Thursday, May 26, 2016

From public sector to private sector: A view from the trenches.

(An abridged version of this post appeared in the CipherBrief on May 15th, 2016) 

In 2009 I left a job at the Defense Advanced Research Projects Agency and started Siege Technologies. My goal was to fill the vacuum of small, innovative companies building advanced, disruptive technical solutions in offensive and defensive cyber warfare left by recent large corporate acquisitions.  The last day at DARPA I signed paperwork removing all the accesses I had received during my time there with DARPA and our numerous partners. They took my green badge, CaC card, DARPA badge, and computer. I felt a little like George Banks in Mary Poppins when the bank fires him and proceeds to destroy his umbrella and poke a hole in his hat as part of the discharge process.  I founded Siege Technologies two weeks later and slowly collected most of those resources again over time. The experience was extremely informative and provided some important lessons for anyone contemplating a move into private industry from government or into a startup from a large company.

Advantages of government experience

There are some powerful advantages that time in government provides someone making the plunge into entrepreneurship. The biggest is a perspective on what’s going on at a national or even global level. Insights into the hard problems, operational challenges and thought leaders are invaluable takeaways from government service. Additionally, the friends and contacts created throughout government, industry and academia can provide valuable assistance down the road. Having worked as a contractor, government employee and corporate employee again, there’s a big difference walking into your favorite government agency with a “blue badge” versus a “green badge”. Having a government badge causes government people to assign moral characteristics to you that are significantly different from the negative assumptions sadly pinned on contractors. And strangely, these positive views follow you out into corporate America. Even though I was the same person throughout the experience, there is a significant difference in how the people you meet while wearing the government badge perceive you, during and after government service.

Starting from scratch is hard

It is not easy to take a blank piece of paper and write a novel. Starting a company is similar, as building something from nothing requires the ability to see a future that does not yet exist, and execute to make that vision a reality. Taking a small firm and helping it break out of a small business mindset to reach its potential is equally hard (and maybe harder in some ways) because you need to reshape structures that may have hardened and take on risk that may have been previously discarded or avoided. The technical team, technology, access to customers and partners, cash, and information are never as robust as you would like and are often in a state of flux. A challenge unique to moving to a startup from government is the gossip mill of other disgruntled government/commercial individuals who allege stolen ideas, inside access, or other improprieties as the real drivers of success. Changing the mindset of the brave souls who move from the comfort of government to the excitement of a startup is imperative, as there is no checklist of procedures or higher authority to consult before getting things done. Sitting at your desk or attending meetings is not going to get a product built or customers signed up; startups are an exercise in energy exertion. I vividly remember talking to my wife in December of 2009 about whether we would have a paycheck before Christmas and estimating how many days until our final credit line was maxed. Getting my first Siege paycheck on Christmas Eve was the best Christmas Eve gift I’ve received! As Benjamin Franklin said, “Nothing ventured, nothing gained”.

Smaller is riskier

There is a big difference between a job in the government, a job at a big business and a leadership position in a startup. The government has a difficult job ever firing anyone or laying people off, although it does happen on rare occasions. Big business doesn’t usually fire people and layoffs are usually focused on culling the weaker ranked employees (although entire segments of the business can be felled in a single swipe!). And while small companies engage in layoffs and firing, they introduce a new variable into the equation: Cash. In business they say “cash is king” because without it, a business cannot conduct operations. Starting a company involves working for free, reduced pay, gaps in funding, contributing money, and wondering how to make payroll, as well as borrowing money from friends and banks and signing numerous contracts as the guarantor. Even well funded VC-backed firms have to worry about cash throughout the process and keep track of the “going out of business” point when your burn rate chews up the cash in the bank.

Smaller is faster

Making decisions in a small company is easy. The individual makes a decision and moves out. Sometimes there are managers or stakeholders to consult, but the reporting chain is much smaller and the stakeholders to consult are far fewer. The ability to make decisions quickly allows companies to react to changing market dynamics and technology much more quickly than larger firms competing in the same space. A great example of this is purchasing. When I worked at a large defense contractor in the 1990s, I needed to get a copy of “PC Anywhere”. Weeks went by until I heard it was authorized. Weeks turned into months and I reached out to find where it was, only to discover the acquisition system had lost my order. When I explained what I needed I was assured it would be coming soon. A week or two later a different product (PC-Xware) arrived! Contrast that with a small firm with a flat management chain… if someone needs something at a small firm they ask their manager and it gets ordered on a corporate card within a day or two.

Smaller is more innovative

It’s easy to understand why small companies move faster, but where does the phrase “small companies innovate, big companies integrate” come from? Innovation is a complex topic about which numerous books have been written. I believe there are a number of factors behind the wave of innovation coming from small firms:

  • Ability to attract and retain top talent. Employees like to work in nimble, more fun, better paying environments!
  • Emphasis placed on innovation. Small companies are taking on larger, often entrenched competitors and creating something new is often imperative to survival.
  • A culture that values disruption over the status quo. Big companies don’t change quickly while growth-oriented small companies are focused on how to change the game and become a big company!
  • Quicker access to resources and decision making. The lack of process and large management chains enable individuals to go and quickly buy/hire/talk/build whatever they need to do as part of their mission to get the job done, while larger organizations utilize processes to limit risk. 

