In the course of analyzing the death of the Taxpayer Protection Initiative HoCo Rising implored the Howard County Republican party to focus on more serious activities, and among other things noted: We need ideas for how to … make Howard County the Silicon Valley of Cyber technology… By Cyber technology I presume HCR meant cybersecurity, the sexed-up name for what used to be known as information security, IT security, or computer security. So that naturally moved me to ask the following question: Is it possible that Howard County could indeed become the Silicon Valley of cybersecurity?
Answer #1: No.
In fact, I’d echo what Lloyd Bentsen once said to Dan Quayle: Howard County, I’ve been to Silicon Valley, I know Silicon Valley, I’ve worked for Silicon Valley companies half my life. Howard County, you’re no Silicon Valley, and you’re not likely to be the Silicon Valley of anything anytime soon.
Then I thought, well, that’s rather rude and dismissive, maybe I should be a little more open-minded about this and do some actual investigation of the question. So on to…
Answer #2: No, because there’s already a Silicon Valley of cybersecurity, and (surprise!) it’s Silicon Valley itself.
Here I’m assuming that by a Silicon Valley we’re referring to a region where technology innovation is rampant and where that innovation drives a thriving economy of entrepreneurial firms providing technology-based products and services. In the area of information security specifically we can get a good take on the regions doing the innovating by looking at the companies recognized in the annual awards sponsored by SC Magazine, a leading trade magazine for IT security professionals. I took the list of 2010 award finalists, reworked it into the form of a Google Docs spreadsheet, and then created another spreadsheet listing the companies who were finalists, along with each company’s main location(s) and the associated region(s). (This involved some judgment calls, for example where a company was a semi-autonomous division of another company or had multiple main offices.)
The resulting list includes a wide range of successful and innovative companies in the general information security space, creating and marketing products that range from relatively simple anti-virus and firewall products to complex systems for detecting, analyzing, and rectifying security problems in large enterprise networks. Of the 75 companies that were finalists, 28, or over a third, were based wholly or partly in Silicon Valley, ten in the Route 128 area around Boston, six in Southern California, five in Texas, and four in Maryland and Northern Virginia (the region all the cool kids are now calling the DMV); no other region had more than three. Locally, two Columbia-based companies were on the list, Sourcefire and Tenable Network Security. (To put this in perspective, both Overland Park, Kansas, and Atlanta, Georgia, also had two companies on the list.)
Clearly anyone looking to create a world-class company providing information security products and services is going to look first at Silicon Valley, and perhaps also at the Route 128 area. Other regions may each have a few local champion companies, but by and large the rest of the world is simply going to be purchasing and using products and services created elsewhere. My employer (which happens to be an SC Magazine 2010 award winner) is no exception: We’re headquartered in Sunnyvale, California, in the heart of Silicon Valley, and have almost all of our employees based there, including all our R&D activities; we have only four people in Maryland and Virginia, all of whom are focused on selling our products to Federal government customers.
So when it comes to commercial cybersecurity technology and IT products and services in general, with only a few minor exceptions we’re in a situation reminiscent of the famous Trenton, New Jersey, slogan, Silicon Valley makes, Howard County takes.
Well, that’s rather a downer. Frank, can’t you come up with any better answers? Read the upcoming part 2 for another take on the question at hand (not that you’ll necessarily find it any more comforting).