When we launched Mach37 three years ago, we acknowledged at the time that we were essentially running an experiment. At our inception, we believed that an accelerator could effectively harness the rich cybersecurity talent pool in the DC-Maryland-Virginia region (DMV) to create an ecosystem capable of supporting large-scale, commercially focused cybersecurity product companies. There were plenty of skeptics, including many in the institutional venture community, who believed you can’t scale a cybersecurity product company in the DMV. At the time, I privately admitted that we had no idea if we would succeed, and anticipated it would take us at least five years to really know if we are any good at this.

Three years later, I am confident that I have burned through any goodwill I had with my friends in the community and that I am deeply indebted to just about every person I know in the industry. But it seems like our modest experiment is working out far better than most people ever expected, including us. Our small $50,000 investment in each of our 35 companies has been leveraged over eight times on average by private seed investors. What started out as one- or two-person companies have grown into ten- and twenty-person companies. Currently, our portfolio employs over 100 full-time equivalent employees, and we expect that number to increase dramatically over the next year as they receive institutional venture funding.

To be certain, all of us here at Mach37 know that there is still a lot of work left to do to transform what has been a government-centric business ecosystem into a thriving, commercially focused cybersecurity business epicenter. However, I now believe that this transformation is inevitable.

As we pass through the three-year milestone, I wanted to share a few important lessons we have learned from the experience.

Lesson #1: Accelerators can effect major changes to business ecosystems.

Part of Mach37’s mandate was to cultivate an ecosystem that could transform the cybersecurity intellectual capital native to the DMV into a conveyor belt of successful security product companies. The conventional wisdom in 2013 was that we didn’t have a critical mass of talented individuals in our region who understood how to build security product companies. However, it looks like our brute-force approach is working.

We started by building a mentor network of security professionals one mentor at a time. (Thank you, George Schu, for leading the way as Mach37’s first mentor.) What began as a small group of believers evolved into an unmatched 240+ person network of security business experts, all committed to our mission to launch the next generation of security product companies.

From there, the momentum increased. Since 2013, over 80 security and software business experts have volunteered to teach our entrepreneurs the critical skills that will enable them to be successful. Over 70 seed investors have fueled our companies, allowing them to mature and finally begin capturing the attention of the institutional venture community. And the vital leadership and financial support offered by our sponsors at Amazon Web Services and General Dynamics has been humbling and validates the demand for security innovation from some of the most successful companies in our region.

Perhaps the skeptics were right that the DMV doesn’t have as many talented security product business experts as other, more established regions. But what I have learned to value much more than the quantity of experts is that members of the security community in our region rarely say “No.”

Lesson #2: The DMV has an unmatched volume of technical security innovation that is driven by government-centric missions. However, security innovation also comes from diverse populations around the world.

As most people recognize, there are more talented security technology professionals in the DMV than any place else on Earth. In general, the security ecosystems supported by the DoD, the Department of Homeland Security, and the Intelligence Community are driving significant demand for security innovation. Mach37 has been able to effectively leverage this regional asset. Founders from Huntress, Atomicorp, Disrupt6, Fast Orientation, Tensor Wrench, Eunomic, Cyber Algorithms, Anatrope, vThreat, and Hilltop have all been operating at the leading edge of security within this ecosystem for many years.

However, we failed to anticipate the large volume of high-quality security entrepreneurs that would come to the DMV from many diverse ecosystems. To date, of our portfolio of 35 companies, over 40% came from outside the DMV. Notably, Mach37 has received applications from 24 different countries (and counting), and we expect to increase our volume of investments in entrepreneurs from outside the United States in coming cohorts. Additionally, since inception, Mach37 has funded 17 of 35 companies (nearly 50%) with a founder who is either from an ethnically underrepresented group, from the LGBT community, a woman, or a service-disabled veteran.

Lesson #3: You CAN raise seed capital in the DMV.

To be honest, three years ago we were concerned about the limited volume of seed capital available to product companies in our region. We just weren’t sure it would support the volume of innovative product companies we intended to launch. However, about 70% of our graduates consistently raise capital beyond our initial investment. To be sure, we have reached out to seed investors from other geographies and, thankfully, their appetite to fund security companies in the DMV exceeded our expectations.

Further, the often-publicized concerns around the impending “winter” in security investment appear to me to be overwrought, at least in the DMV. Maybe it’s because we have never been spoiled with an abundance of early-stage capital, and “winter” doesn’t feel any different to us. Perhaps it’s because the uninitiated investors who are fleeing the sector were never investing in our region to begin with. Or maybe it’s because investors who understand security continue to invest in the DMV, in spite of the emergence of “winter” in other regions. Whatever the reason, the rate at which Mach37 companies continue to receive funding is increasing, and it still feels pretty warm to us.
Mach37 Spring '16 Class Interview: PCPursuit
Robert Walker
CEO and founder
What opportunity did you recognize that led to the founding of PCPursuit?
Robert Walker: There are a couple of things going on in information security that are really important. Too many information security products only tell you there is a problem after your data has already been stolen. I have seen a few things in my career that are technologies that can prevent problems from happening in the first place, but they are not easy to use and are typically expensive. We recognized that we could make physical systems and digital systems more secure if they could just talk to each other. It’s really never been done before and that’s what we are changing by providing a proactive security solution that is inexpensive and easy to deploy.
What makes your approach different and better from existing approaches?
Walker: Simplicity. You don’t have to roll this out to every asset in your enterprise. You can deploy one tiny piece of software on your Active Directory domain controller and it can protect your entire enterprise. This uses the exact same framework that Microsoft uses themselves. Most solutions don’t do it this way because it’s extremely hard to do.

One specific thing our technology doesn’t do is require you to deploy agents to each PC in your enterprise. We have a server that sits between your physical control systems and your Windows Active Directory domain controllers. That PCPursuit software asks if a user badges in and, if so, when and where. We report that back and, based on what the enterprise administrator wants, we can log it, we can send an email to their manager, or restrict access.
What specific value does addressing that opportunity/problem provide for your customers?
Walker: PCPursuit enables enterprises to get considerably better security out of the assets they already own. We make the stuff they have better and we do it very inexpensively. It’s a massive improvement for a very low cost.
Why aren’t current solutions addressing this problem effectively?
Walker: Because they are not thinking outside their own boxes. Physical security solutions only think about the physical side. Digital security only considers their own boxes. We took it up a level to look at both pieces. However, there is another dimension to consider. The technology is really hard to build. The concept is simple, but the execution isn’t easy.
What about your (team’s) background puts you in a unique position to succeed?
Walker: Both my co-founder and I worked at Microsoft. I was there as a full-time employee for 13 years. My co-founder has worked at Microsoft for many years as a consultant. So we both have very deep exposure to Microsoft technology and we know how to implement it in a way that very few people understand. It's not that no one else can do this. It's that few people understand as well as we do how Windows was designed.
What makes this an exciting opportunity for you?
Walker: The thing that I think is most exciting about what we are doing is that we are one of those really rare solutions that can help make your enterprise tremendously more secure than it presently is and at a very low cost. By putting these two pieces of technology together, PCPursuit delivers two key benefits that address two intractable problems:
- It discourages employees from tailgating into buildings. If you can’t get any work done because your login won’t authenticate, you won’t tailgate to get in. If we change the psychology in an office to "always badge in" instead of "avoid it," it changes behavior. Then not badging in becomes the anomaly.
- We also make physical presence another factor for authentication. Passwords aren’t secure. Even if you have to change them every several weeks. People forget them. They write them down so they don’t forget them, making them easier to steal. With PCPursuit, if you didn’t badge in, you can’t get access. If your password got phished, that hacker in Russia won’t be physically in your building and can’t get access from inside your enterprise network. If someone found your password, they can’t use it. And we can do it for one-tenth of the cost of other tools in the market. You don’t have to buy tokens or other tools, just install our software on a single server and connect it to Active Directory and your enterprise is immediately more secure.
PCPursuit represents the first example of a simple approach to pairing physical security with digital security. It will have the biggest impact on securing the enterprise since automatic Windows updates. This is the kind of stuff that actually works. Stuff that’s really simple. You just make a little tweak and people don’t have to change the way they work, but it still makes a big difference. It turns out that the technology is hard, but the implementation is simple and effective.
What one aspect of the Mach37 programs did you personally find most beneficial?
Mach37 is really well-connected and is the only accelerator focused solely on information security. Their specialization in information security means everything they do is geared to this field, and that is very valuable. In addition, they understand selling to the enterprise. There is a big emphasis in the program on selling, and that is not a natural skill for engineers, which is the background of most of the founders.
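As an added example that is not PCPursuit's code (the log formats, the workstation-to-site map, the twelve-hour badge validity and the three policy action names are assumptions), the following Python sketches the correlation the interview describes: a local interactive logon is compared with the user's most recent badge event at the site where that workstation sits, and a missing, expired or badged-out presence produces whichever action the administrator has configured.

```python
"""Correlating badge-in events with Windows logon events.

Added illustration of the control the interview describes; not PCPursuit's
code. Log formats, the workstation-to-site map, badge validity and the policy
action names are assumptions made for the example. A local interactive logon
(Windows event 4624, LogonType 2) is checked against the user's most recent
badge event at the site where that workstation sits.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# The interview lists three administrator choices for an unbadged logon.
ACTIONS = ("log", "notify_manager", "deny")
BADGE_VALIDITY = timedelta(hours=12)  # assumed: a badge-in lapses after a shift

@dataclass(frozen=True)
class BadgeEvent:
    when: datetime
    user: str
    site: str
    direction: str  # "in" or "out"

@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    user: str
    workstation: str
    logon_type: int  # 4624 LogonType: 2 = interactive, 10 = remote interactive

# Constructed: where each workstation physically sits.
WORKSTATION_SITE = {"WS-101": "HQ", "WS-202": "HQ", "WS-303": "Annex"}

def parse_badge_line(line: str) -> BadgeEvent:
    # Constructed CSV export from the access-control system: timestamp,user,site,direction
    ts, user, site, direction = line.strip().split(",")
    return BadgeEvent(datetime.fromisoformat(ts), user, site, direction)

def parse_logon_line(line: str) -> LogonEvent:
    # Constructed flattening of a 4624 event: timestamp,user,workstation,logon_type
    ts, user, ws, lt = line.strip().split(",")
    return LogonEvent(datetime.fromisoformat(ts), user, ws, int(lt))

def badged_in(user: str, site: str, at: datetime, badges: List[BadgeEvent]) -> bool:
    """True if the user's latest badge event at `site` before `at` is an
    unexpired 'in'; a later 'out' or no event at all means not present."""
    latest: Optional[BadgeEvent] = None
    for ev in badges:
        if ev.user == user and ev.site == site and ev.when <= at:
            if latest is None or ev.when > latest.when:
                latest = ev
    if latest is None or latest.direction != "in":
        return False
    return at - latest.when <= BADGE_VALIDITY

def evaluate_logons(badge_lines: Iterable[str], logon_lines: Iterable[str],
                    action: str = "deny") -> Dict[Tuple[str, str, str], str]:
    """Map (user, workstation, timestamp) to 'allow' or the configured action."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    badges = [parse_badge_line(l) for l in badge_lines]
    results: Dict[Tuple[str, str, str], str] = {}
    for lg in (parse_logon_line(l) for l in logon_lines):
        site = WORKSTATION_SITE.get(lg.workstation)
        # Only local interactive logons at a known site are tied to a badge-in;
        # remote and service logons are left to other controls (assumption).
        if lg.logon_type != 2 or site is None or badged_in(lg.user, site, lg.when, badges):
            decision = "allow"
        else:
            decision = action
        results[(lg.user, lg.workstation, lg.when.isoformat())] = decision
    return results

# Constructed sample logs.
SAMPLE_BADGE = [
    "2016-04-04T08:02:00,alice,HQ,in",
    "2016-04-04T17:30:00,alice,HQ,out",
    "2016-04-04T08:15:00,bob,Annex,in",
]
SAMPLE_LOGON = [
    "2016-04-04T08:05:00,alice,WS-101,2",   # badged into HQ: allow
    "2016-04-04T08:20:00,bob,WS-202,2",     # badged into Annex, logs on at HQ: action
    "2016-04-04T18:00:00,alice,WS-101,2",   # badged out before the logon: action
    "2016-04-04T09:00:00,carol,WS-303,2",   # never badged in: action
    "2016-04-04T09:05:00,carol,WS-303,10",  # remote interactive: not checked here
]

if __name__ == "__main__":
    for key, decision in evaluate_logons(SAMPLE_BADGE, SAMPLE_LOGON, "notify_manager").items():
        print(key, decision)
```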
A Tale of Four Cities (with apologies to Dickens)
“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…” – Charles Dickens, A Tale of Two Cities

Since the beginning of 2016, it seems like the worst of times. We have seen a correction in the stock market as the Chinese economic bubble has popped, taking the global oil markets with it, and bringing back the all-too-recent memories of the Internet bubble of 2000 and the financial bubble of 2008 (watch out, 2024!). The misery has spread to the Tech sector. The unicorn, unofficial mascot of Silicon Valley, which had gone from being a rare beast in 2014 to a veritable population explosion in 2015, is once again on the verge of extinction.

Yet the economic talking heads tell us this is normal, that the U.S. economy is doing well and is reasonably insulated from both the Chinese economy and the negative oil shock, and that corrections are a necessary part of the market, restoring balance after a period of irrational exuberance. So, what the heck is going on with Tech?

In 2015 I was Principal Investigator for a DHS-funded program called EMERGE, working to leverage commercial business accelerators to help commercially focused innovative companies bring some of their technology to bear on the needs of the DHS community. As part of this program we were fortunate to get an inside view of four different business accelerator programs in four different cities:
Tech Wildcatters in Dallas, TX
TechNexus in Chicago, IL
Wearable World IoT in San Francisco
And our own MACH37 here at CIT in Virginia, part of the Washington DC region
Here is what I learned. First, tech innovation does not occur in isolation; it is the result of effective regional innovation ecosystems that include customers, entrepreneurs, funding sources, a high concentration of expertise and ideas, and enough of a support infrastructure to help entrepreneurs through the early pitfalls. Each of the four accelerator programs above has done an outstanding job of helping build and then leverage its local ecosystem as an integral part of what makes each region grow.

Second, Silicon Valley is not identical to the Tech sector. Although news coverage often glosses over this fact, innovation occurs in many places across the country. I will argue below that while Silicon Valley is indeed unique in many ways, generalizations based on that unique set of circumstances can often be wrong. In the current situation, the doom and gloom based on over-priced investments there is less relevant in other parts of the country.

And so, the four cities.

Dallas – Texas has several innovation centers, including both Dallas and Austin. There is a diverse industry base, with concentrations in energy, health care/life sciences and tech, a significant university presence, and a good concentration of wealth. Tech Wildcatters has successfully provided leadership to the region’s startup community with special programs in both health care and tech, most recently moving to a year-round program from the more typical discrete sessions. Dallas is a vibrant startup location, although it is unclear what effect the collapse of oil prices may have on access to capital in the region.

Chicago – Political issues aside, Chicago has the benefit of a high concentration of Fortune 500 corporate headquarters, a robust investment sector and a strong university presence. TechNexus has done a masterful job, first in priming the innovation ecosystem 7 or 8 years ago, and now in tapping into the innovation needs of corporate strategic partners who are looking to early-stage companies as a source of new products and ideas. If the city can recover from its social strife, it is certainly positioned to continue as a significant center of tech innovation.

San Francisco – San Francisco/Silicon Valley is the undisputed investment capital of the world for tech. According to Pitchbook, in the third quarter of 2015 more than 27% of all the venture capital invested globally came out of Silicon Valley. China has risen rapidly as both a source and target of VC investment, although the collapse of the economy in China seems certain to be a major setback in this area, as the graph seems to indicate starting in Q4 of 2015. New York ranks third on this list, providing just north of 8% of the globally invested capital.

Yet with all that money floating around, it appears that some Silicon Valley investors may have had more dollars than sense. If you look at the number of deals and the dollar amounts as compiled by Pitchbook, the dollars invested continued to rise in 2015 even while the number of deals plummeted, leading to a rapid rise in median valuations. By comparison, valuations in New York during this same time were only 10% of the San Francisco valuations, an enormous disparity. There are some possible alternative explanations for this disparity (bigger opportunities, a move towards later-stage investments, etc.), but both the anecdotal evidence at the time (“too much money chasing too few deals” was a sentiment we heard more than once) and the subsequent down rounds of investment even for some of the high flyers indicate that over-valuation on the part of investors was at least one primary cause of the disparity.

A second point. Why on earth would you want to locate and operate a company in the outrageously expensive environs of San Francisco, where none of your employees can afford to live? Or Palo Alto, where Palantir is driving out start-ups by snapping up office space at high rents? Well, there are certainly some reasons: if you want to hang with the cool kids, California is the place you ought to be. If you need to raise a billion dollars or so, where else would you go? And certainly if you want frothy valuations during the good times, the target destination is clear.

A recent Harvard Business School study (http://www.hbs.edu/faculty/Publication%20Files/09-143.pdf) hinted at one possible evolution of this trend. According to the study:

“Venture capital firms based in locales that are venture capital centers outperform… [as a result of] outsized performance outside of the …firms’ office locations…”

That is, if you are a VC you want to be in one of the centers of VC activity because there is a strong ecosystem of investors… but the big returns are to be found by investing in other places. Certainly Silicon Valley is not going away as the primary center of activity. Increasingly, however, those investors seem to be syndicating with other groups in places such as Dallas, Chicago or…

Washington DC – The region centered around Washington DC is generally considered to include Maryland, Virginia (or at least Northern Virginia), and DC itself. The Federal Government is a large presence, along with some of the specialty areas, such as cybersecurity and data analytics, that it has helped develop. Health care/life sciences is also a major player in the area, and there are multiple world-class universities that support the ecosystem. The region generally ranks in the top 10 innovation areas of the country, and the area’s capital investments are growing, actually increasing in the 4th quarter of 2015 even while investments were declining nationally. One reason for this increase is the growth in cybersecurity, with the potential for more than a billion dollars in cybersecurity investments in the region in 2016. The two biggest areas were health care/bio and software (including cyber), and there is an organized, active ecosystem working to promote the growth of these and other industry sectors.

Conclusions – Clearly the stock market is in correction territory, driven initially by economic issues in China and the energy sector. While the tech sector also appears under pressure, the fundamentals here are very different. In the short term, what appears to be a broad retrenchment in the sector is actually mostly a correction of inflated valuations on the West Coast that are not indicative of the sector as a whole. As Rick Gordon, Managing Partner of the MACH37 Cybersecurity Accelerator, puts it: “while Silicon Valley has been out on the great unicorn hunt, we have been building an army of cockroaches… small, fast, nimble, designed to survive a nuclear winter, and available at a reasonable price.”

The age of easy money from building the next mobile app may be behind us, but the advent of autonomous vehicles, personalized medicine, data-driven everything and more will ensure that the tech sector will continue to drive the next wave of innovation and economic growth for decades to come. But it is increasingly likely that the actual innovations will be found in places like Dallas, Chicago and the Washington region, even if the investment capital still flows from New York and Silicon Valley.
Cyber Insurance
When most people think of cybersecurity, they think of IT departments protecting corporate networks, or individuals at home on their personal computers. But cybersecurity is differentiating rapidly as more people realize its actual goal is to improve the reliability of some other business process or product, and not an end in itself. Since these business processes vary widely from one industry to another, it makes sense to talk about the unique issues and approaches faced by individual market verticals. One such vertical: Cyber Insurance.

The October 1 edition of the excellent Security Leaders dinner series conducted by @mach37cyber, co-hosted by Mach37, AOL, and Marsh & McLennan at the AOL Fishbowl, was a highly interactive, highly informative panel discussion with insurance industry and related legal professionals on the topic of Cyber Insurance. Cyber Insurance is designed to cover some of the costs in the aftermath of a cybersecurity incident, including items such as forensics to determine what happened and the extent of the damage, public relations to communicate with customers and other stakeholders, remediation costs such as credit monitoring, and legal costs for defending lawsuits that arise as a result of a breach or loss of data. These costs for businesses that experience a cyber incident continue to increase rapidly.

It is clear that cyber insurance is still a very nascent but rapidly growing industry that faces some difficult challenges. Unlike the more familiar life insurance, car insurance or hazard insurance, there is no long claims history from which to determine actuarial risk. There is no agreed set of standards or guidelines, analogous to "stop smoking", that are guaranteed to reduce risk for most customers. Every insurance need is essentially custom to the situation (the panelists all agreed businesses should pay attention to coverages and exclusions such as "acts of war"), with businesses handling health information or PII facing very different imperatives than those handling primarily credit card or other financial transactions. And the way that business is conducted, with online brokers promising several competitive quotes within a few hours, means that the due diligence to determine a business's cyber posture, or even whether it is already breached when the policy is written, is not practical. The remedy for the latter is an increasing reliance on third-party audits or certifications regarding the business practices of businesses seeking insurance.

Insurance claims start when an insured business has knowledge that something has happened, so for data breaches this means the company must be at least sophisticated enough to know that something is wrong. But as one panelist indicated, the most commonly reported incident is "hack" (not a very sophisticated description), accounting for about 1/3, while lost laptops and even lost paper still account for significant portions of claims. The insurance company can help bring in forensics and other experts to determine the extent of losses and help stop further losses, and then supports later steps in the remediation and recovery process.

In discussions after the panel, a couple of interesting questions came up. First, is cyber insurance more like car insurance (where different skill levels are reflected in different accident rates, allowing lower premiums for good drivers) or more like life insurance (where every insured person experiences exactly one death and premiums are essentially financing the cost of activities around dying, requiring higher premiums for those with a shorter expected time period to do the financing)? Ideally this would look more like car insurance, with a set of specific steps to reduce the chances of an accident, but most people seemed to believe it is currently more like life insurance: financing for that first event, after which businesses take more extensive steps on their own to prevent a recurrence.

A second interesting question was whether people in the crowd would want to be in this insurance business (an admittedly skewed sample, since the audience was mostly techies). The large majority of people I spoke with said "no", since it seems almost the luck of the draw which companies will survive in the market; if your business base doesn't experience many costly claims then you're probably OK, but the market dynamics make that extremely difficult to determine.

The third interesting post-panel question revolved around the asymmetry in risk and damage in this ecosystem as a whole. The best example here is the loss of PII from a business with cyber insurance. While a business with poor cybersecurity practices certainly incurs costs related to a breach, the harm also falls extensively on the individuals whose PII has been compromised. But the harm to the business is mitigated by the insurance, while the harm to individuals is less well covered (hence, lawsuits). Credit monitoring is sort of like jail time: once you reach three or four life sentences, adding additional coverage doesn't really help very much. One could hope the cyber insurance industry is taking steps to help mitigate risks for businesses seeking good practices, while not protecting businesses who seek only to profit at individual expense.

Finally, there are a variety of interesting conclusions for early-stage companies looking to sell cybersecurity products to businesses in the age of cyber insurance. For entrepreneurs involved with forensics or risk management, it may be that the insurers are your primary market rather than companies directly. In the era of risk management, businesses are no longer seeking to drive their risk to zero. Instead this becomes a cost tradeoff: at what point does additional technology cost more than the insurance to protect against the same level of risk? For a cybersecurity vendor, not only are you competing with other equivalent vendors for a share of the fixed security pie, now you are competing with a range of alternatives, some of which are not even technology-based.

Cybersecurity insurance will continue to grow as a dynamic force in this market. It is unclear exactly how those dynamics will evolve, however, so prudent companies should continue to watch this industry vertical carefully.
Bring-Your-Own-Keys: Bringing Trust into SaaS
Below is a guest post by Karthik Bhat, founder and CEO of SecureDB, a MACH37 portfolio company. SecureDB's Encryption as a Service product makes implementing encryption into applications fast, easy, and inexpensive for businesses of all sizes - from startups to Fortune 500. Learn more about SecureDB at https://securedb.co/.
- Ledger West, Associate Partner, MACH37
Over the last few years, a wide variety of internal business functions (HR, payroll, CRM, e-signature, benefits management, health insurance, project management, etc.) have moved to SaaS companies. With more and more enterprises handing over their sensitive data to SaaS providers, there is a tremendous need to protect this data in the cloud using encryption. Any responsible cloud provider should be encrypting this sensitive customer data and following proper key management practices.
However, the biggest challenge of cloud-encryption is: who owns the keys? Quite a number of companies will be okay with their SaaS provider owning and managing the encryption keys. Many will not.
The need of the hour is for cloud platforms and SaaS companies to allow their customers to bring their own encryption keys: Bring Your Own Keys (BYOK). This way, customers can rely on SaaS companies without any apprehension about data leaks. BYOK ensures that a SaaS company's access to customers' business data is always controlled. Thus, cloud providers and SaaS companies can continue focusing on the core value that they provide to enterprises, without sweating much about the security of sensitive customer data.

Why BYOK is Important

The beauty of BYOK is that enterprises have full control over the life cycle of the keys (generation, usage, backup, rotation, etc.). The enterprise can also assign specific permissions on the encryption keys that limit what the cloud provider can do with the keys (for example, grant only 'encrypt' and 'decrypt' permissions and not 'key-rotate' or 'key-delete' permissions). The enterprise can also view the key usage logs to ensure the keys are used in accordance with the agreement.
When the enterprise wants to cease using the SaaS provider, they could download their data and simply revoke the access to the key. The SaaS provider no longer will be able to view or process the data. No more worries about whether the SaaS provider has done the right and responsible thing and deleted your data.
Bring Trust into SaaS

At SecureDB, we anticipate this to be the next logical step in accelerating SaaS adoption.
Bring-Your-Own-Keys (BYOK) for data encryption converts cloud and SaaS (inherently untrusted) environments into trusted environments.

Consider this: when your company is using a SaaS service, your company data is most likely sitting right next to some other company's data, in the same table or in the same database. This means that if an attacker finds a way to compromise the SaaS provider's database, your company data is compromised just like everyone else's.

Enter BYOK. If the SaaS provider supports BYOK, your data is encrypted using keys you own. Now you are protected against a whole slew of attack vectors. You can revoke the keys at will. This is in the best interest of SaaS companies too: they can vastly reduce their exposure to risk.
Write this into the contract

Before a company hands over data to a SaaS company, it is in the company's best interest to ensure the SaaS company is encrypting the data. Call out the specific fields that must be encrypted and provide the SaaS company with the BYOK key.
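As an added example (not SecureDB's product or API; the key service, the permission names and the HMAC-based stand-in cipher are assumptions), the following Python models the BYOK arrangement described under "Why BYOK is Important" and "Bring Trust into SaaS": the enterprise's key service holds the key-encryption key, the SaaS provider holds only wrapped per-record data keys and ciphertext, it is granted encrypt/decrypt but not key-rotate, each key use is logged, and revoking the grant leaves the provider unable to read the data it still stores.

```python
"""Bring-Your-Own-Keys (BYOK) for a SaaS tenant, modelled in Python.

Added illustration, not SecureDB's product or API. The enterprise keeps its
key-encryption key (KEK) in its own key service; the SaaS provider holds only
ciphertext plus per-record data keys (DEKs) wrapped under that KEK, is granted
'encrypt'/'decrypt' but not 'key-rotate', has every key use logged, and loses
access to the data when the grant is revoked. The cipher is a constructed
HMAC-SHA256 keystream with an encrypt-then-MAC tag (a stand-in for AES-GCM).
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class PermissionDenied(Exception):
    pass

def _attempt(action) -> bool:
    """Run an operation against the key service; False if it was refused."""
    try:
        action()
        return True
    except PermissionDenied:
        return False

class EnterpriseKeyService:
    """The customer's key store. The KEK never leaves this object."""
    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self.grants = {}     # principal -> set of permitted operations
        self.usage_log = []  # (principal, operation, outcome) records
    def grant(self, principal: str, permissions) -> None:
        self.grants[principal] = set(permissions)
    def revoke(self, principal: str) -> None:
        # Offboarding: the provider keeps its ciphertext but loses KEK access.
        self.grants.pop(principal, None)
    def _authorize(self, principal: str, op: str) -> None:
        allowed = op in self.grants.get(principal, set())
        self.usage_log.append((principal, op, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionDenied(f"{principal} may not {op}")
    def wrap(self, principal: str, dek: bytes) -> bytes:
        self._authorize(principal, "encrypt")
        return seal(self._kek, dek)
    def unwrap(self, principal: str, wrapped: bytes) -> bytes:
        self._authorize(principal, "decrypt")
        return unseal(self._kek, wrapped)
    def rotate(self, principal: str) -> None:
        # A real rotation would re-wrap existing DEKs under the new KEK first.
        self._authorize(principal, "key-rotate")
        self._kek = secrets.token_bytes(32)

class SaaSProvider:
    """Holds only wrapped DEKs and ciphertext; never sees the customer's KEK."""
    def __init__(self, name: str, kms: EnterpriseKeyService) -> None:
        self.name, self.kms, self.records = name, kms, {}
    def store(self, record_id: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)            # fresh data key per record
        wrapped = self.kms.wrap(self.name, dek)  # needs 'encrypt' on the KEK
        self.records[record_id] = (wrapped, seal(dek, data))
    def read(self, record_id: str) -> bytes:
        wrapped, ct = self.records[record_id]
        return unseal(self.kms.unwrap(self.name, wrapped), ct)  # needs 'decrypt'

def demo():
    """Grant, use, denied rotation, then revocation; returns the outcomes."""
    kms = EnterpriseKeyService()
    kms.grant("hr-saas", {"encrypt", "decrypt"})  # no key-rotate / key-delete
    saas = SaaSProvider("hr-saas", kms)
    saas.store("emp-42", b"salary=123456")        # constructed sample record
    before = saas.read("emp-42")
    rotated = _attempt(lambda: kms.rotate("hr-saas"))
    kms.revoke("hr-saas")
    readable_after = _attempt(lambda: saas.read("emp-42"))
    return before, rotated, readable_after, list(kms.usage_log)
```

After `demo()` the usage log shows the provider's allowed encrypt/decrypt calls, the denied key-rotate attempt, and the denied decrypt after revocation, which is exactly the audit trail the post says the enterprise should be able to review.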
We agree, this is still a few years out. But we need to start somewhere. Please share your thoughts in the comment box below.
CISOs Don’t Want Your Analytical Tools
In his March 20th Cyber Intelligencer, Anup Ghosh nailed it with his description of the failure of our traditional Prevent, Detect and Respond strategy. As Anup proposes, given the state of our collective failure, a move toward a strategy that is focused on Containment, Identification (of compromised assets and adversaries), and regaining Control of compromised networks is a sounder approach.

In his piece, Anup correctly indicts the purveyors of Detection tools, who:

“[have] only succeeded in producing prodigious alerts and data dumps that understaffed and over-worked security teams now have to wrestle with. Few organizations have enough resources to sort through the volume of alerts their solutions provide and the terabytes of log data required to derive actionable insight at the speed and scale that is required.”

As the industry and our customers move forward toward Identification and Control, information security capabilities will necessarily evolve away from emergency response and dispatch playbooks and toward more sophisticated analytical approaches. Unfortunately, given that the population of information security personnel with strong intelligence and analytical skills is about as abundant as Valyrian steel, if we don’t alter the way these tools are delivered, we are destined to fail again.

Of course, well-funded purveyors of analytical tools who have effective sales and marketing teams will be able to sell their expensive on-premise tools to large government information security organizations and the Fortune 100. But, given the volume of their data and the speed with which customers need to take action, they won’t be happy with their results.

Ironically, the good news for these vendors is that the rest of the market can’t afford to deploy their capabilities. How many non-Fortune 100 companies do you know who have advanced threat intelligence cells and big data log analysis infrastructures? So at least they won’t be pissed.

At the end of the day, I believe that even large-company CISOs really don’t want to buy analytical tools. Rather, they simply want prioritized recommendations and enough confidence in the analytical rigor behind those recommendations to take meaningful action.

To us, solutions that invert the analytical process, providing prioritized actions based on rigorous analysis and shared intelligence, and walking customers backwards through the analysis only if they care, are going to be winners. Using machines rather than people to triage massive volumes of intelligence based on relevance and risk to an organization is inevitable. Solutions that leverage more affordable As-a-Service delivery models that enjoy economies of scale for both computational resources (i.e., elasticity) and analytical human capital make the most sense.

At Mach37, we agree with Anup. We continue to prospect for and invest in solutions that will deliver affordable advanced intelligence and analytical capabilities to satisfy the growing need for Identification and Control. We believe these solutions will allow us to avoid the mistakes of the Detection vendors, finally getting it right this time.