Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

The high cost of doing business in California's San Francisco Bay Area is just one factor driving infosec companies — established and and startups, alike — to pursue their fortunes elsewhere. Here's where many are going.

Sara Peters, Senior Editor

December 11, 2019

12 Min Read
(Image: archjeff/Adobe Stock)

Figure 1: (Image: archjeff/Adobe Stock) (Image: archjeff/Adobe Stock)

A rich bounty of technology talent, nearby centers of cutting-edge technical research, perpetually pleasant weather, and plenty of money helped make California's San Francisco Bay Area an IT and cybersecurity mecca. Yet one glance at current real estate prices in Silicon Valley may send one running toward rainy weather and lower rent.

The cost of doing business is just one factor driving cybersecurity companies to pursue their fortunes elsewhere. And as infosec businesses in other places in the world catch fire, setting down stakes in the Bay Area grows not only less appealing, but less necessary.

"There is a general trend of saying 'big cities are too expensive,'" says Hank Thomas, CEO of American cybersecurity venture capital firm Strategic Cyber Ventures (SCV). That's pushing startups and major players alike to set up shop in second-tier cities instead.

Thomas also says he's beginning to see a new entrepreneurial spirit: More infosec professionals are confidently striking out on their own to launch startups, when only four or five years ago that was less common. Individuals with backgrounds in military or government defense, for example, or those with backgrounds in hardware are creating their own security products companies — more so than security services — and establishing headquarters in their own backyards.

"The key ingredients, in my opinion, for success of cybersecurity, which Silicon Valley has, are an abundant supply of venture capital money, entrepreneurs who are risk-takers, and a society which fosters this culture," says Umesh Padval, partner of VC firm Thomvest Ventures. "Silicon Valley is very attractive due to its open culture to attract the best people from around the world, as the area has great universities."

However, international students' enrollment in US universities at both the undergraduate and graduate levels has been decreasing over the past three years, particularly from Saudi Arabia, South Korea, Iran, Mexico, the United Kingdom, and, on the graduate level, India. The changes are attributed to a mix of American universities’ increasing costs, improving programs in home countries, and changing American policies on immigration on international policy, according to the Institute of International Education.

So are there other places that do fit the description that made Silicon Valley appetizing?

Let's take a look at where new cybersecurity startups are spinning up, established firms are laying down new offices, venture capital money is pouring in, universities are generating research and creating security degree programs, and cities are launching initiatives to support the development of the security industry.

(Continued on next page)

Figure 3: (Image: footagemaker2018/Adobe Stock) (Image: footagemaker2018/Adobe Stock)

Honorable Mentions

Tokyo: Japan's capital city is home to cybersecurity giant Trend Micro, as well as SoftBank, which has recently made major security and technical investments across the globe. Tanner Johnson, senior research analyst for IHS Markit, also puts Japan on his watchlist because the country is not only a "US-centric stepping stone into the Asia-Pacific” but also is "promoting more cybersecurity diligence." He notes that in preparation for the 2020 Tokyo Olympics, the nation is doing a cybersecurity audit of 200 million connected devices.

Maharashtra, India: The western state of Maharashtra includes Mumbai and Pune. Symantec and Cisco Security are there as well as CrowdStrike, which is listing over 15 job openings in the area.  

Ann Arbor, Michigan/USA: "Duo Security kind of put [Ann Arbor] in the spotlight," says Ovum senior analyst Eric Parizo. "Lot of cyber talent there and obviously the University of Michigan as well."

Utah/USA: Major infosec giants Symantec and FireEye already have offices in Draper, Utah. The state also houses Centrify and Idaptive, two of Forbes' top 10 cybersecurity startups to watch.

Vancouver, British Columbia, Canada: "Vancouver is an interesting hub, particularly for IoT/OT security," says Jeff Wilson, senior research director and adviser for IHS Markit. "I think most of the activity started in the university, but it spawned startups like Tofino and Wurldtech that were acquired ([by Belden and GE], and several major cybersecurity companies base their threat research operations out of Vancouver, including Fortinet.”

Wilson notes that Fortinet also recently built a FortiGuard Labs facility elsewhere in British Columbia, and that the region's closeness to Seattle is a benefit.  

