Medici Effect is real: Silicon Valley and Tel Aviv are still the best places to build a security company
A deep look into five of the largest cybersecurity startup ecosystems and the reasons why despite remote work, Silicon Valley and Tel Aviv are still the best places to build a security company
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Over 1,775 copies of my best selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been delivered by Amazon so far. This book is unique as it talks about building cybersecurity startups. It is intended for current and aspiring cybersecurity startup founders, security practitioners, marketing and sales teams, product managers, investors, software developers, industry analysts, and others who are building the future of cybersecurity or interested in learning how to do it.
Medici Effect and ingredients needed for cybersecurity companies to thrive
In the 15th century, the Medici family started funding the arts. This has driven many of the greatest artists and most innovative thinkers of their time to move to Florence. This convergence of diverse talent with different backgrounds and perspectives in one physical location led to the explosion of innovation which ultimately started what is currently known as the Renaissance. The term “Medici Effect” was first introduced by American entrepreneur Frans Johansson in his book titled “The Medici Effect: Breakthrough Insights at the Intersection of Ideas, Concepts, and Cultures”. It describes innovation that happens when people and ideas from different disciplines and worldviews intersect.
In the present day, we see examples of the Medici Effect in places like Silicon Valley and Tel Aviv. We refer to these places and their characteristics as “ecosystems”. We know that being around the smartest and the most ambitious people energizes those around them and creates opportunities for learning and collaboration. The times have changed, but what is needed for a place to become an ecosystem is not much different from hundreds of years ago.
I would like to focus on a specific type of ecosystem, namely startup ecosystems. Wikipedia says that “A startup ecosystem is formed by people, startups in their various stages and various types of organizations in a location (physical or virtual), interacting as a system to create and scale new startup companies.” It further explains that “These organizations can be further divided into categories such as universities, funding organizations, support organizations (like incubators, accelerators, co-working spaces, etc.), research organizations, service provider organizations (like legal, financial services, etc.) and large corporations.”
I see various components of startup ecosystems as ingredients needed for early-stage companies to succeed. The more of these ingredients are present, the easier it will be to validate new ideas, form companies, and grow them into large businesses.
There are different ways to describe the key components of startup ecosystems. I believe that the following four are most important: talent, funding & support, government policy, and culture of entrepreneurship.
Talent can come from different places - educational and research institutions, military and the government, or the private sector. Which of these sources is the most critical will depend on the industry, type of innovation, etc. For example, the presence of research institutions and large pharmaceutical companies is important for the formation and growth of biotech startups. Military and the government along with research institutions, on the other hand, can provide a strong talent pipeline for space technology. Talent is the most important of all ingredients because:
There needs to be a talent pipeline capable of producing high-quality founders
There needs to be a pool of people early-stage companies can hire as they are looking to grow and scale
There needs to be a network of people who can act as mentors and advisors to early-stage founders
When talking about funding and support, I am referring to the ability to find capital for validating high-risk ideas and testing business models, and later scaling companies. Emphasis on “high-risk” is key here: although there are many countries and institutions that sit on enormous amounts of money, relatively few are willing to make bets on highly uncertain ideas. Examples of suppliers of high-risk capital include angel investors and venture capital firms (VCs).
The position of the government and the actions it takes to incentivize or de-incentivize business creation and risk-taking is another critical part of an ecosystem. Two parameters in particular define the probability of ecosystem formation: rules and regulations and taxation. In some countries, a person looking to start a company needs to spend thousands of dollars and waste months of time just to collect the necessary paperwork and go through the bureaucratic hell of establishing a new business entity. In others, this can be done in a few hours by submitting a form online and paying some $50 for same-day processing. There are laws that prohibit certain activities needed to validate early-stage ideas, establish unnecessarily high minimum capital requirements for low-risk lines of business, make it hard to manage the workforce, and so on. Another critical factor is taxation: there are jurisdictions where issuing stock to employees is not possible without creating tax complications, and where founders could be forced to pay taxes on the paper value of their startups, even if they haven’t made a single dime in personal income.
