introduced to me during the program. By far, this is the best experience I have ever had and I am thankful to everyone who took a chance on me and set me on the path.

The ball is in your court….apply.

Sincerely,
Shawn R. Key
Founder, Key Cybersecurity, Inc.
www.keycybersecurity.com
skey@keycybersecurity.com
2014 NVTC Destination Innovation Award (Security Category)

CTO SmackChat: Minimalism

By now, most entrepreneurs have adopted the lean startup principles advocated by Eric Ries in his book The Lean Startup. A key concept is the Minimum Viable Product, the mechanism used to convey your core product ideas to potential early users, and test key market assumptions in an iterative process to ensure that what you finally deliver both solves a problem and can generate enough paying customers to build a business. Of course the hard nut with this concept is figuring out “minimal” and “viable” in a world where your startup may be created based on a good idea and not much else.

I have experienced first-hand a number of the traps that technologists tend to trip over with this concept. The classic one of course is building products that are never quite ready to ship because they need just one more feature. Early in my career I developed a number of highly optimized protocols for satellite-based networks; it turns out that only satellite builders determine the protocols that fly, and the best technology is often not the winner. Complexity is another dangerous siren song – after a few meetings where it takes half an hour for even the friendliest, most perceptive customer to go “aha!” you begin to wonder about the guy who made millions selling those plastic electric outlet covers to prevent toddlers from sticking their tongues in the outlet.

One of my startups embodied all of these traps in a single great idea. Well before iTunes perfected the concept, we built and tested a very efficient delivery system for selling individual movies, songs and other content onto end user devices. At the time, transmission costs were high and credit card transaction costs were also high. We conceived a closed loop where content was aggregated at a central point, shipped over satellite to every TV station in the country, and streamed over the unused bandwidth in HDTV to a small receiver gizmo connected to end user devices that would decode the signal and securely aggregate single transactions into a monthly billing. The actual system was tested in New York, Trenton, NJ, Baltimore and Washington DC, and overnight we could stream enough content to make the top 100 movies, 1000 songs, and other content instantly available to millions of users. Even the back end worked, but in the end I believe I was the only person ever to complete an actual purchase and pay for it on my credit card.

So how do you figure out the Minimum Viable Product? Especially when a company is just starting, the key notion is to get your idea in front of potential customers and see if it solves a problem they care about. At this stage it doesn’t take a lot of development, but just enough to be able to describe the problem and how you address it, the value proposition for the user, and enough of an indication of what a user would see and do to make it feel real. The acid test at this stage is finding a potential customer who indicates that if you can build it, they will try it and eventually buy it. That establishes the “viable”. Beyond that, the “minimal” is driven almost more by schedule than by features. How long will that first customer wait before they forget about you? How much do you have to demonstrate in terms of solving the core problem to entice your customer to take those next steps down the development path with you? In the end, both “minimal” and “viable” are defined by your early customers, not by you. Your job is to make a guess that is close enough to keep those early customers engaged until you are actually in a position to deliver something.

David Ihrie is CTO of MACH37 and has been the lead technical person for six startup companies. He has a BS in EE/CS and an MS in Management specializing in the Management of Technological Innovation, both from MIT.

Reflections on Mach37 F13 (and some news)

We at Mach37 have decided to modify the terms of our initial investment in each company in our Spring 2014 cohort to double our financial commitment to $50,000.  This additional financial investment will not only help Mach37 entrepreneurs attract complementary team members, but also will provide them with additional resources necessary to expand target market validation and further accelerate technology development. 

Earlier this month, Mach37 completed its first Cybersecurity Investor Demo Day.  Along with six CIT GAP Fund cybersecurity entrepreneurs, our four F13 (Fall 2013) cohort participants presented their companies to an audience of over 100 information security investors.  By all accounts, their presentations were successful and I believe they foreshadow many future successes by Roy Stephan (PierceGTI), David Lehrer (Conatix), Ethan Allen (Sikernes) and Shawn Key (Key Cybersecurity). 

As I think about each of their presentations, it seems almost unfair that they were limited to eight minutes each.  The brevity of a demo day pitch belies the immense amount of work each of these entrepreneurs delivered over the past four months.  As anyone who has ever built an effective investor pitch will attest, the significant majority of the work is conducted weeks and months ahead of time. 

Roy, David, Ethan and Shawn sprinted through Mach37’s 14-week curriculum:  Fully analyzing their competitive environments; effectively positioning their respective product concepts; developing unique technical capabilities; and generating significant market validation from target market customers.  As all four of them will attest, the Mach37 program is not for the uncommitted. 

Based on our collective observations from F13 and the amount of work delivered by its entrepreneurs, the partners at Mach37 want to make an important recommendation to future Mach37 participants: Find capable, full-time partners.

To encourage future applicants to find complementary partners, we are placing a greater emphasis on having multiple founders as part of our core selection criteria.

The amount of effort required to develop and implement a business concept over a brief 14-week period while also designing and delivering a functional prototype is more work than one full-time founder can reasonably manage.   The best founding teams usually include full-time technical and entrepreneurial founders, all of whom understand the customer problem they are solving and how to share responsibility as they build their respective businesses.