(An abridged version of this post appeared in the CipherBrief on May 15th, 2016)
In 2009 I left a job at the Defense
Advanced Research Projects Agency and started Siege Technologies. My goal was
to fill the vacuum of small, innovative companies building advanced, disruptive
technical solutions in offensive and defensive cyber warfare left by recent
large corporate acquisitions. The last
day at DARPA I signed paperwork removing all the accesses I had received during
my time there with DARPA and our numerous partners. They took my green badge,
CAC card, DARPA badge, and computer. I felt a little like George Banks in Mary
Poppins when the bank fires him and proceeds to destroy his umbrella and poke a
hole in his hat as part of the discharge process. I founded Siege Technologies two weeks later
and slowly collected most of those resources again over time. The experience
was extremely informative and provided some important lessons for anyone
contemplating a move into private industry from government or into a startup
from a large company.
Advantages of government experience
There are some powerful advantages that time in government
provides someone making the plunge into entrepreneurship. The biggest is a
perspective on what’s going on at a national or even global level. Insights into
the hard problems, operational challenges and thought leaders are invaluable
takeaways from government service. Additionally, the friends and contacts created
throughout government, industry and academia can provide valuable assistance
down the road. Having worked as a contractor, government employee and corporate
employee again, there’s a big difference walking into your favorite government
agency with a “blue badge” versus a “green badge”. Having a government badge
causes government people to assign moral characteristics to you that are
significantly different than the negative assumptions pinned on contractors,
sadly. And strangely, these positive views follow you out into corporate
America. Even though I was the same person throughout the experience, there is a
significant difference in how the people you meet while wearing the government
badge perceive you, during and after government
service.
Starting from scratch is hard
It is not easy to take a blank piece of paper and write a
novel. Starting a company is similar, as building something from nothing
requires the ability to see a future that does not yet exist, and execute to
make that vision a reality. Taking a small firm and helping it break out of a
small business mindset to reach its potential is equally hard (and maybe harder
in some ways) because you need to reshape structures that may have hardened and
take on risk that may have been previously discarded or avoided. The technical
team, technology, access to customers and partners, cash, and information are
never as robust as you would like and are often in a state of flux. A challenge
unique to moving to a startup from government is the gossip mill of other
disgruntled government/commercial individuals who allege stolen ideas, inside
access, or other improprieties as the real drivers of success. Changing the
mindset of the brave souls who move from the comfort of government to the
excitement of a startup is imperative, as there is no checklist of procedures
or higher authority to consult before getting things done. Sitting at your desk
or attending meetings is not going to get a product built or customers signed
up; startups are an exercise in energy exertion. I vividly remember talking to
my wife in December of 2009 about whether we would have a paycheck before
Christmas and estimating how many days until our final credit line was maxed.
Getting my first Siege paycheck on Christmas Eve was the best Christmas Eve
gift I’ve received! As Benjamin Franklin said, “Nothing ventured, nothing
gained”.
Smaller is riskier
There is a big difference between a job in the government, a
job at a big business and a leadership position in a startup. The government
has a difficult time ever firing anyone or laying people off, although it does
happen on rare occasions. Big business doesn’t usually fire people, and layoffs
are usually focused on culling the weaker ranked employees (although entire
segments of the business can be felled in a single swipe!). And while small
companies engage in layoffs and firing, they introduce a new variable into the
equation: cash. In business they say “cash is king” because without it, a
business cannot conduct operations. Starting a company involves working for
free, reduced pay, gaps in funding, contributing money, and wondering how to
make payroll. It also involves borrowing money from friends and banks, and
signing numerous contracts as the guarantor. Even well-funded VC-backed firms
have to worry about cash throughout the process and keep track of the “going out of
business” point when your burn rate chews up the cash in the bank.
Smaller is faster
Making decisions in a small company is easy. The individual
makes a decision and moves out. Sometimes there are managers or stakeholders to
consult, but the reporting chain is much smaller and stakeholders to consult
much fewer. The ability to make decisions quickly allows companies to react to
changing market dynamics and technology much more quickly than larger firms
competing in the same space. A great example of this is purchasing. When I
worked at a large defense contractor in the 1990s, I needed to get a copy of “PC Anywhere”.
Weeks went by until I heard it was authorized. Weeks turned into months and I
reached out to find where it was, only to discover the acquisition system had lost my
order. When I explained what I needed I was assured it would be coming soon. A
week or two later a different product (PC-Xware) arrived! Contrast that with a small firm
with a flat management chain… if someone needs something at a small firm they
ask their manager and it gets ordered on a corporate card within a day or two.
Smaller is more innovative
It’s easy to understand why small companies move faster, but
where does the phrase “small companies innovate, big companies integrate”
come from? Innovation is a complex topic about which numerous books have been
written. I believe there are a number of factors behind the wave of
innovation coming from small firms:
- Ability to attract and retain top talent. Employees like to work in nimble, more fun, better paying environments!
- Emphasis placed on innovation. Small companies are taking on larger, often entrenched competitors and creating something new is often imperative to survival.
- A culture that values disruption over the status quo. Big companies don’t change quickly while growth-oriented small companies are focused on how to change the game and become a big company!
- Quicker access to resources and decision making. The lack of process and large management chains enable individuals to go and quickly buy/hire/talk/build whatever they need to do as part of their mission to get the job done, while larger organizations utilize processes to limit risk.