Beijing, China: Foreign cybersecurity investments in China have cooled off, according to recent research from SCV Ventures. Nevertheless, Thomas says that some Chinese industry leaders believe they can stake a claim in the global cybersecurity market, despite increasing fears of cyber-espionage, IP theft, and state-sponsored disinformation campaigns. Beijing is home to China's first threat intelligence company, ThreatBook Labs, as well as Qihoo 360, China's largest provider of cybersecurity solutions, which just announced it will jointly open a cybersecurity technology innovation center with Israel. There are also new startups in China deliberately aiming to serve markets outside the Great Firewall.

(Continued on next page)

Figure 4: (Image: PerryPlanet/Wikimedia Commons) (Image: PerryPlanet/Wikimedia Commons)

New York/USA

Rising real-estate costs in New York City have caused many flagship stores to be replaced by "space available" signs. Yet Steve Morgan, founder and editor-in-chief of Cybercrime Magazine, says the city has enough other charms for it to be a promising location for cybersecurity investments.

"The New York City Economic Development Corporation (NYEDC) has pumped $100 million into Cyber NYC via a public-private investment," Morgan notes. "New York is home to 45 Fortune 500 corporations. New York has a large and diverse workforce consisting of more than 4.5 million people. New York has nearly 100 colleges and universities. The fundamentals are there for the Big Apple."

(Continued on next page)

Figure 5: (Image: TUBS/Wikimedia Commons) (Image: TUBS/Wikimedia Commons)

Southeast England

SCV's Thomas says it is clear the British are serious about obtaining cybersecurity venture capital; inviting VCs like his to official meetings at the Embassy in Washington, for example.   

London is already home to some of the world's major risk management and advisory firms: KPMG, PwC, BT, and EY. The region is also home to the HQs of cybersecurity powerhouses and upstarts like BAE Systems in Surrey, Sophos in Abingdon, Digital Shadows in East Sussex, and Darktrace in Cambridge.

Infosec business has been streaming into "Thames Valley," particularly into the town of Reading. Fortinet, Symantec, CrowdStrike, Absolute, and MobileIron are just a handful of those with offices in Reading.

Alan Rodger, senior analyst at Ovum, also points further northeast to call out an incubator in Martlesham (in Suffolk, outside Ipswitch) that has spun out promising quantum computing company .Q, which helps deliver "future-proof encryption."

Many of the 19 UK universities recognized as Academic Centres of Excellence in Cyber Security Research are stationed in this region.

(Continued on next page)

Figure 6: (Image: WikiVButcher/Wikimedia Commons) (Image: WikiVButcher/Wikimedia Commons)

Austin, Texas/USA

"I'd say from the American perspective, the three big areas have long been Silicon Valley, Boston [the 128 area], and the Texas triangle: Austin [college talent], Dallas [home of several big tech firms], and San Antonio [Air Forces Cyber]," says Ovum's Parizo.

Of the triangle, "I think the big growth is going to happen in Austin," he says. "[We're] seeing more companies expand facilities there, with some even moving staff from California because the cost of living is much lower in Texas. It's no coincidence that both [Trend Micro] and [Palo Alto Networks] are having events there this year." 

Absolute, Blackberry AI and Predictive Intelligence, Cloudflare, CrowdStrike, and MobileIron – together making up half of Forbes' top 10 cybersecurity startups to watch – all have offices in Austin. As of press time Cloudflare had 71 open positions in Austin, including 21 engineering roles. 

(Continued on next page)

Figure 7: (Image: National Atlas of the United States/Public Domain) (Image: National Atlas of the United States/Public Domain)

Georgia/USA

Atlanta is home to the headquarters of SecureWorks and Pindrop. And other major companies are planting flags in the Peach State as well: IBM Security is in Atlanta, Cisco Security is in Alpharetta, and BAE Systems just cut the ribbon on its new innovation hub at the Georgia Cyber Center in Augusta.

"The state of Georgia invested $100 million into the Georgia Cyber Center [in 2017]. That's the largest investment of its kind for a [US] state," notes Steve Morgan, founder and editor-in-chief of Cybercrime Magazine. "The center is a giant cyber water cooler for local students, universities, investors, and startups. There's cybersecurity training, a cyber range, and even K-12 programming. We are starting to see the investment pay dividends with new tenants starting to occupy the space."

