A Tale of Four Cities (with apologies to Dickens)

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…”
Charles Dickens, A Tale of Two Cities

Since the beginning of 2016, it seems like the worst of times. We have seen a correction in the stock market as the Chinese economic bubble has popped, taking the global oil markets with it, and bringing back the all-too-recent memories of the Internet bubble of 2000 and the financial bubble of 2008 (watch out, 2024!). The misery has spread to the Tech sector. The unicorn, unofficial mascot of Silicon Valley, which had gone from being a rare beast in 2014 to a veritable population explosion in 2015, is once again on the verge of extinction.

Yet the economic talking heads tell us this is normal, that the U.S. economy is doing well and is reasonably insulated from both the Chinese economy and the negative oil shock. That corrections are a necessary part of the market, to restore balance after a period of irrational exuberance. So, what the heck is going on with Tech?

In 2015 I was Principal Investigator for a DHS-funded program called EMERGE, working to leverage commercial business accelerators to help commercially-focused innovative companies bring some of their technology to address needs of the DHS community. As part of this program we were fortunate to get an inside view of four different business accelerator programs in four different cities:


Here is what I learned. First, tech innovation does not occur in isolation; it is the result of effective regional innovation ecosystems that include customers, entrepreneurs, funding sources, a high concentration of expertise and ideas, and enough of a support infrastructure to help the entrepreneurs through the early pitfalls. Each of the four accelerator programs above has done an outstanding job of helping build and then leverage their local ecosystem as an integral part of what makes each region grow.

Second, Silicon Valley is not identical to the Tech sector. Although news coverage often glosses over this fact, innovation occurs in many places across the country. I will argue below that while Silicon Valley is indeed unique in many ways, generalizations based on that unique set of circumstances can often be wrong. In the current situation, the doom and gloom based on over-priced investments there is less relevant in other parts of the country.

And so, the four cities.

Dallas – Texas has several innovation centers including both Dallas and Austin. There is a diverse industry base, with concentrations in energy, health care/life sciences and tech, significant university presence, and a good concentration of wealth. Tech Wildcatters has successfully provided leadership to the region’s startup community with special programs in both health care and tech, and most recently going to a year-round program from the more typical discrete sessions. Dallas is a vibrant startup location, although it is unclear what effect the collapse of oil prices may have on access to capital in the region.

Chicago – political issues aside, Chicago has the benefit of a high concentration of Fortune 500 Corporate Headquarters, a robust investment sector and strong University presence. TechNexus has done a masterful job first in priming the innovation ecosystem development 7 or 8 years ago, and now tapping into the innovation needs of Corporate strategic partners who are looking to early stage companies as a source of new products and ideas. If the city can recover from its social strife, it is certainly positioned to continue as a significant center of tech innovation.

San Francisco – San Francisco/Silicon Valley is the undisputed investment capital of the world for tech. According to Pitchbook, in the third quarter of 2015 more than 27% of all the venture capital invested globally came out of Silicon Valley. China has risen rapidly as both a source and target of VC investment, although the collapse of the economy in China seems certain to be a major setback in this area, as the graph seems to indicate starting in Q4 of 2015. New York ranks third on this list, providing just north of 8% of the globally invested capital.

Yet with all that money floating around, it appears that some Silicon Valley investors may have had more dollars than sense. If you look at the number of deals and the dollar amounts as compiled by Pitchbook, the dollars invested continued to rise in 2015 even while the number of deals plummeted, leading to a rapid rise in median valuations.

By comparison, valuations in New York during this same time were only 10% of the San Francisco valuations, an enormous disparity. There are some possible alternative explanations for this disparity (bigger opportunities, a move towards later stage investments, etc.), but both the anecdotal evidence at the time (“too much money chasing too few deals” was a sentiment we heard more than once) and the subsequent down rounds of investment even for some of the high flyers indicate that over-valuation on the part of investors was at least one primary cause of the disparity.

A second point. Why on earth would you want to locate and operate a company in the outrageously expensive environs of San Francisco where none of your employees can afford to live? Or Palo Alto, where Palantir is driving out start-ups by snapping up office space at high rents. Well, there are certainly some reasons: if you want to hang with the cool kids, California is the place you ought to be. If you need to raise a billion dollars or so, where else would you go? And certainly if you want frothy valuations during the good times, the target destination is clear.

A recent Harvard Business School study (http://www.hbs.edu/faculty/Publication%20Files/09-143.pdf) hinted at one possible evolution of this trend. According to the study:

“Venture capital firms based in locales that are venture capital centers outperform… [as a result of] outsized performance outside of the …firms’ office locations…”

That is, if you are a VC you want to be in one of the centers of VC activity because there is a strong ecosystem of investors…but, the big returns are to be found by investing in other places. Certainly Silicon Valley is not going away as the primary center of activity. Increasingly however, those investors seem to be syndicating with other groups in places such as Dallas, Chicago or…

Washington DC – The region centered around Washington DC is generally considered to include Maryland, Virginia (or at least Northern Virginia), and DC itself. The Federal Government is a large presence, along with some of the specialty areas such as cybersecurity and data analytics it has helped develop. Health care/life sciences is also a major player in the area, and there are multiple world-class universities that support the ecosystem. The region generally ranks in the Top 10 innovation areas of the country, and the area’s capital investments are growing, actually increasing in the 4th quarter of 2015 even while investments were declining nationally. One reason for this increase is the growth in cybersecurity, with the potential for more than a billion dollars in cybersecurity investments in the region in 2016. The two biggest areas were health care/bio and software (including cyber), and there is an organized, active ecosystem working to promote the growth of these and other industry sectors.

Conclusions – Clearly the stock market is in correction territory, driven initially by economic issues in China and the energy sector. While the tech sector also appears under pressure, the fundamentals here are very different. In the short term, what appears to be a broad retrenchment in the sector is actually mostly a correction of inflated valuations on the West Coast that are not indicative of the sector as a whole. As Rick Gordon, Managing Partner of the MACH37 Cybersecurity Accelerator, puts it: “while Silicon Valley has been out on the great unicorn hunt, we have been building an army of cockroaches…small, fast, nimble, designed to survive a nuclear winter, and available at a reasonable price.”

The age of easy money from building the next mobile app may be behind us, but the advent of autonomous vehicles, personalized medicine, data-driven everything and more will ensure that the tech sector will continue to drive the next wave of innovation and economic growth for decades to come. But it is increasingly likely that the actual innovations will be found in places like Dallas, Chicago and the Washington region even if the investment capital still flows from New York and Silicon Valley.

Cyber Insurance

When most people think of cybersecurity, they think of IT departments protecting corporate networks, or individuals at home on their personal computers. But cybersecurity is differentiating rapidly as more people realize its actual goal is to improve the reliability of some other business process or product, and not an end in itself. Since these business processes vary widely from one industry to another, it makes sense to talk about the unique issues and approaches faced by individual market verticals. One such vertical: Cyber Insurance.

The October 1 edition of the excellent Security Leaders dinner series conducted by @mach37cyber, cohosted by Mach37, AOL, and Marsh & McLennan at the AOL Fishbowl, was a highly interactive, highly informative panel discussion with insurance industry and related legal professionals on the topic of Cyber Insurance. Cyber Insurance is designed to cover some of the costs in the aftermath of a cybersecurity incident, including items such as forensics to determine what happened and the extent of the damage, public relations to communicate with customers and other stakeholders, costs such as credit monitoring involved in the remediation, and legal costs for defending lawsuits that arise as a result of a breach or loss of data. These costs for businesses that experience a cyber incident continue to increase rapidly.

It is clear that cyber insurance is still a very nascent but rapidly growing industry that faces some difficult challenges. Unlike more familiar life insurance, car insurance or hazard insurance, there is no long claims history to determine actuarial risk. There is no agreed set of standards or guidelines, analogous to "stop smoking", that are guaranteed to reduce risk for most customers. Every insurance need is essentially custom to the situation (the panelists all agreed businesses should pay attention to coverages and exclusions such as "acts of war"), with businesses handling health information or PII facing very different imperatives than those handling primarily credit card or other financial transactions. And the way that business is conducted, with online brokers promising several competitive quotes within a few hours, means that the due diligence to determine a business's cyber posture, or even whether they are already breached when the policy is written, is not practical. The remedy for the latter is an increasing reliance on third-party audits or certifications regarding the business practices of businesses seeking insurance.

Insurance claims start when an insured business has knowledge that something has happened, so for data breaches this means the company must be at least sophisticated enough to know that something is wrong. But as one panelist indicated, the most commonly reported incident is "hack" (not a very sophisticated description), accounting for about 1/3, while lost laptops and even lost paper still account for significant portions of claims. The insurance company can help bring in forensics and other experts to determine the extent of losses and help stop further losses, and then supports later steps in the remediation and recovery process.

In discussions after the panel, a couple of interesting questions came up. First, is cyber insurance more like car insurance (where different skill levels are reflected in different accident rates, allowing lower premiums for good drivers) or more like life insurance (where every insured person experiences exactly one death and premiums are essentially financing the cost of activities around dying, requiring higher premiums for those with a shorter expected time period to do the financing)? Ideally this would look more like car insurance, with a set of specific steps to reduce chances of an accident, but most people seemed to believe it is currently more like life insurance, financing for that first event after which businesses take more extensive steps on their own to prevent a recurrence.

A second interesting question was whether people in the crowd would want to be in this insurance business (an admittedly skewed sample, since the audience was mostly techies). The large majority of people I spoke with said "no", since it seems almost the luck of the draw which companies will survive in the market; if your business base doesn't experience many costly claims then you're probably ok, but the market dynamics make that extremely difficult to determine.

The third interesting post-panel question revolved around the asymmetry in risk and damage in this ecosystem as a whole. The best example here is the loss of PII from a business with cyber insurance. While a business with poor cybersecurity practices certainly incurs costs related to a breach, the harm also falls extensively on the individuals whose PII has been compromised. But the harm to the business is mitigated by the insurance, while the harm to individuals is less well covered (hence, lawsuits). Credit monitoring is sort of like jail time...once you reach three or four life sentences, adding additional coverage doesn't really help very much. One could hope the cyber insurance industry is taking steps to help mitigate risks for businesses seeking good practices, while not protecting businesses who seek only to profit at individual expense.

Finally, there are a variety of interesting conclusions for early stage companies looking to sell cybersecurity products to businesses in the age of cyber insurance. For entrepreneurs involved with forensics or risk management, it may be that the insurers are your primary market rather than companies directly. In the era of risk management, businesses are no longer seeking to drive their risk to zero. Instead this becomes a cost tradeoff: at what point does additional technology cost more than the insurance to protect against the same level of risk? For a cybersecurity vendor, not only are you competing with other equivalent vendors for a share of the fixed security pie, now you are competing with a range of alternatives, some of which are not even technology-based.

Cybersecurity insurance will continue to grow as a dynamic force in this market. It is unclear exactly how those dynamics will evolve however, so prudent companies should continue to watch this industry vertical carefully.

Bring-Your-Own-Keys: Bringing Trust into SaaS

Below is a guest post by Karthik Bhat, founder and CEO of SecureDB, a MACH37 portfolio company.  SecureDB's Encryption as a Service product makes implementing encryption into applications fast, easy, and inexpensive for businesses of all sizes - from startups to Fortune 500.  Learn more about SecureDB at https://securedb.co/.

- Ledger West, Associate Partner, MACH37


Over the last few years, a wide variety of internal functions of business - HR, Payroll, CRM, e-signature, Benefits Management, Health Insurance, Project Management etc. have moved to respective SaaS companies. With more and more enterprises handing over their sensitive data to SaaS providers, there is a tremendous need to protect this data in the cloud using encryption. Any responsible cloud provider should be encrypting this sensitive customer data along with all proper key management practices.

However, the biggest challenge of cloud-encryption is: who owns the keys? Quite a number of companies will be okay with their SaaS provider owning and managing the encryption keys. Many will not.


The need of the hour is for the cloud platforms and SaaS companies to allow their customers to bring their own encryption keys - Bring Your Own Keys (BYOK). This way, customers can rely on SaaS companies without any apprehensions about data-leaks. BYOK will ensure that a SaaS company's access to customers business data is always controlled. Thus, cloud providers and SaaS companies can continue focusing on the core value that they provide to the enterprises, without sweating much about security of sensitive customer data.

Why BYOK is Important?

The beauty of BYOK is that enterprises have full control over the life cycle of the keys (generation, usage, backup, rotation etc.). The enterprise can also assign specific permissions on the encryption keys that limit what the cloud provider can do with the keys (for example, give only 'encrypt' and 'decrypt' permissions and not 'key-rotate' or 'key-delete' permissions). The enterprise can also view the key usage logs to ensure the keys are used in accordance with the agreement.

When the enterprise wants to cease using the SaaS provider, they could download their data and simply revoke the access to the key. The SaaS provider no longer will be able to view or process the data. No more worries about whether the SaaS provider has done the right and responsible thing and deleted your data.

Bring Trust into SaaS

At SecureDB, we anticipate this to be the next logical step to acceleration of SaaS adoption.

Bring-Your-Own-Keys (BYOK) for data-encryption converts cloud and SaaS (inherently un-trusted) environments into trusted environments.

Consider this: when your company is using a SaaS service, your company data is most likely sitting right next to some other company's data - in the same table or in the same database. This means that if an attacker finds a way to compromise the SaaS provider's database, your company data is compromised just as everyone else's.

Enter BYOK. If the SaaS provider supports BYOK, your data is encrypted using the keys you own. Now, you are protected against a whole slew of attack vectors. You can revoke the keys at will. This is in the best interest of SaaS companies too. They can vastly reduce their exposure to risk.
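The control boundary described in "Why BYOK is Important?" and in the paragraph above (the provider holds a narrow grant, the owner sees every use, rotation stays with the owner, and revocation leaves the provider unable to read the data) is modelled below. This is an added example, not SecureDB's code or API; the key store, the principal names, the operation names and the sample record are all constructed for illustration, and the HMAC-based counter-mode cipher stands in for an AEAD such as AES-GCM so the script runs on the Python standard library alone.

```python
"""Constructed model of a BYOK key boundary (example code, not SecureDB's).

The enterprise runs the key store; the SaaS provider is only a principal
with a narrow grant. Every key operation is authorized and logged.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class KeyAccessDenied(Exception):
    """Raised when a principal requests an operation it was not granted."""


@dataclass
class TenantKey:
    key_id: str
    versions: list                                 # key material; index = version
    grants: dict = field(default_factory=dict)     # principal -> set of allowed ops
    usage_log: list = field(default_factory=list)  # (principal, op, outcome) tuples


def _keystream_xor(key, nonce, data):
    """Counter-mode stream cipher using HMAC-SHA256 as the PRF.

    Stand-in for AES-GCM so the example needs only the standard library;
    it gives confidentiality but no integrity tag, so use a real AEAD in practice.
    """
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        pad = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], pad))
    return bytes(out)


class TenantKMS:
    """Key store under the customer's control; key bytes never leave it."""

    def __init__(self):
        self._keys = {}

    # Owner-side administration (hypothetical API surface).
    def create_key(self, key_id):
        self._keys[key_id] = TenantKey(key_id, [secrets.token_bytes(32)])

    def grant(self, key_id, principal, ops):
        self._keys[key_id].grants[principal] = set(ops)

    def revoke_access(self, key_id, principal):
        self._keys[key_id].grants.pop(principal, None)

    def usage_log(self, key_id):
        return list(self._keys[key_id].usage_log)

    # Gate that every key operation passes through.
    def _authorize(self, key_id, principal, op):
        key = self._keys[key_id]
        allowed = op in key.grants.get(principal, set())
        key.usage_log.append((principal, op, "allowed" if allowed else "denied"))
        if not allowed:
            raise KeyAccessDenied(f"{principal} is not permitted to {op} {key_id}")
        return key

    def encrypt(self, key_id, principal, plaintext):
        key = self._authorize(key_id, principal, "encrypt")
        version = len(key.versions) - 1            # always the newest version
        nonce = secrets.token_bytes(16)
        body = _keystream_xor(key.versions[version], nonce, plaintext)
        return bytes([version]) + nonce + body     # version byte lets old data decrypt

    def decrypt(self, key_id, principal, blob):
        key = self._authorize(key_id, principal, "decrypt")
        version, nonce, body = blob[0], blob[1:17], blob[17:]
        return _keystream_xor(key.versions[version], nonce, body)

    def rotate(self, key_id, principal):
        key = self._authorize(key_id, principal, "rotate")
        key.versions.append(secrets.token_bytes(32))


def demo():
    """Grant, use, denied rotation, owner rotation, then revocation on offboarding."""
    kms = TenantKMS()
    kms.create_key("hr-records")
    kms.grant("hr-records", "enterprise", {"encrypt", "decrypt", "rotate"})
    kms.grant("hr-records", "saas-provider", {"encrypt", "decrypt"})  # no rotate, no delete

    record = b"employee=alice; ssn=***-**-1234"       # constructed sample field
    old_blob = kms.encrypt("hr-records", "saas-provider", record)
    roundtrip_ok = kms.decrypt("hr-records", "saas-provider", old_blob) == record

    try:                                             # provider may not rotate the key
        kms.rotate("hr-records", "saas-provider")
        rotate_blocked = False
    except KeyAccessDenied:
        rotate_blocked = True

    kms.rotate("hr-records", "enterprise")           # owner rotates: version 1 is current
    new_blob = kms.encrypt("hr-records", "saas-provider", record)
    old_still_readable = kms.decrypt("hr-records", "saas-provider", old_blob) == record

    kms.revoke_access("hr-records", "saas-provider")  # leaving the SaaS: pull the grant
    try:
        kms.decrypt("hr-records", "saas-provider", new_blob)
        revoked_blocked = False
    except KeyAccessDenied:
        revoked_blocked = True

    denied = [e for e in kms.usage_log("hr-records") if e[2] == "denied"]
    return {
        "roundtrip_ok": roundtrip_ok,
        "rotate_blocked": rotate_blocked,
        "new_blob_version": new_blob[0],
        "old_still_readable": old_still_readable,
        "revoked_blocked": revoked_blocked,
        "denied_events": len(denied),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the check lives: the provider never holds key bytes, so "encrypt and decrypt only" is enforced by the owner's store rather than by the provider's good behaviour, and the two denied entries in the usage log are exactly what the owner would review against the agreement.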

Write this into the contract

Before a company hands over the data to SaaS companies, it is in the company's best interest to ensure the SaaS company is encrypting the data. Call out specific fields that must be encrypted and provide the SaaS company with the BYOK key.

We agree, this is still a few years out. But we need to start somewhere. Please share your thoughts in the comment box below.

CISOs Don’t Want Your Analytical Tools

In his March 20th Cyber Intelligencer, Anup Ghosh nailed it with his description of the failure of our traditional Prevent, Detect and Respond strategy. As Anup proposes, given the state of our collective failure, a move toward a strategy that is focused on Containment, Identification (of compromised assets and adversaries), and regaining Control of compromised networks is a more sound approach.

In his piece, Anup correctly indicts the purveyors of Detection tools, who:

“[have] only succeeded in producing prodigious alerts and data dumps that understaffed and over-worked security teams now have to wrestle with. Few organizations have enough resources to sort through the volume of alerts their solutions provide and the terabytes of log data required to derive actionable insight at the speed and scale that is required.”

As the industry and our customers move forward toward Identification and Control, information security capabilities will necessarily evolve away from emergency response and dispatch playbooks and toward more sophisticated analytical approaches. Unfortunately, given that the population of information security personnel with strong intelligence and analytical skills is about as abundant as Valyrian steel, if we don’t alter the way these tools are delivered, we are destined to fail again.

Of course, well-funded purveyors of analytical tools who have effective sales and marketing teams will be able to sell their expensive on-premise tools to large government information security organizations and the Fortune 100. But, given the volume of their data and the speed with which customers need to take action, they won’t be happy with their results.

Ironically, the good news for these vendors is that the rest of the market can’t afford to deploy their capabilities. How many non-Fortune 100 companies do you know who have advanced threat intelligence cells and big data log analysis infrastructures? So at least they won’t be pissed.

At the end of the day, I believe that even large company CISOs really don’t want to buy analytical tools. Rather, they simply want prioritized recommendations and enough confidence in the analytical rigor behind those recommendations to confidently take meaningful action.

To us, solutions that invert the analytical process – providing prioritized actions based on rigorous analysis and shared intelligence, and walking customers backwards through the analysis only if they care – are going to be winners. Using machines versus people to triage massive volumes of intelligence based on relevance and risk to an organization is inevitable. Solutions that leverage more affordable As-a-Service delivery models that enjoy economies of scale for both computational resources (i.e., elasticity) and analytical human capital make the most sense.

At Mach37, we agree with Anup. We continue to prospect for and invest in solutions that will deliver affordable advanced intelligence and analytical capabilities to satisfy the growing need for Identification and Control. We believe these solutions will allow us to avoid the mistakes of the Detection vendors, finally getting it right this time.

The Innovation Kill Chain

Caution: Satire Ahead

There is a dangerous threat to our economy and way of life springing up in seemingly every industry. Almost half the Fortune 500 were booted from the list between 1999 and 2009. Some prognosticators say this threat could result in even more than half of the Fortune 500 going away over the next decade, with a conservative economic impact of more than $2 trillion to our current productive capacity. What is this threat? Disruptive Innovation and the provocateurs inflicting it upon us, the Disruptive Innovators, or Dis-sInners as I like to call them.

Fortunately we are not helpless in the face of this scourge; we can fight back. The reason is that these Dis-sInners proceed, no matter the industry, in a very well-known set of steps before they can succeed. If we can disrupt their insidious designs at any step along the way, they will fail, and this is what I call "The Innovation Kill Chain."

The seven steps of a typical Dis-sInner attack are as follows:

  1. First, they will conduct surveillance, to understand their target, evaluate competitive strengths and weaknesses, and position for the eventual attack. While this stage is hard to detect, we can take comfort that our highly efficient current business structure is very difficult to disrupt.
  2. At stage 2 the Dis-sInner will typically expose themselves by creating a legal paper trail (articles of incorporation and similar) that reveal both their true identity and business intent. Paranoid companies could develop a standing research capability to discover and track these perpetrators, but it is hardly worth the effort since they will never amount to a true threat to our overwhelming market share.
  3. The third step in the Innovation Kill Chain involves the Dis-sInners planning to undermine the value of your core Intellectual Property. Here the well-prepared defender can become more proactive by filing extensive patent coverage that will allow for future lawsuits should the Up-Startup ever amount to anything. Remember, you have deep pockets and they don't, so it does not matter whether there is actual economic value in your IP portfolio; all that matters is the ability to create expensive legal proceedings at critical times.
  4. Inevitably, some Dis-sInners actually start building prototype products and begin looking for "beta customers". By all means, this is your opportunity to appear forward leaning while still containing the threat. The most successful defenders step forward at every request...but then stretch out the process through the various tricks of bureaucracy we all know so well. Should a Dis-sInner persist, extensive product feedback involving meaningless features and tangential use cases is often an effective counter-measure.
  5. Only a few of the most Advanced Persistent Threats will make it to the point of seeking funding, but for these we recommend the essential Enterprise FiresaleWall. Your Corporate Venture Fund can be a key player in this process. Remember, that these early-stage APTs have not yet taken over key parts of your market, and a well-timed lowball offer can often shortcut their efforts at Escalation of Visibility.
  6. It is inevitable that your market position will eventually be breached. There are only two types of market leaders, those that know they have been disrupted and those that don't yet know it. This is where a top notch Chief Innovation Prevention Officer (CIPO) earns their keep. “Off the street and on the shelf” are truly words to live by. Early warning can give you plenty of time to squeeze every last penny out of those previously lucrative markets. And your best customers will surely want to stay with a market leader, even in the face of punitive long term contracts.
  7. Once a breach has occurred it is time for forensics and damage control. Here, behavioral indicators can be useful in ferreting out the Inside Your Market Threat. Do not succumb to the temptation to point fingers and re-organize; instead watch the Up-Startup and match their every move. One very effective defense, particularly in the Government space, is to partner with the enemy! As a prime contractor, you will have locked up the Dis-sInner market potential and control their destiny through the amount of business you let trickle-down their way.

Knowing your adversary, and the common steps they take in seeking to disrupt your business is the most effective way to stay prepared and stay ahead of this insidious threat.

Differentiating Cybersecurity Startups

A number of investors from around the country tell us they have a problem. When considering early stage investments in cybersecurity companies, whether at Mach37 or elsewhere, investors have a hard time telling the companies apart. One issue is that companies abstract away the technical jargon for their investor pitches, and at the buzzword level they really DO sound similar. However, we know from the Mach37 portfolio, where we pay attention to competitive issues within cohorts and are always looking for new ideas, that each company is unique. The challenge then is making those differences clear in an easily comprehensible way. We were searching for a way to depict the entire portfolio on a one-page graph with a modest number of categories; here it is.

Company Differentiation v2.1

Across the bottom are the target users for each product, color coded and grouped into the corresponding market segments across the top. The technology categories on the vertical axis are based on our "Understanding the Technology" white paper, with a few additional categories added. This segmentation clearly gives a nice spread of the Mach37 companies, and corresponds well with our intuitive understanding of how the portfolio is beginning to meet the market needs. It also provides an interesting working definition of a company pivot, which we are beginning to see in a couple of instances: a pivot is reflected by a company moving from one place on the graph to another.

We are interested in your feedback. Does this provide a useful differentiation of companies in the space? Do the categories make sense? How does your portfolio stack up? Could a similar depiction work for other verticals with a different set of technology categories and users?