Last but not least, there is a culture of entrepreneurship. Without the culture of risk-taking, the culture that gives people full agency over their actions and makes them understand that nothing is impossible, the culture that puts people’s skills and abilities over their background and socioeconomic status, a successful tech ecosystem is not possible. This factor is frequently forgotten by people who think that simply bringing a few other components such as funding and mentorship in one place can create a well-functioning ecosystem. A case in point is many attempts to build a “Silicon Valley of X” without considering the culture - Silicon Valley North in Canadian Vancouver and Toronto, Silicon Valley of the metaverse in North Carolina, Silicon Valley of the South in Chattanooga, another Silicon Valley of the South in Miami, Silicon Valley of the East in Penang, one more Silicon Valley of the East in Taiwan, Silicon Valley of the former Soviet Union in Armenia, Silicon Valley of the Eastern Bloc in Bulgaria, Silicon Valley of South America in Uruguay, and many others.
Geography plays an important role in ecosystem formation as the more concentrated the area, the stronger the ecosystem, and vice versa. The significance of this factor will become apparent when we look at cybersecurity startup ecosystems.
A brief look at cybersecurity startup ecosystems
Let me start by prefacing this by saying that I am only looking at security markets aligned with the Western democracies. Countries such as China and Russia have their own ecosystems but they are out of scope for this specific discussion.
Several places around the globe developed different elements necessary for the formation of security ecosystems, but only a few have mastered all of them. In my view, the top five cyber-focused ecosystems are:
Silicon Valley, US
Tel Aviv, Israel
New York, US
Washington DC, US
London, UK
Silicon Valley, US
San Francisco and the Bay Area in the US is without any doubt, a tech and startup capital of the world.
The region's cybersecurity talent pipeline which comes from many successful venture-backed tech companies is very strong. Product companies have no choice but to build strong security defenses, a reality that gave rise to the whole generation of security practitioners with an engineering mindset. Additionally, the region has the highest in the world concentration of technology business leaders (people who have built and helped scale billion-dollar companies many times in their careers), as well as brilliant engineers who have built products for infinite scale.
The region continues to be number one in terms of both the amount of venture capital and angel funding in the world. Moreover, decades of successful exits have created a tight ecosystem of mentors, advisors, angel investors, and others with the desire to give back and help the next generation of technology entrepreneurs. It is this web of favors, introductions, and paying it forward that makes Silicon Valley so unique.
The US government is known for creating conditions for entrepreneurs to realize their potential, so San Francisco, the Bay Area, and the country more broadly are perfect for ambitious entrepreneurs. Entrepreneurship is highly celebrated, and failure is seen as a stepping-stone to growth. Investors are happy to support serial founders whose earlier ventures failed, knowing that the lessons they’ve learned before will increase their chances for success if and when they decide to try again.
San Francisco and the Bay Area embody the culture of risk-taking and entrepreneurship. Investors are willing to take bets on ambitious founders, employees are happy to join early-stage startups knowing that their future is both risky and uncertain, and senior, generously compensated employees of large tech companies are frequently leaving their stable jobs to start their own ventures.
One critical downside of San Francisco and the Bay Area in the context of cybersecurity is the fact that companies located here tend to have enough resources to allocate to security and be much more mature when it comes to their security posture compared to the rest of the market. Founders that come from cloud-native, venture-backed Bay Area enterprises often end up building solutions that attempt to further strengthen defenses of the top 1-5% of the market, instead of catering to the rest of the customers who are usually less mature. That said, while this may limit the total addressable market for some entrepreneurs, many are able to foresee and escape this limitation by building for the broader market.
I know that there is the sentiment in the industry that San Francisco and the Bay Area are “dying”, and that in 2024, more people are leaving the region than moving in. It is true that because of homelessness, the rise of crime, and the largely dysfunctional local government, the quality of life in San Francisco has greatly declined. It is also true that many people, especially knowledge workers such as software engineers, have been moving to places such as Austin and Miami. However, when we look closer, it becomes apparent that those leaving are not founders or VCs; frequently, they are engineers and other knowledge workers who realize they can get a better quality of life in places like Austin, Miami, or Denver while working remotely for the same types of employers. For entrepreneurs, California continues to offer a great ecosystem to build successful companies (even if at times it does mean accepting lower standards of living).
Examples of successful cybersecurity companies based in Silicon Valley include Palo Alto Networks, Zscaler, and Cloudflare.
