Ed Davis doesn’t look like he would be fazed by anything. The former commissioner of the Boston Police Department has seen the kind of horrors he can’t erase from his mind—including the Boston Marathon bombing and its aftermath—but he has moved on.
Now, a new type of threat has crept into his psyche. This one is more virtual in its approach, but the danger is as real as it gets. Davis runs a security consulting firm, and his clients—which include governments, healthcare organizations, and entertainment venues—tend to ask him about physical security. But then they quickly switch to the topic du jour.
“Their second question is, ‘What do you know about cyber?’” he says.
Davis, for one, has been learning a lot about the topic. His experience reflects what many experts already know—that cybersecurity is one of the grand challenges of our time, and it touches almost every industry. The field presents huge problems, of course, but it also holds opportunities for technology, business, and education leaders in New England and beyond.
The Boston area has amassed a great deal of expertise, making it one of the world’s top cybersecurity clusters, along with the San Francisco Bay Area, Washington, DC, and Tel Aviv. A snapshot of local security-related companies (see this map and list) shows they are advancing everything from ways to monitor networks and detect threats, to tools for analyzing and responding to breaches, to techniques for recovering data. Many are working on newer approaches—using machine learning, visualization tools, sensors, and cloud-based environments—to try to help customers develop a more unified security strategy.
One common theme: with the rise of attacks like ransomware—in which hackers hold an organization’s data or assets hostage until they are paid off—the lines between different types of security threats seem to be blurring.
Indeed, Davis points to what he calls a “convergence” of cyber and physical security. A hacker behind a laptop can shut down traffic to websites; so could someone who pours gasoline on an Internet hub’s physical location and sets it on fire, he says. But now, a hacker could also take control of a connected car—or worse—and demand a credit card number before unlocking it.
“The world is really changing for us,” Davis says.
A few years ago, a hacked computer system might disable IT operations or Internet traffic. Today, it could take down a transportation system, energy grid, or hospital network, causing chaos and potentially endangering lives. That’s in part because of the proliferation of connected devices and systems—anything with a chip that can communicate with a wireless network. Think phones, tablets, and watches, but also cars, thermostats, and faucets (yes, faucets) that connect to Wi-Fi or other networks. Any device could be a target, or act as a conduit to other targets or data.
The bad news is the problem is getting worse, fast. “Information technology is now moving into everything,” says Steve MacLellan, a 26-year veteran of Fidelity Investments, where he was senior vice president of security solutions and architecture. (He now advises and invests in security startups.)
MacLellan and other security experts at institutions ranging from Intel to Raytheon already see major threats to critical infrastructure worldwide such as water, gas, and electrical systems, as well as financial, insurance, and healthcare organizations.
What is needed are new approaches to combat hackers and recover from attacks. “In the past, people were thinking about security as part of an IT program—you have a virus on the machine, so you need to clean it,” says Lior Div, CEO and co-founder of Cybereason, a security-tech startup based in Boston and Tel Aviv. “Now there’s malware, but someone is behind it. You need to understand the tactics and techniques they’re using. It’s a completely different mentality—it’s a war zone.”
New Dollars, New Tech
Along with the societal stakes, investment in cybersecurity companies has been growing fast, according to data from CB Insights (see graph). In 2011, globally, there were 166 venture deals in security, for a total of $1.14 billion. In 2015, the number of deals doubled to 332, and the dollars invested more than tripled to $3.83 billion, with steady growth in both categories over the five years. (The great majority of companies in the study—77 percent—were based in the U.S.)
An Xconomy survey shows Boston-area cyber companies have raised at least $1.7 billion in total investment (counting only those that are independent and privately held). And the list of locally based companies that have raised money in 2016 includes Carbon Black, EiQ Networks, Hexadite, Lexumo, and Threat Stack. Those investment deals have totaled north of $50 million.
While the sector is seeing some hype, it’s also going through consolidation. Massachusetts-born Bit9 bought Carbon Black (based in Texas) in 2014 to expand its offerings; the merged company, one of Boston’s biggest in security, is now called Carbon Black. Late last year, Waltham, MA-based Digital Guardian bought Code Green Networks, a data-security firm in Silicon Valley. And in February, IBM Security acquired Resilient Systems, a 100-person startup in Cambridge, MA, focused on incident response.
Meanwhile, Rapid7 and Mimecast were the Boston area’s only tech-related IPOs in the past year, raising about $103 million and $78 million, respectively. Rapid7 is known for its suite of cybersecurity products, while Mimecast (based in London with North American headquarters in the Boston area) specializes in e-mail management and security.
Investors see a lot of noise in the sector. “Security is this gigantic spider web of point solutions. But at some point they need to be consolidated,” says Greg Dracon, a partner at .406 Ventures, which has invested in a number of cybersecurity startups. “A lot of companies are getting funded that can’t be standalone companies.”
It’s hard to verify, but the general sense is that most security-tech companies aren’t making money. Venture-backed startups tend to build for growth, not profitability. “The market wants cutting-edge solutions, but for a new company to cut through the noise and be able to sell, this is a huge jump,” Div says.
Div’s startup, Cybereason, seems to be gaining some traction. Founded in 2012, the 110-person company has secured several big customers, including SoftBank and Lockheed Martin. Cybereason has raised about $90 million in venture capital, making it one of the better-funded tech startups in the region. (Its investors include CRV, Spark Capital, SoftBank, and Lockheed Martin.)
It has gotten there by pushing a new approach.