The emails just kept coming.
One morning this past May, Jeff Fagnan was having breakfast with a friend who is the chief information security officer (or CISO, for short) of a large company, and he was witnessing firsthand how many sales emails CISOs receive for new cybersecurity products.
“It was one email from a startup vendor after another,” recalls Fagnan, who is a founding partner at Cambridge venture capital firm Accomplice.
In all, Fagnan says, the CISO received 20-30 emails from cybersecurity vendors within a couple of hours. None of them would ever receive a response.
“It’s a really weird industry in that it’s really hard to get customers to adopt new security software, but it’s also hard for them to talk about it,” Fagnan says.
“It’s a mainstream problem, from the boardroom to office administrators.”
To Fagnan, who has been investing in cybersecurity companies for 17 years now, the flood of sales emails is representative of the bustling activity in the cybersecurity industry right now, in general and in Greater Boston. The region has undeniably been a benefactor in the rise of activity as data breaches and other kinds of cyber attacks become commonplace. Whether it’s the recent Equifax hack that impacted 143 million Americans or the Russian government’s attempt to hack voting systems in 21 states, the need for robust and resilient cybersecurity solutions has never been more clear.
“It’s a mainstream problem, from the boardroom to office administrators,” says Greg Dracon, who focuses on cybersecurity startups for Boston VC firm .406 Ventures. “Everyone understands the challenge, and everyone’s been breached.”
Cybersecurity funding in Boston
With the need to protect organizations of all sizes, dozens of Boston-area startups have raised hundreds of millions of dollars from investors in the past few years to address the demand.
In 2017 so far, Boston-area cybersecurity companies have raised more than $277 million from investors across 19 deals, according to Crunchbase data. Last year, total funding was lower at more than $171 million across 21 deals, and in 2015, cybersecurity funding was at an all-time high in Greater Boston, with more than $388 million raised across 30 deals.
Seven of the top 10 cybersecurity funding rounds in Massachusetts were raised in the last three years, according to Crunchbase. That includes Cybereason’s $100 million round from Softbank in June and its $59 million round in 2015, as well as Digital Guardian’s $66 million in 2015.
To Fagnan and Dracon, the influx of cybersecurity startups has its pros and cons. On one hand, the swell of activity means there are more smart people receiving the financial backing to build valuable products, Fagnan says. But that also means it can be hard for companies to differentiate from each other, which can have a dilutive effect.
Dracon says cybersecurity’s rising popularity can have another unfortunate effect: inexperienced investors seeking to ride the hype train. “There’s so much noise and hype and awareness of it, there’s a lot of what we call ‘venture tourists’ that have funded companies that shouldn’t have raised money,” he says.
One of the underlying trends in cybersecurity over the last decade: the need for businesses to go beyond protecting against cyber attacks on the perimeter of their networks and protect from within. With the proliferation of smartphones and other kinds of connected devices, it’s much easier for hackers to find a weak node and set up an attack from an employee’s device.
“The perimeters have dissolved,” Dracon says.
This has led to the rise of startups that are using machine learning and other kinds of analytical methods to prevent and detect internal threats.
Edgewise Networks, a recently launched startup that is backed by Fagnan’s and Dracon’s firms, is seeking to address internal threats by using machine learning algorithms to understand how applications communicate with each other within a company’s network. Using analytics, it then makes policy recommendations for which applications to trust and which applications should be connected.
Another trend that has Fagnan and Dracon’s interest is the protection of systems within cloud environments. Last week, one of their portfolio companies, Boston-based Threat Stack, raised a $45 million Series C to expand within that space.
Brian Ahern, Threat Stack’s CEO, says the company’s growth is being fueled by middle market and large enterprise customers migrating from on-premises servers to cloud environments, which many traditional cybersecurity services aren’t well-equipped to protect.
“If you’re not cloud-native, what we found is the legacy security providers deploying tech into the cloud requires a services element,” Ahern says. “That puts customers at a significant disadvantage because the time to value is much longer.”
More products require automation
With cyber attacks becoming increasingly sophisticated and more frequent, the need to adopt multiple cybersecurity products has become a fact of life for many companies. Fagnan says that’s because companies want to have the highest-quality products for different solutions, which don’t always come from the same vendor.
This has created a need to automate and control the functions of multiple security vendors from one platform. In the so-called security orchestration and automation space, Boston saw the acquisitions of two startups this year: Hexadite, which was acquired by Microsoft for a reported $100 million, and Komand, which was sold to Rapid7 for roughly $25 million.
Jen Andre, Komand’s founder, says the idea for her startup came from her experience as a security analyst, where she would have to perform repetitive tasks across multiple security software programs several times a day. While she would eventually learn to code her own automation workflows at a later job, she learned that this remained a struggle for many security teams with limited resources.
“It’s really shocking to me that this is a problem that still exists for security teams,” she says.
Cybersecurity exits in Boston
Rapid7, where Andre now works as a senior director, is the most recent Boston cybersecurity company to have gone public with its initial public offering in 2015. It’s part of a handful of cybersecurity companies in Greater Boston that have gone and remained public. Other Boston-area companies that are still public include CyberArk, Akamai, Corero and NetScout. Only three of these companies have gone public in the last eight years.
In the meantime, there have been more than three dozen local cybersecurity acquisitions in the past eight years, with more than half of them happening since 2014. Among those acquired include Veracode, which was once considered a strong IPO candidate but ended up selling to CA Technologies for $614 million earlier this year.
Fagnan, who was on Veracode’s board as a lead investor, says while acquisitions can provide great outcomes, what Boston needs are more companies going public. The next cybersecurity company in Boston that’s poised to do that is another company Fagnan has invested in, Carbon Black, which confidentially filed for an IPO last year and has been quiet about its next steps.
“It’s a stacked deck for a cybersecurity company.”
“You need some of these companies like Carbon Black to be successful,” Fagnan says, because bigger exits it can produce more founders and angel investors in the space.
Dracon agrees, and he says Boston continues to be a great place to build cybersecurity companies. The reasons include Boston’s strong cluster of colleges and universities for technologists, as well as its proximity to big bank customers in New York and companies in Europe looking to expand to the United States.
“It’s a stacked deck for a cybersecurity company,” he says.
This is the first story in our “Cybersecurity in Boston” series, which is running several stories on cybersecurity the week of September 25.