Building a company is rewarding
Taking a company from nothing or small into something large
enough to have some “punching power” is extremely satisfying. It means the
market recognizes that you are offering something of value. That people are
joining your endeavor to make a difference. The resources you accumulate as you
grow mean some of the concerns from earlier days are mitigated and new
opportunities begin to present themselves. A new era of entrepreneurs is
rising up who are increasingly availing themselves of the opportunity to inject
a conscience into their work and engage in social causes through their
corporate position, products, and with the resources created by the firm. My
wife and I have committed to giving the bulk of our gains from Siege some day to
charitable causes and view the firm as an opportunity to have a positive impact
at a scale unachievable as individual contributors to those causes. Firms like
Newman’s Own give away their profit to philanthropic causes, and numerous
clothing/jewelry/coffee businesses integrate a social cause into their
corporate mission and value statement. In fact, the percentage of corporate
giving is inversely correlated with size, with the smallest firms giving the
most generously[1],[2].
Perspectives on the cyber security startup market
The cyber security startup market has been hot. On fire is
probably more accurate. The graph below shows how investment has been ramping
up over the last seven years (I started Siege at the relative low point of
2009, apparently not a good year from an investor's perspective!)
Figure 1: Millions of dollars invested in cybersecurity companies.
Spending on cybersecurity in 2015 exceeded $75 billion according
to Gartner[3]. The
market is over $100 billion according to MarketsandMarkets and will grow to $170
billion (USD) by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent
from 2015 to 2020[4]. The
cyber security insurance market is expecting significant growth and should
reach $7.5 billion in annual sales by 2020, up from $2.5 billion this year[5].
But in 2015, signs were showing that the valuations and
dollars heading to cybersecurity companies had begun to cool. Specifically, “some
are predicting a measured slow-down leaving a slew of Seed/Series A funded
companies without a Series B sponsor”[6]. Median security EV/revenue
multiples have declined from 5.5x in 2013, to 5x in 2014 and 4.5x in 2015[4].
That said, the problems still remain. Enterprises large and
small, government agencies and individuals are still being targeted and
compromised with increasing frequency. 2015 alone saw a jump of 48% in
reported compromises, and successful detected attacks have been
rising at a compounded annual growth rate of 66% year over year since 2009[7]. The
annual cost of these attacks ranges from hundreds of billions to trillions
depending on your estimation methodology and sources (considering theft of IP
versus just cleanup, for example). Nobody has built the silver bullet solution
to solve the problem and significant opportunities exist if entrepreneurs are
really providing new solutions to the problems that exist and loom over the
horizon in the form of technologies or services.
Perspectives on transitioning government-funded technology
At Siege we have a number of technologies that we have
developed with external funds, spanning areas as diverse as cyber
quantification to custom hypervisors to software protection and software
vulnerability remediation. Some were developed entirely with government funds,
some with almost exclusively internal or commercial funds and most with a
hybrid. Taking these capabilities from the lab to product is not easy. Numerous
hurdles must be addressed, from classification to export control to publication
restrictions to the myriad of intellectual property rights issues. And that’s
before you address the “valley of death” that exists between research and
products. An article in IEEE captures this challenge well, saying “New and innovative technologies will only
make a difference if they're deployed and used. It doesn't matter how visionary
a technology is unless it meets user needs and requirements and is available as
a product via user-acceptable channels. One of the cybersecurity research
community's biggest ongoing challenges is transitioning technology into
commercial or open source products available in the marketplace”[8],
and that reflects my personal experience working in research and innovation at
big companies, DARPA and now a smaller firm.
Inventors are often beholden to their creations and believe
they possess more value than they often do. There is usually a gap between the
requirements targeted during development and what the market needs. And there
is funding required to get the product from where it is currently to where it
needs to be. Inertia fights against changing anything and turning this
technology into a product, but the fight can be well worth it if the numerous
obstacles are addressed with vigor head on. It is a fight that must be won in
order to “change the game” and make a difference instead of allowing the
solutions to important national and global problems to die an inglorious death in
the lab.
Conclusion
It is impossible to effect change without taking risk.
Change necessitates overcoming resistance and various obstacles to achieve a
necessary goal. Starting or joining a new venture provides the opportunity to
effect significant change at personal, technological, national and societal
levels if success is achieved. But even if failure is an outcome, lessons are
learned and character is formed through that process. The average successful
entrepreneur has several failures under his or her belt (I had two false starts)
and is middle-aged, with the median age at which entrepreneurs started their
companies being 40[9]. Teddy Roosevelt captures the opportunity well
with his famous quote: “It is not the
critic who counts; not the man who points out how the strong man stumbles, or
where the doer of deeds could have done them better. The credit belongs to the
man who is actually in the arena, whose face is marred by dust and sweat and
blood; who strives valiantly; who errs, who comes short again and again,
because there is no effort without error and shortcoming; but who does actually
strive to do the deeds; who knows great enthusiasms, the great devotions; who
spends himself in a worthy cause; who at the best knows in the end the triumph
of high achievement, and who at the worst, if he fails, at least fails while
daring greatly, so that his place shall never be with those cold and timid
souls who neither know victory nor defeat.”[10]
[3] http://blogs.wsj.com/venturecapital/2016/02/17/the-daily-startup-increased-spending-in-cybersecurity-drives-funding-surge/
[4] http://www.marketsandmarkets.com/PressReleases/cyber-security.asp
[6] Momentum Partners, “Cybersecurity Market Review 4Q 2015 Year End”, January 2016
[7] http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html
[8] Maughan, D., Balenson, D., Lindqvist, U., & Tudor, Z. (2013). Crossing the Valley of Death: Transitioning Cybersecurity Research into Practice. IEEE Security & Privacy, 11(2), 14-23.
[10] Theodore Roosevelt, excerpt from the speech "Citizenship In A Republic" delivered at the Sorbonne, in Paris, France on 23 April, 1910.