Crossing the Cybersecurity Start-Up Chasm

Tom Weithman, MACH37 President, offers three simple rules to entrepreneurs seeking to differentiate their cybersecurity offering

On April 24th, I had the opportunity to speak at DCA Live’s “Big Cyber Growth Summit” in Crystal City. The event was incredibly well-timed by the folks at DCA Live as it followed closely on the heels of RSA’s 2018 conference – the “really, really big cyber growth summit” – in San Francisco, April 16-20.

As President of MACH37 and Chief Investment Officer for the Center for Innovative Technology (CIT), I was pressed into service on DCA’s “The Getting Funded Panel.” As seems to be increasingly the case, I was joined on this panel by several individuals from our ever-expanding mentor/investor network: GAP Fund portfolio CEO-turned-venture capitalist John Funge from Datatribe; oft-time GAP Fund co-investor (ThreatQ,, Virgil Atomicorp) Steven Chen from Blu Venture Investors; and a VC we look forward to doing deals with in the future – Steve Smoot from Lavrock Ventures.

Thanks to our incandescent moderator, Matt Klinger of Bridge Bank, a lot of great questions were posed.  And courtesy of the wit and wisdom of panelists other than myself, a number of great insights and operations were advanced. But for me, the most compelling question centered on start-up differentiation – i.e., ‘How can a start-up at the earliest stage of development differentiate itself and acquire first customers in the increasingly complex and crowded cybersecurity sector?’

One need only walk the floor at RSA to seize upon the importance of this question. Over the past few years, the space has become profoundly confusing for buyers; as investors have poured funding into the sector, new market entrants and products have proliferated and lines between cybersecurity subsectors have blurred. Amid this confusion, how does a prospective buyer make the decision to take a chance on a cybersecurity start-up?

Between CIT GAP Funds, our “Virginia Fund”, and MACH37, we have now been involved in 70+ seed and early stage cybersecurity investments. Based on observation of this modest universe, I would offer three simple rules to entrepreneurs seeking to differentiate their cybersecurity offering:

  1. Principle #1: Live with the Problem First – From our experience, the most effectively differentiated solutions are those born of founders who have lived the problem first-hand. Nothing brings sharper focus to the product or greater credibility to the team in the eyes of the customer than a founder or founding team who have lived through the real-world pain that their product is designed to solve.
  2. Principle #2: Lean Is as Lean Does – At MACH37, we are big proponents of the Lean methodology. Lean implementation calls for cyclical development and reiterative customer feedback, early and often. It is a natural extension of Principle #1. Vigorous adherence to this demands continuous customer cultivation and keeps moving the ball downfield, from initial data gathering to beta placement to paid customer conversion.
  3. Principle #3: Surround Yourself with Good Help – There is no question that a repeat and successful cybersecurity entrepreneur with a ready-made rolodex has a distinct advantage in gaining initial customer traction. But what about the other 98% of entrepreneurs who don’t fit that profile? Well, they need to get that rolodex by proxy by prudently recruiting others to the cause – FTEs, advisors and board members – that have those early customer contacts. That’s where a good accelerator can help.

My thoughts are not exactly rocket science, and this is nothing that couldn’t be said of gaining first customers in almost any tech sector. But I would consider these principles mandatory for start-ups seeking differentiation and first customers in this crowded and confusing cybersecurity market.

For more information about CIT and MACH37, please visit and


MACH37 Portfolio Company Spotlight:

Now we can have both High Security and High Convenience

The pain of passwords is a common issue in today’s world for both users and companies alike. There are either too many passwords to remember, or not enough diversity between them to keep your accounts safe. With breaches resulting from inadequate authentication happening every day, companies are scrambling to define stronger password controls. Verizon states that almost 67% of all hacks occur in some way due to stolen or compromised credentials. But what can be done to change a system that has become so pervasive across the world?

This is where Status Identity’s origin story begins. Our company seeks to provide a solution for the competing priorities of password security and convenience. The increasing complexity of authentication mechanisms was resulting in productivity losses for corporations, and frustrations for their employees. Status Identity brings to market a solution that keeps passwords in their place, but adds a second factor to reduce the risk of that log-in for the enterprise. This is a rapidly growing space called multi-factor authentication (MFA). MFA requires users to validate their identity with answers/factors from two of the following categories: something the user knows (a secret), has (a specific possession), and is (a physical characteristic). While the password has always acted as a secret that the end-user knows, Status Identity looked at the second factor differently in order to increase security and convenience simultaneously.

Common solutions today send passcodes through phone calls and text messages to authenticate users. With these methods, security relies on third parties (telecom companies), and hackers have been able to spoof connections to secretly assume users’ phone numbers. The National Institute of Standards and Technology (NIST) has looked at this and recommended that these forms of MFA be replaced. And we can’t forget how much friction is created when users are required to enter in these codes on web pages, perhaps mistyping a single digit causing the whole process to start all over again. So what are we left with?

Status Identity’s solution uses an Android or iOS application that resides on the end-user’s phone for quick and convenient MFA. This application interfaces with Status Identity’s authentication service to confirm or deny access. The benefits of utilizing the phone are numerous, as users always have their phone readily accessible to them and have become very used to the features the phone offers for a second factor of authentication. These same features are leveraged within the app: the user can confirm or deny their access via a push notification, biometric authentication (such as TouchID), soft-tokens, and many other manners. However, the biggest difference that Status Identity provides is “Passive MFA”. So what exactly is Passive MFA?

Passive MFA provides corporations and security professionals the security of an additional point of verification without any active involvement required from the end user. Rather than require the end user to take additional steps after entering a single set of credentials, Status Identity simply pings their mobile device and captures data to ensure their behavior is consistent with prior patterns, and contextually relevant. For example, when a user logs in and types their username and password correctly, Status Identity would then make sure that the user’s phone is in the right area and that the application being accessed is a normal application for this user, amongst other criteria. If something seems anomalous, the service would prompt the user to authenticate via one of the above-mentioned factors. This logic is built so that the user has the ability to earn the trust of the service and gain access to passive authentication.

Status Identity’s objective is to make the authentication process as easy as possible so that security is an inherent part of your day. If we can leverage several data points at each point of log-in and adapt the optimal authentication mechanism during each access event, we should be able to solve the pain that passwords have caused for many years.

–  Nakul Munjal, Status Identity Chief Executive Officer
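A minimal sketch of the passive-versus-step-up decision described in the Passive MFA paragraph above, added here as an illustration and not Status Identity's code. The thresholds, field names, decision labels and coordinates are assumptions, and a phone that does not answer the ping is treated as an anomaly so the check fails closed.

```python
import math
from dataclasses import dataclass, field

TRUST_THRESHOLD = 3     # assumed: successful logins needed before passive approval
MAX_DISTANCE_KM = 50.0  # assumed: how far the phone may be from the login origin

@dataclass
class UserProfile:
    usual_apps: set = field(default_factory=set)  # applications seen for this user
    trust: int = 0                                # consecutive successful logins

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def decide(profile, app, login_loc, phone_loc):
    """Run after the password check succeeded. Returns (decision, reasons)."""
    reasons = []
    if phone_loc is None:
        reasons.append("phone did not answer the ping")  # fail closed
    elif haversine_km(login_loc, phone_loc) > MAX_DISTANCE_KM:
        reasons.append("phone is not near the login origin")
    if app not in profile.usual_apps:
        reasons.append("application is not a normal one for this user")
    if profile.trust < TRUST_THRESHOLD:
        reasons.append("trust not yet earned")
    return ("PASSIVE_ALLOW" if not reasons else "STEP_UP"), reasons

def record_outcome(profile, app, decision, step_up_passed):
    """Update the profile once the login attempt has finished."""
    if decision == "PASSIVE_ALLOW" or step_up_passed:
        profile.usual_apps.add(app)
        profile.trust += 1
    else:
        profile.trust = 0  # denied or failed prompt: trust must be re-earned

if __name__ == "__main__":
    # Constructed sample data: a new user logging in to a hypothetical "crm" app.
    office, phone, far_away = (38.857, -77.051), (38.860, -77.050), (37.77, -122.42)
    user = UserProfile()
    for attempt in range(4):
        decision, why = decide(user, "crm", office, phone)
        print(attempt + 1, decision, why)
        record_outcome(user, "crm", decision, step_up_passed=True)
    print(decide(user, "crm", office, far_away))
```
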

MACH37 2.0 by Tom Weithman

As MACH37’s President and Chief Investment Officer, I was delighted last week to welcome our Fall 2017 cohort class. The 6 new companies of this, our “F17 cohort,” make up the 9th such class of MACH37, our nation’s first and preeminent accelerator dedicated solely to the launch and development of new cybersecurity start-ups.

We are proud to build on a strong past record of success. With start-up representation in its deal-flow to-date from 29 countries, MACH37 has truly emerged as a global brand. We are proud of having hit upon a formula that has allowed us to launch 46 new cyber companies since the program started in 2013. Our model has helped over 60% of MACH37 graduates succeed in raising funding post-demo day. We are proud that MACH37’s financial sponsors and supporters – among them General Dynamics, MITRE, and SAP NS2 – have testified to the value of our program. We are proud of our acknowledgement by the broader cybersecurity community as the “go-to” resource for security entrepreneurs. We build on this successful track record as we move forward with the Fall MACH37 class – ninth in chronology but the first of what we have come to consider “MACH37 2.0.”

So what’s changed?

New MACH37 Team Members: Mary Beth Borgwing (Left) and Jason Chen (Right)

Team Additions
As members of the founding MACH37 management, Chief Technology Officer Dave Ihrie and I were present at the creation of MACH37 in the Spring of 2013. This fall, for MACH37 2.0, we have welcomed on-board four new teammates:

      • Jason Chen – Managing Director of Operations. Jason brings to us a rich experience as a consultant, early stage investor and serial entrepreneur. Most recently, Jason has served as Techstars Entrepreneur-in-Residence, Director of Techstars’ Start-up Next Cybersecurity DC pre-accelerator program, and co-founder of cybersecurity training start-up HackEd.
      • Mary Beth Borgwing – Managing Director of Cyber. Mary Beth is an industry executive with 30+ years of operating experience in a variety of cybersecurity companies. Most recently, Mary Beth served as President and CEO of Lemonfish, a data breach discovery and AI analytics company that was acquired in March, 2017.
      • Jennifer Quarrie – Director of Knowledge and Innovation Strategy. Jennifer is a professional innovation strategist and entrepreneur who uses applied creativity and innovation to facilitate organizational transformation. She combines her instructional design skills and research in cognition, learning, well-being and listening with 17 years of international business experience to teach applied creativity and innovation across the public and private sectors.
      • Mike Ravenscroft – Associate Director of Operations. A former consultant for the Advisory Board and founding team member of the Smart Cities Accelerator, Mike will be working closely with Jason on the day-to-day operations of MACH37.

This team will be instrumental in MACH37’s drive to accelerate the industry’s next great cybersecurity start-ups.

Co-Location with CIT GAP Funds
Our discussions with MACH37 graduates consistently point to the benefit of closer linkage between MACH37 classes and other start-ups, specifically citing start-ups in the CIT GAP Funds portfolio. Acknowledged by organizations such as CB Insights, Entrepreneur Magazine and the Association for Corporate Growth as an industry leading venture investor, CIT GAP Funds has placed over 180 seed and early stage investments since its 2004 launch. Along the way, CIT GAP Funds has quietly built up a reputation as one of the nation’s leading early stage cybersecurity financiers with a deal sheet including investments such as Invincea, Distil Networks,, ThreatQ and Divvy Cloud. As CIT GAP Funds has bankrolled all 46 of MACH37’s seed investments, it made sense to foster greater synergies between the two portfolios. In MACH37 2.0, we have physically co-located the CIT GAP Funds Investment Team and MACH37. We realized still greater density of entrepreneurial activity by folding the Smart Cities Accelerator into a single common work space. These linkages offer the F17 cohort an unprecedented concentration and diversity of perspective on the new business formation process and a heightened visibility to members of the downstream investor community likely to back MACH37 deals.

Curriculum Enhancements
MACH37 2.0 introduces a pair of enhancements to the past MACH37 training program. Curriculum changes deepen MACH37’s reliance on the Lean Start-Up methodology and place a greater emphasis on customer development by introducing the GOOTB (“get out of the building”) approach. Our commitment to these twin principles emphasizes continuous interaction throughout the program by accelerator companies with real-world cybersecurity industry experts. Our curriculum and cohort management approach will challenge MACH37 companies to leave the comfort of the office and literally “get out of the building” to test their assumptions, pivot, and rapidly hone their go-to-market strategy in a real world setting through brokered meetings with potential customers, partners, and investors. These enhancements will produce more “shots on goal” by MACH37 graduates for our founders and their customers and investors.

Re-Focus on STARS Mentor Network
MACH37 has long been differentiated by its broad and deep, cybersecurity industry-specific “STARS” mentor network. In MACH37 2.0, we draw on this network with renewed vigor and focus. Through the assignment of “lead mentors” and formation of advisory “kitchen cabinets” for each MACH37 company, we will provide founding teams with extensive one-on-one mentorship from cybersecurity industry experts in sales, marketing, product development, and venture capital investment. This coupling of MACH37 instructional processes and business advice delivered by business- and technical-savvy mentors will create valuable connections that provide MACH37 startups the competitive advantage required to attain market leadership and customer traction. Again, think “customers … early and often.”

MACH37 Fall 2017 Meet the Cohort – Fireside Chat with Dov Yoran and Ely Kahn

MACH37 “Gets Out of the Building”
In MACH37 2.0, the accelerator itself will live by the principles it espouses, maximizing exposure to partners and accelerator stakeholders throughout the region. To do this, we are taking our Fall 2017 flagship MACH37 events – including our “Meet the Cohort” event, “Security Leaders Dinners” series and “Demo Day” – to multiple locations along Northern Virginia’s Metro Corridor.

Our Meet the Cohort event kicked off our Fall 2017 event series last week at SineWave Technologies in Crystal City. The event featured a lively fireside chat with Ely Kahn, Co-Founder of Sqrrl, and Dov Yoran, Senior Director, Business Development at Cisco Systems.

Next Wednesday, we will host our MACH37 Fall 2017 Security Leaders Reception featuring Dr. Mark Maybury, Vice President of the Intelligence Portfolio for The MITRE Corporation. For more information on this event and others, visit our website:

From all reports, the entire MACH37 community – the F17 class, past MACH37 graduates as well as our sponsors, mentors and other investor and corporate stakeholders – are as excited as we are about MACH37 2.0. We’re not turning MACH37 upside down … just inside-out. We hope you’ll come along for the ride!

–  Tom Weithman, MACH37 President and Chief Investment Officer