Making the case: How the mid-Atlantic region can become a leading cybersecurity hub
The mid-Atlantic, comprising Maryland, Virginia, and Washington, DC, has three essential attributes for building a strong cybersecurity ecosystem.
When most people think about cybersecurity start-ups, tech talent, and innovation, they probably do not immediately think of the mid-Atlantic region. Austin, New York City, and Silicon Valley draw the lion’s share of investor interest and buzz, but the mid-Atlantic has the potential to join their ranks.
In today’s competitive digital environment, creating a thriving cybersecurity ecosystem requires the right mix of ingredients, including funding, innovation, and talent. The mid-Atlantic region has made some notable gains in these areas: investment in local cybersecurity players has increased 21 percent year over year in the past three years; development of cybersecurity intellectual property (IP) has increased by an annualized rate of 12 percent during the past four years; and companies have been enabled by a unique talent ecosystem, with a significant crossover between commercial, federal, and defense/intelligence markets.
Despite these gains, the mid-Atlantic has been challenged by limited leadership experience in the start-up space, an investor base struggling with navigating a web of companies’ government contracts, and a talent pipeline that often struggles to make the transition from the military or the public sector to start-ups and accelerators.
Recent interviews with investors and external experts from leading cybersecurity companies and our survey of 41 mid-Atlantic cybersecurity company executives, conducted in partnership with the Cybersecurity Association of Maryland, reveal potential ways the region can unlock value, enhance the regional cybersecurity profile to grow investments and revenue, increase the number of strong cybersecurity start-ups, and attract talent.
Investment opportunities and challenges
While challenges of growing the cybersecurity ecosystem exist for the mid-Atlantic, cybersecurity companies in the region have demonstrated the potential to excel. When compared with peers in Silicon Valley, mid-Atlantic cybersecurity companies generate 25 percent of the revenue and attract half the M&A activity—with only 20 percent of the venture capital (VC) and private equity investment of their peers (Exhibit 1).
Exhibit 1
In our survey, cybersecurity investors share that they have been more often turning their attention to investment opportunities outside of Silicon Valley, particularly postpandemic (perhaps a result of the hybrid norm or the enhanced importance placed on the cybersecurity industry). In recent years, cybersecurity companies in Austin and New York have been capturing more VC dollars than those in the mid-Atlantic, as well as outpacing the region in VC funding growth. But when we compare VC funding for cybersecurity firms in the mid-Atlantic to those in Silicon Valley, we see that mid-Atlantic firms’ funding is growing at twice the rate year over year (Exhibit 2).
Exhibit 2
Although mid-Atlantic cybersecurity start-ups offer significant potential for investors, many struggle to communicate their value proposition. That disconnect, along with all the historical Silicon Valley successes and a mature understanding of the start-up culture, makes it challenging for a mid-Atlantic founder dipping a toe into new waters to navigate such an established ecosystem. Many survey respondents detailed the hurdles cybersecurity start-ups face when seeking private equity, venture capital, angel funding, and seed funding.
“Investors in the mid-Atlantic region have more stringent demands on regional founders than their counterparts in Silicon Valley. There were a lot of expectations put on founders to prove a lot before they could get capital. Each incremental microdecision was rational, but the summation makes an ecosystem where it is hard to break out.” – Executive of a mid-Atlantic venture capital firm
Unlike their Silicon Valley counterparts, mid-Atlantic start-ups tend to have stronger government ties and are more likely to have a federal government customer base.1 Federal spending is a crucial part of the mid-Atlantic cybersecurity ecosystem—which may, given the nature of the cybersecurity market, provide the region’s cybersecurity firms with a unique way of thinking, if not a whole new approach, compared with the average private-sector-focused player with a B2B or B2C strategy. A federal government customer base, for example, may invite more analysis and due diligence from investors who have primarily focused on commercial markets (and may have a lack of in-depth knowledge of federal markets) because of how investors tend to view federal markets. Increased focus by the federal government on cybersecurity issues bodes well for mid-Atlantic firms: in fiscal year 2022, US federal government demand for vendor-supplied cybersecurity products and services was $14.8 billion and is projected to reach $16.2 billion in 2024.2
“Investors are not naturally enthused by the prospect of investing in an industry so closely linked with the federal government.” – CFO of a mid-Atlantic software company
Some investors struggle to see how mid-Atlantic cybersecurity firms can continue to scale their federal business or translate federal sales successes into commercial-market wins. For those who traditionally serve the federal market, technology requirements are often services and custom-built solutions, whereas the private sector tends to place a premium on software as a service and scalable products. However, for the cybersecurity market in particular, this government sector experience can be incredibly valuable for private sector customers looking for battle-tested solutions. The solution may more often be in building the go-to-market strategy, rather than the underlying technology or business models—a challenge that, with the right investment and support, may create a strong value creation thesis for technology investors.
“I think that creating technology and then selling those technologies are different skill sets. In the mid-Atlantic, there can sometimes be a focus on the technology and blinders on the realities of the commercial market.” – Partner of a leading mid-Atlantic venture capital firm
Compared with their Silicon Valley counterparts, some mid-Atlantic-area cybersecurity company founders struggle to effectively court investors. For example, many of the cybersecurity executives we interviewed say that mid-Atlantic cybersecurity start-ups do not know what metrics investors would like to see.
