Wednesday, October 7, 2015

Massachusetts is Fertile Ground for Security Companies

By Barbara Bix

Barbara Bix helps business leaders uncover, crystallize, and exploit opportunities to gain the competitive edge.  Twitter: @enteropportunity

The second part of the conference featured several sessions that offered a window into what local security companies are doing and why they've been successful.  Massachusetts now ranks third globally as home to the most innovative cyber security firms. 
Reasons for Massachusetts' success in dominating the security industry include deep roots planted by companies such as Raytheon and RSA Security, a robust venture community that includes the country's foremost security experts, access to talent, and the fact that people on the east coast don't switch jobs as frequently as they do in Silicon Valley.

Speakers said key to maintaining leadership will be enabling established companies to remain independent as they grow.  We need more public companies here.  One of the biggest fears is that west coast companies will buy, and relocate young companies, taking security expertise out of the area.

Lots of money is going into security companies in Boston.  Last year, the figure was $2 billion; year-to-date we're at $2.3 billion.  These investments put independent Boston companies in a good place to acquire smaller companies.  They also help smaller companies as it's much easier to acquire local businesses.

Speakers agreed that one of the local strengths is methodical growth; one of our weaknesses is in getting our message out the way that west coast companies do.  To address this challenge, one leader says he is embedding the "west coast mentality" at senior levels to get a different perspective.  A later speaker observed that marketing is the hardest skill set to find locally, since "it's not Boston's wheelhouse".

Elizabeth Lawler, CEO of Conjur noted that increased collaboration would also foster local growth.  We need to sponsor entrepreneurs earlier in the process.  Omar Hussain agreed that we need to nurture smaller companies now so that local acquisition candidates are available later.  Rather than looking at collaboration as driving up prices, we need to see it as "de-risking the buy".

The conference also included a showcase of younger local security companies.  Each had 90 seconds to introduce themselves to attendees.  This was the first real dive into point solutions, because most of the conference focused more on the business.
Several of the founders had re-located to MA to give their companies a competitive edge.  Reasons cited include the deep ecosystem here nurtured by government, academia, the innovative community, and investors; strength of the talent pool; and the optimal time zone and proximity to the European market.

The biggest challenges facing these startups appear to be marketing challenges.  Examples founders gave include acquiring credibility, overcoming prospects' perceptions about the relative safety of their current solutions and the difficulties associated with implementing complex technologies, and prying open the door to the CSO office.

Therefore, it should have been less of a surprise that their next big hire was not necessarily raw engineering talent.  Instead, the startups said they were seeking sales and marketing personnel and smart security practitioners who had prior experience with breaches. 

Is there a talent gap?

The conversation also included a more general conversation about whether there's a talent gap here and if so what to do about it.  My sense, in listening to the conversation, is that there isn't necessarily a talent gap.  That said we do need to restructure thinking about our organizations, our hiring requirements, and our training efforts to build the security workforce of the future.

There appeared to be general agreement that companies are not seeking security experts.  Instead, they are seeking experts in other fields, particularly developers, who can complement their existing expertise with security knowledge. 

Echoing themes from other sessions, speakers said that security is everyone's business.  You will need a deep awareness of the asset landscape and the threat landscape.  You need to embed security expertise in every area of the company--and everyone has to take ownership for preventing breaches.

You will require people with a broad technology foundation that are knowledgeable about operating systems, data sets, and how to develop code with an emphasis on scripting.  You will need rugged Dev Ops personnel who have hands on experience with the technology stack and automation so that they can build tools that simulate threats that are proactive versus reactive. 

In addition to technical experts, companies will also need supply chain experts, operations personnel, lawyers, and other practitioners who have an in-depth understanding of the silos that make up a business and can look for exposures in each of these areas. 

When speakers spoke about education, many focused on STEM courses at the primary and secondary levels, including introductory courses in Computer Science. 
Edna Conway, CSO, Global Value Chain at Cisco recommended that job seekers focus on the skills they have--and how to connect them to security.  Panelists agreed that certifications are not as important.  Rather, they are a "nice to have".

Human Resource personnel will need to shift the focus from years of experience to less tangible capabilities such as social skills, the ability to make risk decisions, and the ability to advocate for resources.  They will also need more flexible policies that allow higher salaries, greater increases, and perhaps more frequent performance reviews.

The Last Frontier session will be discussed in a later post by the session’s moderator. 
All in all, it was a great conference.  I left with a much greater appreciation of the impact security has on a business' success, challenges businesses face in delivering the security their customers are coming to expect, and a list of opportunities for MA businesses and job seekers.  Thanks to everyone who attended the conference and contributed to the conversation!

Expect to hear more follow-up and next steps for growth and support of the security community within the next few weeks.  

No comments: