Silicon Valley, where I live and work, is the obvious answer as to where to find the most innovative security products. Money flows up and down Sand Hill Road, showcase offices spring off of University, startups gather on either side of the 101 from San Jose to San Francisco, and deals are being made daily at coffee shops like Philz, RedRock, and Coupa (where a latte costs .007 bitcoin!).
When I started my innovative IPv6 company 10 years ago, I chose the DC area, as it had the one thing that Silicon Valley was missing back then--customers. Since I was there, great new incubators have taken off, like 1776 and Mach37, and there is strong governmental support for security startups across the region, as well as the remains of the AOL zillionaires to fund.
Austin has the Dell-ionaires ecosystem, and Israel has the Mossad mystique running full speed in support of their security startups. And Silicon 'fill-in-the-blank' cities have taken that (very outdated) moniker about as far as credibility will permit.
But this question is not about geography, and I've no interest in sparking an east-west gang cyberwar (though it would make a good reality show, Thom Beers!). I've posed this question to discuss if startups are the best and only place to bring true security innovation to the market.
This question arose at a reception after a DHS tech transition council meeting at SRI (in the heart of Silicon Valley) last night (March 2015). Are startups, which are highly innovative in approach, truly meeting the needs of the great enterprises around the world? We'd just heard from major CISOs explaining how difficult and time-consuming it is to introduce new disruptive tech into their companies. I know I've tried as a systems integrator to bring emerging tech companies into certain situations only to be challenged by the CISO with questions of their longevity, mission-critical practices, real quals, and trustworthy future. I know many very strong technologies that will never get their chance to save the world due to these factors.
For years, security innovation rarely came from large established companies, due to the Innovator's Dilemma, which Clayton Christensen described so well in his best-selling book of the same name. The premise of protecting one's current customers and products, at the cost of innovation, was a very real thing back in the day. Companies that sell buggy whips are the last to embrace the internal combustion engine.
My belief (and I've just voted with my feet by just joining 129-year-old Unisys Corp to head their security business, instead of a much shorter commute down the 101) is that big companies--if they truly embrace innovative practices--can be an important force in innovative security products by combining that new style with their existing substance of mission-critical people and practices, large IP portfolio, global scale, customer intimacy, routes to market, financial trustworthiness, and long-term outlook. It was that IP portfolio, strong talent team, and integrated routes to market that were worth more than an A, B, and C round combined. Sure, there are different sets of challenges at a big company, which is why this approach isn't for everyone, but being able to take a long-term approach to earn trust with a company over years is a great luxury few VCs allow a startup. In the end, there must be balance.
I believe not that there is room for everybody, as most new products never see the light of a major deployment, but there should be input from both camps. Many people in the security business today are in it for all the right reasons--we want to do good and help save the world. As it happens, if you do that you'll probably make a buck or two for you and your stakeholders, but the 'do good' part is clearly what gets us out of bed every morning.
Working together, whether through ISACs, with law enforcement, incubators, or groups like SI/Net, advanced innovative security products can and must emerge that have the trust and confidence of enterprises around the world.