Tel Aviv, Israel
Israel has the most startups per capita of any country which earned it the title “startup nation”. A large percentage of Israeli startups are focused on cybersecurity. Following the success of Check Point back in the 1990s, local technologists and entrepreneurs turned Israel, and specifically Tel Aviv into the center of the innovation lab for the global security market. As of 2021, there were over 450 cybersecurity companies in Israel; this number has most definitely gone up over the past three years.
Many factors have contributed to the rise of Israel:
The country’s military is the biggest contributor to Israel’s cybersecurity talent pipeline. It is not a secret that the Israeli Defense Forces (IDF) and its Units 8200 and Matzov, to name some, are known for incredible offensive and defensive capabilities. This wasn’t really by choice - since its inception, the country had to fight for survival and defend its way of living against adversaries from several directions. After decades of investments and hard work, the IDF became what it is known as today - one of the most advanced cybersecurity military forces. The focus on entrepreneurship and the idea that military service is something temporary are some of the core factors that distinguish the elite Unit 8200 from the elite US agencies such as the National Security Agency (NSA). The top US cybersecurity practitioners who join the NSA tend to stay there for decades; if they leave, it is typically to retire into cybersecurity consulting, and sometimes - to become CISOs at large organizations. The IDF alumni, unlike their US counterparts, usually leave in their late 20s or early 30s to join their friends in a successful startup or build a path-defining company on their own.
Israel is home to a large number of top-tier cyber-focused and generalist venture capital firms. Not only does the country draw more venture capital per capita than the US, but also Tel Aviv is the 2nd highest-valued startup ecosystem in EMEA and 5th in Asia & Oceania. As this 2023 DealRoom report puts it, “If Tel Aviv was an Innovation hub in the Americas, it would rank #7”, just below the Bay Area, Seattle, New York City, Boston, Los Angeles, and Austin, and ahead of San Diego, Toronto-Waterloo, Chicago, and Washington DC. Unlike American investors, most of which focus on providing capital, getting a check from one of the top Israeli VCs, such as Cyberstarts, YL Ventures, Team8, Glilot Partners, and Jerusalem Venture Partners, to name a few, comes with a lot of practical help. From go-to-market and product to operations and fundraising, top-tier Israeli VCs provide a lot of hands-on support to help their portfolio companies grow.
For decades, the Israeli government has been a strong advocate for promoting innovation and entrepreneurship. Initiatives such as Yozma, launched in the 1990s, provided startups with early-stage funding, incentivized foreign investment, and stimulated the emergence of a powerful venture capital ecosystem in the country. The country’s taxation and legal systems, supplemented by Israel’s Chief Scientist’s Office offer grants and funding initiatives for research and development projects, further establishing Israel as the place to start a company.
I would argue that the most important factor that enabled Israel to build a perfect ecosystem for cybersecurity startup founders is its culture. As I previously discussed, “Israeli entrepreneurs are strongly driven to make big things happen; there is this insatiable hunger in their eyes, in their energy, in their strong bias for action. They work long hours doing what needs to be done and are not willing to take “no” for an answer. It’s quite rare to see this drive when talking to cybersecurity founders in the US: most have had rewarding and well-paying careers before starting their companies, and the level of hustle one needs to succeed in the US is often (although not always) lower compared to what’s required in Israel. This bias for action, the determination to succeed, and what Israelis call chutzpah, which is best translated as fearlessness and audacity, are in my view the most critical ingredients driving the country’s success in the cybersecurity space. Although these qualities are by no means exclusive to entrepreneurs from Israel, and there are plenty of startup founders in nearly every country who are equally driven, I do believe that as a percentage of the total, Israelis are much more likely to live these values. For instance, the percentage of tech employees in Tel Aviv who are planning to start their own company is much higher than in any other part of the world (probably second only to San Francisco and the Bay Area).”
Examples of successful Israeli cybersecurity companies include Wiz, Check Point, and CyberArk.
One critical downside of Israel is that it is located in another part of the world, and its market is so small that Israeli startups have no choice but to sell to US customers from day one. Savvy Israelis found a playbook on how to do this successfully and how to turn this gap into a competitive advantage by building products in Tel Aviv and selling them in the US.
For anyone interested in understanding the factors that played a critical role in turning Israel into one of the global leaders in cybersecurity, what the future looks like, and what can make the country fail, check a Venture in Security deep dive titled: “Why Israel may become the winner in the global cybersecurity market, and what can make it fail”.