(Continued on next page)

Figure 8: (Image: US Census Bureau, Public Domain) (Image: US Census Bureau, Public Domain)

Baltimore-DC-Arlington Region/USA

Even before Amazon announced Arlington, Va.'s "Crystal City" neighborhood as one of its new homes, the region from Baltimore, Md., through Washington, D.C., through Arlington, Va., was swirling with tech and security activity. The latest Cybersecurity 500, published by Cybersecurity Ventures, lists 49 DC metro area companies among the 500.

The region is not only home to government and national security specialists like Northrup Grumman, Siemens, and Lockheed Martin, but also to Verisign, Endgame, LookingGlass, and ThreatConnect in Virginia; and Tenable, ZeroFox, and Terbium Labs in Maryland, among others.

Proximity to Washington, D.C., is one draw, since it is the center of the US federal government's defense and intelligence agencies.

"Anywhere with a strong military heritage has potential to create a pipeline of security talent and companies," says SCV's Thomas.

Beyond that, though, it is the location of a wellspring of cybersecurity university programs.

Maryland, Virginia, and the District of Columbia combined have 39 NSA/DHS designated Centers of Academic Excellence in Cyber Defense education and/or research. Thomas notes that the University of Maryland generates "a lot of talent for the NSA."

As Mike Janke, co-founder of DataTribe, wrote earlier this year, Maryland universities alone have awarded over 10,000 cybersecurity Bachelor's degrees since 2015, and "Maryland is the first state to set up its own cyber investing arm directly from its budget coffers, as well as the first Governor (Hogan) to make cybersecurity the number one focus of the state due to its vast technical resources."

(Continued on next page)

Figure 9: (Image: Ilya Shrayber/Wikimedia Commons) (Image: Ilya Shrayber/Wikimedia Commons)

Tel Aviv, Israel

One of the big splashy cybersecurity investments of 2019 was Japanese company SoftBank's $200 million investment in Cybereason, headquartered in Boston. However, Cybereason was founded by three Israeli researchers and maintains research and development offices in Tel Aviv, despite having corporate  its HQ in the US – a common story for many of the security industry's most successful startups in recent years.

Just this year, Twistlock, with R&D in Israel and headquarters in Portland, Ore., sold for $410 million to Palo Alto Networks (itself an American company with Tel Aviv ties, as its founder was an Israeli-American engineer from Israeli security firm Check Point). Just in Q3 2019, BigID and Axonius, each with offices in New York and Tel Aviv, raised $50 million and $20 million, respectively.

Israel seems to have all the necessary ingredients: a keystone company that first built its reputation (Check Point), a military with a strong legacy of cyber defense, elite technical universities, and local initiatives (like incubator Team8) to empower development of new security businesses.

"There is a shortage of local large VCs, but we are seeing an increase in US-based VCs that have venture arms in the region," says Thomvest Ventures' Padval. "The most important trait these cities have to their advantage is the majority of citizens must complete mandatory military service where they work on advanced cybersecurity products. When they leave the defense service, they take those ideas and bring them to commercial markets."

Indeed, poke around the leadership teams of companies like Cybereason, Deep Instinct, XMCyber, Illusive Networks, IronScales, and a host of others, and you'd think that "former member of Unit 8200" was a credential rather easy to come by. However, Unit 8200 is an elite intelligence team within the Israeli Defense Forces.

Researchers from Tel Aviv University and Technion make regular appearances on stage at security conferences. Researchers have recently unearthed vulnerabilities in Siemens PLCs cryptographic key pairs and failures in Microsoft's advanced threat protection to create timely signatures.

According to Cybersecurity Ventures latest Cybersecurity 500, Israel is the world's No. 2 exporter of security technology and has 42 companies listed on the 500.

"From our research, we've identified Tel Aviv, Haifa, and Herzliya, Israel, having the highest potential to become the next Silicon Valley," says Padval. "We even consider Israel to be a mini-Silicon Valley [now]."

 

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights