May 2018

Maryland recently enacted two new cybersecurity industry tax credits — good news for Maryland’s cybersecurity industry and also an example of how a business-oriented group can turn advocacy into results.

The first tax credit will promote investment in Maryland’s cybersecurity product companies by providing a credit for individuals and entities that invest at least $25,000 in those businesses. The second tax credit encourages small businesses to purchase cybersecurity products or services from Maryland-based businesses, by giving them a tax credit equal to 50 percent of qualified spending. The aggregate amount of the tax credits available for both purposes is $10 million over the next two years.

If you have been paying attention to diverse groups such as The 2030 Group, the Montgomery County Economic Development Corp. and TEDCO, you know that each has been advocating for greater investment in building cybersecurity product companies and encouraging regional businesses to buy local when purchasing technology. They and others have also often pointed out that small businesses are actually the most at risk for cyberattacks, since they often do not have the resources to purchase cybersecurity technologies. Based on this, it shouldn’t be surprising to learn that the creation and promotion of these tax credits results at least in part from strong business community engagement.

Somewhat surprisingly, the Cybersecurity Association of Maryland Inc. led the charge on this legislation. I’ve always found CAMI interesting. It is a not-for-profit that was formed by Art Jacoby to promote the growth of Maryland’s cybersecurity industry. Art formed the group because he saw a need for it; he was an entrepreneur who saw a market need that needed to be filled. CAMI wasn’t formed as a legislative advocacy group. Its mission was to show which companies were growing in Maryland’s cybersecurity industry via its on-line directory of cybersecurity companies and to create opportunities for these companies through business connection events. CAMI’s leadership took a small budget, and, like many entrepreneurs I know, bootstrapped CAMI’s way to relevance.

Talking with Executive Director Stacey Smith, I learned that CAMI had looked at the Maryland cybersecurity legislative landscape and decided to take an entrepreneurial risk. Legislation that would have accomplished many of the objectives of the recently adopted tax credits had languished during last year’s legislative session. Rather than wait for others to advocate for these credits, CAMI decided to take the financial risk of hiring a legislative expert and jumping into the legislative process. CAMI went from connecting members of the cybersecurity industry with one another to connecting these members with legislators.

As is often the case when members of the business community start to speak with a single voice, policy makers paid attention. For example, Guy Guzzone, a Maryland state senator from Howard County, shared with me that CAMI’s engagement in the legislative process was a “very significant” reason why the cybersecurity industry tax credits were adopted on a bipartisan basis.

Smith had worked in the Maryland government before taking on the leadership of CAMI. She sees the tax-credit process as a template for how the region can grow more rapidly. Because cybersecurity is a very fast-moving industry, government policy makers often cannot move quickly enough to keep up.

“What works best is to have a partnership of collaboration between the public and private sector, with the public sector providing some of the resources and connections needed by the private sector while seeking insight from the private sector and relying on the private sector to execute on the plan,” she says.

I see in CAMI’s actions a successful model for how to combine entrepreneurial energy and engagement with the government to achieve a business community objective. It’s another example of how the region’s business leaders can accomplish meaningful changes when they work together.

It also provides an additional lesson of broader application. The overall financial amount of the tax credits — $10 million – is a far smaller amount than dollars made available to attract large businesses. It will be interesting to see over the next two years how many Maryland cybersecurity businesses will benefit from these tax credits. My suspicion is that the number will be significant. There’s no better way than finding new customers to help a business grow – getting financial assistance to find them is a big deal.

Although policymakers will often focus on hunting elephants – searching for the next large company to locate in their jurisdiction – the best solutions are often found in helping the businesses that are already there. Asking them what they need and finding ways to promote their growth is just as important as elephant hunting, if not more so. And it’s usually easier and cheaper to accomplish.

Read more

What does it take to be a founder of a cybersecurity startup in the Greater Washington region? Prior experience, according to a new study from American University’s Kogod School of Business.

Professor Erran Carmel led a team at Kogod’s Center for Business in the Capital that looked at the founding teams of 177 pure-play cybersecurity companies – businesses that operated exclusively in cybersecurity. A previous study that Carmel and I had done showed that our region had more than 850 cybersecurity companies, which was important and useful information. But as Carmel put it, “I thought there was something missing. We knew how many companies were engaged in cybersecurity, but we didn’t know who was starting them. I thought by focusing on pure-play companies, I would get a clearer picture of where our cybersecurity company founders come from.”

His report has some eye-opening observations. Almost three-quarters of these firms had at least one founder with prior experience either as a vendor to the national security establishment or as a government employee working in that area. More than half had a founder with government service in their background. This struck me as an important confirmation of what many had sensed – that our local cybersecurity industry is tied closely to the national security sector.

Another significant finding was about the level of prior experience of the sampled cybersecurity founders. Almost nine out of 10 founders had prior cybersecurity experience. Unlike some other technology sectors where founders could have more varied experiences, there appears to be a close connection between developing hard technical skills in the cybersecurity domain and business formation. If this is true, then cybersecurity is clearly not an area where you can wing it.

Carmel’s other findings should also encourage policymakers. Almost eight in 10 founders were residents in the Greater Washington region prior to starting their most recent firm. Moreover, more than a quarter were serial entrepreneurs, which means that experienced individuals are staying in the region to start new companies. Generally, a technology community’s effectiveness is evaluated by how well it does at retaining entrepreneurial talent. This makes Carmel’s latest report good news for the region.

What concerns me, however, is how the new data reinforces a troubling conclusion from our earlier work together. Greater Washington’s cybersecurity industry is far too dependent on delivering its technology as part of consulting engagements. Previously, we had shown that only 5 percent of all cybersecurity companies in the region were product-oriented, with the vast majority delivering technology as a service. Even when Carmel focused on pure-play cybersecurity businesses for his recent study, the percentage was still low: only 10 percent.

I shared these findings with a number of our region’s leading cybersecurity entrepreneurs and investors to get their reactions.

No one was surprised by the prior experience point, although a few were surprised the percentage was so high. Venture investor Stephen Smoot of Lavrock spoke for the group when he observed “entrepreneurs obviously lean on their prior experience when starting a company. Given that the majority of cyber talent in this region cuts its teeth in and around government customers, I’m not surprised.”

The bigger area of concern was the lack of product companies. Some, like Anup Ghosh, the founder of Invincea, a commercially successful cybersecurity product company, put the blame squarely on a shortage of venture capital, pointing out that “product oriented companies typically require more startup capital,” making access to capital a key challenge for entrepreneurs in the region. Kevin DeSanto, co-founder of Kipps DeSanto and a merger and acquisition expert in cybersecurity, thinks that the lack of capital properly leads entrepreneurs go grow service businesses, since customer revenue from the government is where they find the money to grow in the absence of risk capital.

Work like Carmel’s gets us closer to understanding our region’s innovation ecosystem and being better able to diagnose our challenges and to see opportunities. With respect to new company creation, we are fortunate to be proximate to the national security establishment because it is a tremendous developer of cybersecurity talent and a key customer. Our efforts to grow new companies should reflect that this is not an industry for the inexperienced, but one that rewards proven competence and expertise. It is also an industry that remains heavily reliant on less profitable business models.

As we consider how to grow our technology economy, this most recent data reinforce that if we focus on experienced cybersecurity technologists and giving them the support they need to grow product-oriented businesses, we can accelerate regional economic growth.

Read more