“When someone in the Bay Area says they are a founder, this means a set of things that it does not mean in the mid-Atlantic. There are a couple benchmarks you want to be a ‘venture backable’ company, and founders in the mid-Atlantic know less of that and are slower to figure it out.” –Senior leader of a mid-Atlantic venture capital firm
“Private cybersecurity companies in the mid-Atlantic may not have the entrepreneurial pattern recognition that people in Silicon Valley have. VCs make 20 to 30 bets, and only a handful generates returns. That is the mental model, so the perceived potential needs to be massive.” – Cybersecurity investor
Innovation and growing IP development
So how do mid-Atlantic cybersecurity firms break through to investors? To start, they can point to the scoreboard.
Mid-Atlantic cybersecurity companies are outpacing other hubs in terms of cybersecurity start-up formation and patent creation—securing cybersecurity patents at a CAGR of 23 percent from 2017 to 2021, while the volume of cybersecurity patent activity in Silicon Valley has decreased year over year during the same time frame (Exhibit 3).
Exhibit 3
When assessing innovation, investors tend to look at start-ups, how the IP they create makes a technological innovation “real,” and whether the technological innovation is protected from disruption.
Mid-Atlantic cybersecurity start-ups may not produce as many patents as firms in other regions, but their growth outpaces other tech hubs. Between 2017 and 2021, the number of cybersecurity patents produced annually by mid-Atlantic cyber start-up firms rose to 120 from 90, approximately 12 percent CAGR. Meanwhile, in Silicon Valley, the number of patents rose to 220 from 190, or just 5 percent CAGR, and in New York, patents rose to 100 from 70, or 10 percent CAGR, during the same period.
Another challenge for mid-Atlantic start-ups is getting an audience with investors. According to our survey, 55 percent of respondents say they would like to attend more events and participate in more industry conferences, associations, incubators, and accelerators, and that enabling entities can do more to facilitate connectivity with investors.
“The networking that takes place in the mid-Atlantic rarely includes meaningful investors of any type. I travel a lot and when networking in other areas—California and Texas in particular—investors are out, they know the landscape, and they are far more action oriented. This allows founders to have a large pool to select from and to identify the best matches. In the mid-Atlantic, finding a good match can be difficult.” – Mid-Atlantic cybersecurity executive
Attracting, training, and retaining talent
The mid-Atlantic cybersecurity ecosystem has a unique workforce consisting of professionals who have cyber defense and operations, public sector and military, and private sector experience. According to our research, the mid-Atlantic, when compared with Silicon Valley, has four times the number of certifications awarded to cybersecurity professionals, including Certified Ethical Hacker, CompTIA Security+, CCISO, CISM and CISSP. Additionally, the mid-Atlantic has twice as many cybersecurity degree graduates when compared with Silicon Valley.
Relative to demand, however, the mid-Atlantic region still has a shortage of cybersecurity talent.3 Three of four cybersecurity executives surveyed say that finding talent in the region is difficult due to specific challenges including security clearances and citizenship requirements. Education programs will not be able to close the cybersecurity talent shortage alone, as 85 percent of job postings require two or more years of experience. The education and experience gap aligns with survey respondents ranking experience as the most important consideration when recruiting and hiring cybersecurity talent, cybersecurity certification as the second most important consideration, and a college degree as the least important.
Science, technology, engineering, and math (STEM) educational programming can prepare students for cybersecurity careers, though STEM proficiency in mid-Atlantic area schools may jeopardize the future cybersecurity talent pipeline. While Maryland and Virginia are doing relatively well in terms of their students’ proficiency in math and science, the Washington, DC, metro area students are significantly underperforming. For example, eighth grade students in Washington, DC, ranked 51 and 52 out of 52 jurisdictions in mathematics and science, respectively.4
Unlocking value in the mid-Atlantic cybersecurity ecosystem by 2030
Understanding leadership challenges, helping investors navigate a web of government contracts and opportunities, and building a robust talent pipeline are critical to success for the mid-Atlantic cybersecurity ecosystem. Stakeholders at every stage of the cybersecurity value chain in the region can take several steps toward unlocking the region’s value:
- Growing local talent to meet demand. Increasing support for the mid-Atlantic region’s primary and secondary STEM education programs to foster a future-ready cybersecurity workforce builds interest at an early age. More opportunities in STEM, including scholarships, training programs, competitions, and course offerings such as computer science, are all needed. Additionally, more training for current teaching staff, and connecting local schools with university partners and private industry experts, are critical to building the skill sets the next generation needs.
- Providing pathways for internships, scholarships, apprenticeships, and mentorships that target underrepresented communities builds inclusivity into the talent pipeline. Partnering with not-for-profit organizations that focus on technology education can provide convening and mentorship opportunities for underrepresented communities where talent may be found.
- Developing future founders with the knowledge and skills for cybersecurity entrepreneurship. Introducing entrepreneurial courses, guest lectures, and workshops led by cybersecurity business founders, and mentoring programs at mid-Atlantic area schools, could connect potential founders with existing start-ups for real-world business experience.
- Enhancing cybersecurity students’ ability to effectively pursue commercialization facilities at universities drives innovation for patenting. These might include private sector partnerships to identify promising IP from university students or sponsoring student memberships to databases/sources for patent searches to spur more submissions.
- Supporting today’s founders and companies to effectively navigate investment processes and scale business. Building upon existing organizations and providing additional support for regional accelerator programs, industry conferences, and participation in public–private technology accelerators may be required to embed some local cybersecurity leaders into the fabric of the industry and provide them with the skills to raise the profile of the unique qualities of the region’s innovation ecosystem.