Building a company is rewarding

Taking a company from nothing or small into something large enough to have some “punching power” is extremely satisfying. It means the market recognizes that you are offering something of value and that people are joining your endeavor to make a difference. The resources you accumulate as you grow mean some of the concerns from earlier days are mitigated and new opportunities begin to present themselves. A new era of entrepreneurs is rising up who are increasingly availing themselves of the opportunity to inject a conscience into their work and engage in social causes through their corporate position, products, and with the resources created by the firm. My wife and I have committed to giving the bulk of our gains from Siege some day to charitable causes and view the firm as an opportunity to have a positive impact at a scale unachievable as individual contributors to those causes. Firms like Newman’s Own give away their profit to philanthropic causes, and numerous clothing/jewelry/coffee businesses integrate a social cause into their corporate mission and value statement. In fact, the percentage of corporate giving is inversely correlated with size, with the smallest firms giving the most generously[1],[2].

Perspectives on the cyber security startup market

The cyber security startup market has been hot. On fire is probably more accurate. The graph below shows how investment has been ramping up over the last seven years (I started Siege at the relative low point of 2009, apparently not a good year from an investor’s perspective!).

Figure 1: Millions of dollars invested in cybersecurity companies.

Spending on cybersecurity in 2015 exceeded $75 billion according to Gartner[3]. The market is over $100 billion according to Market and Markets and will grow to $170 billion (USD) by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent from 2015 to 2020[4]. The cyber security insurance market is expecting significant growth and should reach $7.5 billion in annual sales by 2020, up from $2.5 billion this year[5].

But in 2015 signs were showing that the valuations and dollars heading to cybersecurity companies had begun to cool. Specifically, “some are predicting a measured slow-down leaving a slew of Seed/Series A funded companies without a Series B sponsor”[6]. Median security EV/revenue multiples have declined from 5.5x in 2013, to 5x in 2014 and 4.5x in 2015[4].

That said, the problems still remain. Enterprises large and small, government agencies and individuals are still being targeted and compromised with increasing frequency. 2015 alone saw a jump of 48% in compromises that were reported, and successful detected attacks have been rising at a compounded annual growth rate of 66% year over year since 2009[7]. The annual cost of these attacks ranges from hundreds of billions to trillions depending on your estimation methodology and sources (considering theft of IP versus just cleanup, for example). Nobody has built the silver bullet solution to solve the problem and significant opportunities exist if entrepreneurs are really providing new solutions to the problems that exist and loom over the horizon in the form of technologies or services.

Perspectives on transitioning government-funded technology

At Siege we have a number of technologies that we have developed with external funds, spanning areas as diverse as cyber quantification to custom hypervisors to software protection and software vulnerability remediation. Some were developed entirely with government funds, some with almost exclusively internal or commercial funds and most with a hybrid. Taking these capabilities from the lab to product is not easy. Numerous hurdles must be addressed, from classification to export control to publication restrictions to the myriad of intellectual property rights issues. And that’s before you address the “valley of death” that exists between research and products. An article in IEEE captures this challenge well, saying “New and innovative technologies will only make a difference if they're deployed and used. It doesn't matter how visionary a technology is unless it meets user needs and requirements and is available as a product via user-acceptable channels. One of the cybersecurity research community's biggest ongoing challenges is transitioning technology into commercial or open source products available in the marketplace”[8], and that reflects my personal experience working in research and innovation at big companies, DARPA and now a smaller firm.

Inventors are often beholden to their creations and believe they possess more value than they often do. There is usually a gap between the requirements targeted during development and what the market needs. And there is funding required to get the product from where it is currently to where it needs to be. Inertia fights against changing anything and turning this technology into a product, but the fight can be well worth it if the numerous obstacles are addressed with vigor head on. It is a fight that must be won in order to “change the game” and make a difference instead of allowing the solutions to important national and global problems to die an inglorious death in the lab.

Conclusion

It is impossible to effect change without taking risk. Change necessitates overcoming resistance and various obstacles to achieve a necessary goal. Starting or joining a new venture provides the opportunity to effect significant change at personal, technological, national and societal levels if success is achieved. But even if failure is an outcome, lessons are learned and character is formed through that process. The average successful entrepreneur has several failures under his or her belt (I had two false starts) and is middle aged, with the median age entrepreneurs started their companies being 40[9]. Teddy Roosevelt captures the opportunity well with his famous quote: “It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.”[10]




[1] CEO Force For Good, “Giving in Numbers 10TH ANNIVERSARY 2015 EDITION”, September 2015.
[2] https://philanthropy.com/article/Most-Small-Companies-Make/225215
[3] http://blogs.wsj.com/venturecapital/2016/02/17/the-daily-startup-increased-spending-in-cybersecurity-drives-funding-surge/
[4] http://www.marketsandmarkets.com/PressReleases/cyber-security.asp
[5] PwC, “Insurance 2020 & beyond: Reaping the dividends of cyber resilience”, September 2015
[6] Momentum Partners, “Cybersecurity Market Review 4Q 2015 Year End”, January 2016
[7] http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html
[8] Maughan, D., Balenson, D., Lindqvist, U., & Tudor, Z. (2013). Crossing the Valley of Death: Transitioning Cybersecurity Research into Practice. IEEE Security & Privacy, 11(2), 14-23.
[9] Ewing Marion Kauffman Foundation, “The Anatomy of an Entrepreneur”, August 2009.
[10] Theodore Roosevelt, Excerpt from the speech "Citizenship In A Republic" delivered at the Sorbonne, in Paris, France on 23 April, 1910.