Leo Taddeo studied physics at a good engineering school, but he is not your typical nerd. As a Marine Corps tank officer in Iraq, he was awarded the Bronze Star and the Purple Heart, and then he served 20 years as a special agent in charge of cybercrime for the Federal Bureau of Investigation in New York. He can sling tech jargon, but he also has a crystal clear sense for who the bad guys are in the constantly evolving underworld of hackers.
“The capabilities of criminal organizations are catching up with nation-states like Russia and China,” Taddeo says, calling out two countries tagged by some US government officials as perpetrators of recent cyberattacks. When hackers breached the digital vaults of Bangladesh’s central bank and made off with $81 million, some of that money “goes into research and development, and hiring programmers” to come up with the next attack, he says.
But there is a flip side: The Bangladesh incident in February, or the theft and release of Democratic National Committee e-mails and internal research documents in July, generate headlines that get everyone focused on just how vulnerable computer systems can be.
“Every day, we can just use the front page of any given newspaper as marketing material,” says Taddeo, who now serves as the chief security officer for Cryptzone , a Waltham cybersecurity startup.
Bad news is good news for data security companies, which are sort of like fence contractors and alarm installers benefiting from a neighborhood’s burglary spree. And there are dozens of those companies around Boston, which has emerged as Silicon Valley’s biggest challenger in the cybersecurity industry.
Companies such as Rapid7 of Boston have gone public (its market value, following a 2015 initial offering, stands at more than $750 million), and CloudLock of Waltham was acquired by Cisco in June for nearly $300 million. About $3.8 billion of funding went to startup companies in the sector last year, up 36 percent from the year before, according to data from the financial services firm BTIG.
Boston’s strength, when it comes to helping companies build fortresses around their data, comes from academia and traces back to the work of researchers like Ron Rivest, Adi Shamir, and Leonard Adleman at MIT, who devised novel ways to encrypt and decrypt information. In 1982, they founded a company called RSA Security, which grew into one of the industry leaders before being bought by EMC and, this month, subsumed into Texas-based Dell Technologies.
Today, there’s still a lot of leading-edge thinking about how to safeguard your credit card number, or your company’s customer records. Can quantum theory be used to create unbreakable data encryption? Can software get smarter about observing our behavior, so it can understand the normal patterns of our work with computers versus a pattern that looks more like a crook’s?
While lots of security startups might eventually be acquired by a bigger player, Elizabeth Lawler, chief executive of Waltham-based Conjur, says “there’s the desire to build large, standalone companies here in the Boston area.” But a big part of what keeps the ecosystem humming is people who decide to depart after they’ve been acquired into a larger company. “You keep repopulating the new cybersecurity companies with salty dogs who know security,” she says.
Jeff Fagnan, a venture capitalist at Accomplice in Cambridge, suspects that “the space is overfunded at the moment,” with too many “me too” companies. Many executives in the sector acknowledge it is getting crowded and that customers “have to separate the signal from a tremendous amount of noise,” in the words of Bob Brennan, chief executive of Burlington-based Veracode.
That’s true, says Jeremy Delinsky, chief technology officer at Wayfair, an e-commerce company in Boston, but security is an area where younger companies “can often be further ahead in understanding a new problem, while bigger companies tend to be a little bit slower in how they innovate.”
While there are local venture capital firms like Accomplice, .406 Ventures, and TenEleven Ventures that spend much of their time looking at newly hatched security companies, investors are getting “more stringent” about providing later stages of funding, says Brian Ahern, chief executive of Threat Stack, a Boston cloud security company that raised $15 million earlier this year.
Still, the community of investors, security startups, and willing early customers in financial services and health care creates what I like to call a bonfire. It’s a healthy blaze that attracts even more people around it. Bonfires are sectors where Massachusetts is already a global leader and should be touting what’s happening here even more.
In the last few years, companies from Finland, Sweden, Israel, Ireland, and Argentina have set up offices here to be close to the bonfire. Even California, believe it or not.
Paul Martini, the chief executive of iboss, a San Diego network security startup, says that when he was raising money last fall, he was also looking for another city where iboss could set up an office and start to hire. He considered New York, San Francisco, and Boston. Even though the money eventually came from Goldman Sachs in New York, Martini picked Boston for the “sister office to San Diego,” which could eventually grow into the company’s headquarters. Why? We’ve got lots of executives and worker bees with successful track records in cybersecurity. Martini leased an office in July, moved into a condo on Labor Day weekend, and spent much of this week interviewing prospective hires.
“Boston probably has the opportunity to challenge Silicon Valley in security for lead dog position,” says Accomplice’s Fagnan, whose firm has put money into seven newly formed security companies in the last 12 months. But these companies take a long time to build, he says, and though the customer always feels anxiety about staying a step ahead of the bad guys, there’s plenty of pressure for the companies as well.
“It’s a cat-and-mouse game,” says Dan Schiappa, head of the Burlington office of Sophos, a British company that offers security products to small and midsize companies. “If you are not a rapid innovator in this business, and if you don’t prepare for the next big threat, you’re going to die on the shelf.”Scott Kirsner can be reached at firstname.lastname@example.org. Follow him on Twitter @ScottKirsner.