Yeah, It Makes Sense for Virginia to Invest in Cybersecurity

Mackster

The Mackster gives speech at Launch Lounge event in San Francisco in March 2016. Photo credit: Richmond Times-Dispatch.

by James A. Bacon

Normally, it’s a terrible idea for government to pick economic winners and losers. Politicians latch onto fads and enthusiasms arising from the private sector but allow wishful thinking to override investment discipline when it comes to allocating government capital.

Bacon’s dictum is that if “everyone” knows a sector is hot, and “everyone” is investing in it, unless you’re the smartest, best-informed guy in the room, you’re probably wasting your money.

Twenty years ago, economic developers were chasing the semiconductor and “high tech” sectors. Today, biotech and greentech are hot — and mayors and governors around the country are mal-investing hundreds of millions of dollars in those sectors in the vain hope of triggering riding the wave to economic prosperity. That’s why I cringe when I read about the City of Virginia Beach putting money into a “biomedical” office park, and I get the heebie-jeebies when the state backs Northern Virginia’s Center for Personalized Health.

I may live to regret saying so, but I think that Gov. Terry McAuliffe may be on to something with his cybersecurity initiative. His two-year budget for 2017-2018 steers $750,000 in extra funding to Virginia’s Center for Innovative Technology (CIT) to develop an “information sharing and analysis” capability to build upon CIT’s Mach37 cyber-accelerator located in the CIT building and CIT’s investments, typically about $50,000 a pop, in cyber-related start-ups. In the grand scheme of things, the money is pocket change. The real contribution that CIT provides is acting as a relationship and resource broker for aspiring entrepreneurs.

There are several reasons why I think the cyber-security initiative makes sense for Virginia.

First, business and government awareness of cyber threats has increased markedly in the past few years. The threat is real, and business and governmental organizations are spending more money to combat it.

Second, Virginia is a major player in the industry, second only to California in the number of cyber-security vendors. Companies with cyber-security capabilities have clustered in Northern Virginia to serve the Department of Defense, the Central Intelligence Agency, the Federal Bureau of Investigation and the National Security Agency, where security requirements are high. With a wealth of human capital — thousands of IT workers trained in information technology and cyber-security — the region generates lots of new security-related business ideas. The existence of an existing business cluster and innovation ecosystem makes it easier for entrepreneurs to recruit skilled employees and forge alliances and partnerships.

Third, cyber-security as an economic development ploy has not yet become a national craze. Stupid money hasn’t yet started flowing into the industry, creating a glut of too many dollars chasing too few deals. Inevitably, that will happen, and Virginia leaders need to be alert to it. But it doesn’t seem to be happening yet.

Fourth, Virginia is not throwing around a lot of money. The added sums are infinitesimal compared to what Virginia is spending on new STEM programs at Virginia universities, the Commonwealth Research Commercialization Fund, and the universities’s share of the recently approved 2.1 billion bond package. As noted above, Virginia’s main contribution to cybersecurity is identifying entrepreneurs with promising ideas and hooking them up with private-sector partners who can help them. That is a defensible, inexpensive, and value-added role for the state to play.

Finally, the potential return on public investment is high. ThreatQuotient, a Northern Virginia cybersecurity company that received $1.5 million in seed funding from local investors including CIT early last  year, raised $10.2 million in second-round financing in December, and won recognition in a cybersecurity industry conference in San Francisco as “startup company of the year.” ThreatQuotient now employs 50 people in Reston, according to the Richmond Times-Dispatch.  Reports Michael Martz:

CIT officials estimate the [Growth Accelerator Program seed] funds leverage every dollar invested by 18.5 times, using $17.9 million in equity investments to attract $331 million in private investment in companies with a total value of $798 million. They estimate those companies will create up to 9,000 jobs in Virginia over the next five years. The [state] budget allocated $3.1 million a year to the program and requires a return on investment of no less than 11 to 1.

It goes without saying that such claims should not be taken at face value. CIT, like every other public, private or quasi-public entity in the world, is putting the best face on its performance. Still, the investment returns would appear to be orders of magnitude greater than traditional economic-development tax incentives and real estate subsidies.

There appears to be one other thing the state can do to promote this burgeoning sector. As Martz observes, thousands of cyber-security jobs are going begging in Virginia. The industry has grown faster than the ability to train people to fill the jobs. “It’s an absolute fact for our industry that the demand for talent, especially technical talent, and the supply, there’s just a disconnect,” he quotes John Czupkak, who serves on the ThreatQuotient board of directors, as saying.

As I have long maintained, state and local government can best promote economic development by doing its core jobs well: Deliver the highest quality government services at the lowest possible cost. Virginia doesn’t need to incentivize or subsidize cybersecurity to make it successful. Virginia community colleges and universities need to turn out more graduates with the skills the industry needs.