Whenever people think about cybersecurity, technology, and innovation, they tend to think about Silicon Valley, but The Cipher Brief asked Bob Stratton, a General Partner at MACH37™, in what other regions he is seeing a lot of innovation, or perhaps even the most innovation.
Bob Stratton: Interestingly, one of the founding premises around our organization and what was originally an intuition, I now can prove with data: the mid-Atlantic region actually has the highest density of security talent—maybe anywhere. So the question was, well, why don’t we see as many product companies given that we’ve got this amazing talent base that understands the threat and understands these problems, maybe in ways that a lot of other people don’t?
There are a couple of factors that went into that. First, access to investment capital is always a challenge. It arguably might be more of a challenge on the East Coast, or at least a different challenge. Second, there are also certain skillsets in the Valley that are more prevalent—security not being one—and that is product management. We know that a lot of these founders with innovative new security products are probably going to be technical founders, and the place where they really do need the help the most is around product management, around business operations.
What was sort of a theory I think we have now proven. The talent is there, the ideas are there, the technologies are there, but what they needed was this supporting ecosystem. It’s not just investment, it’s not just product management. It’s mentors who have been there and done that, it’s access to customers who might be willing to try a very rough-around-the-edges proof of concept or pilot in a real enterprise.
TCB: You touched on this a little bit, but what do you think are the factors or conditions that are providing such a fertile space for this sort of innovation on the East Coast?
BS: Obviously the proximity to government is a factor. Even in our portfolio, we’ve had folks who’ve had some very rarified skill sets in places where they couldn’t talk about what they did, and understood a problem to a depth that even in the commercial world, even with some resources, people often don’t get the opportunity to dive, or research, or delve. They realize that they understood things about solving problems that could help everybody or a large market, and they wanted to build a company that would allow them to do that.
The other piece of it is that you have a lot of people in the service side of security. They will build things for customers sometimes, and even though they may have built it to solve one customer’s problem, a whole bunch of people may have that same problem, and they just need to take that leap to figuring out how do you sell a product versus your time. A big motivation that I’ve seen, and it’s one of my personal ones, is those of us on the services side don’t scale. If I really want to make a dent in this problem that I think is pervasive and affecting everybody, I have to figure out how to take some little piece of expertise and embed it in something that I can reproduce a thousand or million times and distribute more widely, and then I have more impact.
TCB: You did mention that the proximity to government was one of the factors. What do you see as the government’s role in fostering and promoting innovation? I know that a lot of agencies, like the NSA, have tech transfer programs that allow you to license things like that.
BS: They do.
TCB: How does the government interact with innovation?
BS: I may be biased because I was at In-Q-Tel for its first five years; I’ve spent a lot of my career doing things to help the government and doing technology transfer. There are some really positive developments that I see going on. I’ve spent time with, for example, the National Science Foundation at DHS (Department of Homeland Security) on the transition practice side. I have seen materially different approaches and some real changes of solicitation around research funding that I think are the result of taking feedback from people who might spin technologies out, people who might start companies with research they did, but who had found some stumbling blocks or rough edges.
In the last two years I’ve seen real moves on the part of, and in particular, the NSF for listening to feedback and adjusting to what they heard and really trying when they do small business innovation research grants, for example, to make it as streamlined as possible for people to spin that work out into a commercial product. We all win when that happens.
What I learned at In-Q-Tel was that many of the problems the government has are exactly the problems everybody else has, and to the extent we don’t automatically view them as special or different, we have a much better shot at getting real solutions that are affordable and where the government’s not paying 100 percent of the freight. I think the government has gotten a lot better about taking research performers and giving them some training or guidance in the commercial process and also providing relationships with other organizations, even like my own, to get plugged into places where people should go when they have something new.
TCB: On the flip side of that, there has been a lot of tension between the tech industry and the federal government recently over issues like privacy and encryption. It seems like it’s generating bad blood between them. How do you see that playing out?
BS: I don’t want to speak for my whole industry, but I think many practitioners all share some of the same concerns. I was involved in the previous round of tension around cryptography and commercial development of the cryptography market. I have the scars from that experience. Unintended consequences are a very real risk, and I don’t think you can engineer security just good enough to allow some of these things and not allow some of these others without creating exposures.
The reality is some of these are not technical issues, they are policy issues and if we have an open dialogue, we as a people can decide what we do and don’t want to do. But you have legislation in what seems to be these completely separate realms that affect the security industry.
I’ll give you a good example. The Digital Millennium Copyright Act has restrictions on reverse engineering that can affect security researchers. I know some who have moved their work offshore so as not to run afoul of it because they can’t quantify the risk. I don’t want my good security researchers leaving the country to do their job.
The same with cryptography, it’s a tool. Tools can be used in good ways and in bad ways. But we can’t intentionally leave things unfixed for policy reasons. What we need to do is to have the conversations and figure out what’s ok and what’s not ok and proceed from there, because the alternative is that you make products that are weak and then, whether it’s fraudsters, or terrorists, or somebody else gets to take advantage of all of our tools and infrastructure and that’s not going to help national security.
And by the way, the internet of things just puts an exponent on all of this.
TCB: It seems like the tech innovation scene in the Mid-Atlantic region/East Coast has changed significantly in the last couple of years. How do you see it changing moving forward, and are the key drivers of any of these future changes different, or do you think it’s more a continuation of what we’ve already covered?
BS: There’s a global realization that has people saying “for economic reasons alone, if you have to staff a company, pay salaries, and have those people have a place to live, you have a real challenge if you’re going to do it in certain parts of the country.”
In southwest Virginia, where you see this amazing coalescence of local government, university authorities, telecom providers, and real estate people saying, “Look, if there are jobs, industries that you can put in these places, we will make that happen in an attractive way for companies, even early stage companies.” They’re serious, and all the people are in the room. This is what we’ve been seeing. I can put security operations any place where we’ve got good connectivity and bright people. You’ve got that going on worldwide.
You’ve also got a lot of investors who realize that the security problem affects everyone and everything. If you use anything that’s got a battery in it or plugs in, we have to think about these things. There’s certainly always been interest on the investor part, and I think the range of investors has broadened. You have definite appetites on the part of large enterprises to try very early stage, new approaches, like a proof of concept from a startup company. This has always happened, but I’ve been at other investor events recently, where everybody in the room at these big shops and chief information security officers have said, “We absolutely try things no one has ever heard of, from little companies no one has ever heard of, because these problems have not gone away.”
My experience is most customers are very willing to tell people about the problems that aren’t solved yet, and my message to anybody who has a new security approach or a technology is: validate the value of it with people who actually have the problem.
We security people have a tendency to sit on our good ideas, afraid somebody might take them. This is not the time to do that. You can get really good feedback from people with these real challenges, and they’re happy to engage with early stage companies. I have the good fortune to facilitate that, but the truth is, it’s out there, and it’s happening all the time.