Cisco’s announcement this month that it intends to acquire Ann Arbor-based cybersecurity startup Duo Security for a whopping $2.35 billion shines a light on the Midwest’s increasing strength in the cybersecurity space. Given that Ann Arbor is relatively small compared to cities like Chicago and New York, such a large exit might come as a surprise to some. However, Duo Security is not a cybersecurity island in Ann Arbor. Rather, Ann Arbor may very well be the epicenter of the Midwest’s growing cybersecurity industry.
Duo Security cofounders Dug Song and Jon Oberheide previously worked together at Arbor Networks, which was founded in 2000 as a University of Michigan spinoff. That same year, Ann Arbor gave rise to a number of cybersecurity startups like NextHop Technologies and Interlink Networks, which spun out of Merit Network. The University of Michigan cofounded Merit in 1966, connecting mainframe computers from coast to coast and helping to develop internet standards that are still in use to this day. It is the longest-running computer network in the United States, and students and researchers had access to study the earliest internet traffic. All of this created a deeply knowledgeable talent pool in Ann Arbor with the expertise to become startup founders.
In 2007, with several cybersecurity startups planted in Ann Arbor, Silicon Valley-based Barracuda Networks opened an Ann Arbor office. A few years later, in 2010, Arbor Networks was acquired by private equity firm Danaher. This is where velocity begins to increase in the ecosystem. That same year, Song and Oberheide founded Duo Security. The following year, other early Arbor employees founded Deepfield Networks, which Nokia acquired in 2017. That same year, the university spun out Censys.io, which is now led by early Duo Security employees. Just this year, another university alum founded Blumira, the city’s newest cybersecurity startup. All of these successful security companies — including Arbor, which was acquired again by Netscout in 2015 — still operate in a city with a population of approximately 120,000.
While Ann Arbor might arguably be the epicenter of the Midwest’s cybersecurity industry, talent and resources are increasing in cities like Chicago and St. Louis as well. In these cities, however, we see different growth trends. One of those trends is that security experts leave the coasts and bring their expertise to Chicago.
For example, Trustwave was founded in Chicago and led by employees from coastal cybersecurity companies: Reston, Virginia’s Verisign and Atlanta’s IBM-owned ISS. Singapore’s Singtel acquired Trustwave in 2015.
Other homegrown cybersecurity companies include VASCO (now OneSpan), which launched in Chicago in 1997 as a cybersecurity provider for financial services companies and went public in 2000. In 2009, Chee-Young Kim and Andrew Hoog cofounded mobile-centric security company NowSecure. In 2012, repeat network security entrepreneur Raymond Hicks founded 5thColumn, and the following year, Mohammed Elkhatib — who cut his teeth at coastal cybersecurity companies like Netegrity, Cisco, and RSA — founded Anomalix, which creates identity management and access governance solutions for companies.
We also see a trend of successful Chicago entrepreneurs returning to the market to break into the cybersecurity space. In 2010, the former chief information security officer at Orbitz, Ed Bellis, founded Kenna Security, which has main offices in both Chicago and San Francisco (my firm Hyde Park Angels invested in Kenna). Similarly, repeat Chicago entrepreneurs Craig Lurey and Darren Guccione reunited in 2011 to cofound Keeper Security.
While Chicago certainly has a growing cybersecurity market, southwest Illinois is also home to Scott Air Force Base, which became host to the country’s largest cybersecurity operations center in 2016. Located just outside of St. Louis, the base’s new Cyber Protection Division has fueled a growing demand for cybersecurity talent in the region. With the Department of Defense’s best networking technologies at its disposal and major institutions in the region that have vested interests in protecting data, we will likely see more startups emerge in St. Louis — similar to the impact that Merit had on the Ann Arbor talent pool.
In the hopes of fueling this ecosystem, leaders in both St. Louis and southwest Illinois are collaborating to provide cybersecurity workforce development resources for the region. Launched in 2015, the Midwest Cyber Center provides a range of tools to help grow St. Louis’ cybersecurity talent pool — from priming youth through various curricula to offering apprenticeships for experienced professionals looking to enter the industry.
It’s not just St. Louis-area entrepreneurs and community developers who are providing the necessary resources for innovation, however. In 2016, a cybersecurity-focused VC fund and accelerator program called SixThirtyCyber launched in St. Louis. SixThirtyCyber provides seed funding, programming, and mentorship to cybersecurity startups. While startups can apply from anywhere, accepted startups must participate in the program in St. Louis. One of the fund’s promising St. Louis-based portfolio companies is AppsCo, which helps users securely manage their access to their company’s apps. Time will tell how well SixThirtyCyber’s fund does at attracting and retaining top cybersecurity talent in the region, but St. Louis is certainly on the cybersecurity radar and will likely make major strides in the coming years.
As Ann Arbor serves as a longstanding network security pillar, Chicago matures, and St. Louis buds, I think it’s safe to say that we’re currently witnessing the Midwest’s emergence as a major player in the cybersecurity industry. With the capital that Duo’s acquisition will infuse into the region through its entrepreneurs, it will be very interesting to examine cybersecurity’s growth in the Midwest over the next several years.
Pete Wilkins leads the most active early-stage venture group in the Midwest, Hyde Park Angels (HPA).