Professor Erran Carmel led a team at Kogod’s Center for Business in the Capital that looked at the founding teams of 177 pure-play cybersecurity companies – businesses that operated exclusively in cybersecurity. A previous study that Carmel and I had done showed that our region had more than 850 cybersecurity companies, which was important and useful information. But as Carmel put it, “I thought there was something missing. We knew how many companies were engaged in cybersecurity, but we didn’t know who was starting them. I thought by focusing on pure-play companies, I would get a clearer picture of where our cybersecurity company founders come from.”
His report has some eye-opening observations. Almost three-quarters of these firms had at least one founder with prior experience either as a vendor to the national security establishment or as a government employee working in that area. More than half had a founder with government service in their background. This struck me as an important confirmation of what many had sensed – that our local cybersecurity industry is tied closely to the national security sector.
Another significant finding was about the level of prior experience of the sampled cybersecurity founders. Almost nine out of 10 founders had prior cybersecurity experience. Unlike some other technology sectors where founders could have more varied experiences, there appears to be a close connection between developing hard technical skills in the cybersecurity domain and business formation. If this is true, then cybersecurity is clearly not an area where you can wing it.
Carmel’s other findings should also encourage policymakers. Almost eight in 10 founders were residents in the Greater Washington region prior to starting their most recent firm. Moreover, more than a quarter were serial entrepreneurs, which means that experienced individuals are staying in the region to start new companies. Generally, a technology community’s effectiveness is evaluated by how well it does at retaining entrepreneurial talent. This makes Carmel’s latest report good news for the region.
What concerns me, however, is how the new data reinforces a troubling conclusion from our earlier work together. Greater Washington’s cybersecurity industry is far too dependent on delivering its technology as part of consulting engagements. Previously, we had shown that only 5 percent of all cybersecurity companies in the region were product-oriented, with the vast majority delivering technology as a service. Even when Carmel focused on pure-play cybersecurity businesses for his recent study, the percentage was still low: only 10 percent.
I shared these findings with a number of our region’s leading cybersecurity entrepreneurs and investors to get their reactions.
No one was surprised by the prior experience point, although a few were surprised the percentage was so high. Venture investor Stephen Smoot of Lavrock spoke for the group when he observed “entrepreneurs obviously lean on their prior experience when starting a company. Given that the majority of cyber talent in this region cuts its teeth in and around government customers, I’m not surprised.”
The bigger area of concern was the lack of product companies. Some, like Anup Ghosh, the founder of Invincea, a commercially successful cybersecurity product company, put the blame squarely on a shortage of venture capital, pointing out that “product oriented companies typically require more startup capital,” making access to capital a key challenge for entrepreneurs in the region. Kevin DeSanto, co-founder of Kipps DeSanto and a merger and acquisition expert in cybersecurity, thinks that the lack of capital properly leads entrepreneurs go grow service businesses, since customer revenue from the government is where they find the money to grow in the absence of risk capital.
Work like Carmel’s gets us closer to understanding our region’s innovation ecosystem and being better able to diagnose our challenges and to see opportunities. With respect to new company creation, we are fortunate to be proximate to the national security establishment because it is a tremendous developer of cybersecurity talent and a key customer. Our efforts to grow new companies should reflect that this is not an industry for the inexperienced, but one that rewards proven competence and expertise. It is also an industry that remains heavily reliant on less profitable business models.
As we consider how to grow our technology economy, this most recent data reinforce that if we focus on experienced cybersecurity technologists and giving them the support they need to grow product-oriented businesses, we can accelerate regional economic growth.