Barbara Bix, security, talent

Massachusetts is Fertile Ground for Security Companies

By Barbara Bix

Barbara Bix helps business leaders uncover, crystallize, and
exploit opportunities to gain the competitive edge.  Twitter: @enteropportunity

The second part of the conference featured several sessions
that offered a window into what local security companies are doing and why
they’ve been successful.  Massachusetts
now ranks third globally as home to the most innovative cyber security

Reasons for Massachusetts’ success in dominating the
security industry include deep roots planted by companies such as Raytheon and
RSA Security, a robust venture community that includes the country’s foremost
security experts, access to talent, and the fact that people on the east coast
don’t switch jobs as frequently as they do in Silicon Valley.
Speakers said key to maintaining leadership will be enabling
established companies to remain independent as they grow.  We need more public companies here.  One of the biggest fears is that west coast
companies will buy, and relocate young companies, taking security expertise out
of the area.
Lots of money is going into security companies in
Boston.  Last year, the figure was $2
billion; year-to-date we’re at $2.3 billion. 
These investments put independent Boston companies in a good place to
acquire smaller companies.  They also
help smaller companies as it’s much easier to acquire local businesses.
Speakers agreed that one of the local strengths is methodical
growth; one of our weaknesses is in getting our message out the way that west
coast companies do.  To address this
challenge, one leader says he is embedding the “west coast mentality”
at senior levels to get a different perspective.  A later speaker observed that marketing is
the hardest skill set to find locally, since “it’s not Boston’s
Elizabeth Lawler, CEO of Conjur noted that increased
collaboration would also foster local growth. 
We need to sponsor entrepreneurs earlier in the process.  Omar Hussain agreed that we need to nurture
smaller companies now so that local acquisition candidates are available
later.  Rather than looking at
collaboration as driving up prices, we need to see it as “de-risking the
The conference also included a showcase of younger local
security companies.  Each had 90 seconds
to introduce themselves to attendees. 
This was the first real dive into point solutions, because most of the
conference focused more on the business.
Several of the founders had re-located to MA to give their
companies a competitive edge.  Reasons
cited include the deep ecosystem here nurtured by government, academia, the
innovative community, and investors; strength of the talent pool; and the
optimal time zone and proximity to the European market.
The biggest challenges facing these startups appear to be
marketing challenges.  Examples founders
gave include acquiring credibility, overcoming prospects’ perceptions about the
relative safety of their current solutions and the difficulties associated with
implementing complex technologies, and prying open the door to the CSO office.
Therefore, it should have been less of a surprise that their
next big hire was not necessarily raw engineering talent.  Instead, the startups said they were seeking
sales and marketing personnel and smart security practitioners who had prior
experience with breaches. 
Is there a talent gap?
The conversation also included a more general conversation
about whether there’s a talent gap here and if so what to do about it.  My sense, in listening to the conversation,
is that there isn’t necessarily a talent gap. 
That said we do need to restructure thinking about our organizations, our
hiring requirements, and our training efforts to build the security workforce
of the future.
There appeared to be general agreement that companies are
not seeking security experts.  Instead,
they are seeking experts in other fields, particularly developers, who can
complement their existing expertise with security knowledge. 
Echoing themes from other sessions, speakers said that
security is everyone’s business.  You
will need a deep awareness of the asset landscape and the threat
landscape.  You need to embed security
expertise in every area of the company–and everyone has to take ownership for
preventing breaches.
You will require people with a broad technology foundation
that are knowledgeable about operating systems, data sets, and how to develop
code with an emphasis on scripting.  You
will need rugged Dev Ops personnel who have hands on experience with the
technology stack and automation so that they can build tools that simulate
threats that are proactive versus reactive. 
In addition to technical experts, companies will also need
supply chain experts, operations personnel, lawyers, and other practitioners
who have an in-depth understanding of the silos that make up a business and can
look for exposures in each of these areas. 
When speakers spoke about education, many focused on STEM
courses at the primary and secondary levels, including introductory courses in
Computer Science. 
Edna Conway, CSO, Global Value Chain at Cisco recommended
that job seekers focus on the skills they have–and how to connect them to
security.  Panelists agreed that
certifications are not as important. 
Rather, they are a “nice to have”.
Human Resource personnel will need to shift the focus from
years of experience to less tangible capabilities such as social skills, the
ability to make risk decisions, and the ability to advocate for resources.  They will also need more flexible policies
that allow higher salaries, greater increases, and perhaps more frequent
performance reviews.
The Last Frontier session will be discussed in a later post
by the session’s moderator. 
All in all, it was a great conference.  I left with a much greater appreciation of
the impact security has on a business’ success, challenges businesses face in
delivering the security their customers are coming to expect, and a list of
opportunities for MA businesses and job seekers.  Thanks to everyone who attended the conference
and contributed to the conversation!
Expect to hear more follow-up and next steps for growth and
support of the security community within the next few weeks.  

Upcoming Events


Related Articles