New York, US
New York City is the financial capital of the world, and as such it is where many major global corporations have their headquarters, including over 10% of the Fortune 1000 enterprises. New York features a vibrant cybersecurity startup ecosystem.
According to CBRE, there are almost twice as many security practitioners in New York as there are in the Bay Area. This makes sense given the population of NYC and the number of large corporations headquartered in the region. The area’s cybersecurity talent pool has a lot of experience at large enterprises, financial institutions, and Fortune 1000 companies. A solid chunk of people are focused on regulatory compliance. Additionally, Israeli founders often move to New York right after raising Series A, when they are ready to scale across the US market.
New York has a major presence of the world’s largest VCs and the amount of capital deployed in the region is second only to Silicon Valley. In addition to generalist investors, New York is home to cyber-focused VC firms such as Lytical Partners, and cyber-focused partners at generalist VCs such as Jahanvi Sardana at Index Ventures, Zane Lackey at Andreessen Horowitz, and Shirley Lu at Alpha Square Group.
As the financial capital of the world, New York is certainly friendly to security entrepreneurs and startup founders more broadly.
Being the financial center, I observed that New York is a bit more risk-averse than Silicon Valley when it comes to capital allocation. That said, the culture of entrepreneurship and risk-taking is as strong as it can be. For many generations, people would move to New York driven by the hope of making it big, and this mindset, combined with an abundance of opportunities to innovate, and a large number of potential customers who are struggling with unsolved security problems, continues to attract ambitious security startup founders.
There are two challenges of the New York security ecosystem which both stem from the same origins. First, because a large percentage of security practitioners are employed by established enterprises, the problems they are exposed to have a limited total addressable market. Second, large enterprises are not usually early adopters. This means it is not enough for security practitioners to know what the problems of Fortune 1000 are; they need to be able to find early adopters in the mid-market segment first, and only then can they try to sell to where their networks are. In practice, this is easier said than done: problems of mid-market enterprises are entirely different, and therefore they are not eager to buy solutions tailored to the top of the market.
Examples of successful cybersecurity companies based in New York include Security Scorecard, Flashpoint, and Deep Instinct.
Washington DC, US
Washington DC is the capital of the United States and home to one of the most fascinating cybersecurity ecosystems on the planet.
If cybersecurity was a country, the Washington DC metro area would without a doubt be its capital. The region is home to the highest concentration of cybersecurity talent per capita which adds up to the 5% global share of all security practitioners. The region is home to the US government, a large number of government contractors, the United States Cyber Command, the National Security Agency, and other special agencies, think tanks, public, not-for-profit, and private sector organizations with a focus on national security and defense. All these factors combined make the Washington DC metro area the world’s most cyber-focused region.
Historically, Washington DC was home to many successful government contractors and service providers. What was lacking was the expertise of taking ideas and turning them into massive-scale product companies. In the past several decades, thanks to the relentless work of cyber-focused accelerators, incubators, and investment organizations such as MACH37, DataTribe, AllegisCyber, Blu Venture Investors, and many others this has changed. Today, the Washington DC metro area has a rapidly developing technology and product ecosystems. Although the amount of venture funding in the region has been growing fast, it is still substantially lower than the capital that gets allocated in Silicon Valley or New York.
Similar to other parts of the US, Washington DC has founder-friendly regulation and taxation systems.
While the Washington DC metro area is home to the largest number of security practitioners globally, the region has struggled to evolve into a hotbed of cybersecurity startups. That is not to say that no successful companies are coming out of the area. Quite the opposite - startups like Huntress, Dragos, and Netography show that it can be done. The challenge is that most entrepreneurs in the region lack the experience building products and as a result, tend to default to starting service providers and growing as government contractors. Moreover, unlike in Israel, those joining special agencies and the government intend to stay there for many years, and not accumulate knowledge they need to build their own business and leave. This makes sense for many reasons, one of which is that unlike in Israel, there is no mandatory military service in the US, and so the military and the special agencies are competing with the private sector, including startups, for talent.
Although the future of the Washington DC metro area is shaping up to look great, as of today, the lack of a culture of building product companies and limited funding options impede the region’s ability to compete with startup hubs such as San Francisco and Tel Aviv.
Source: D.C.’s Cybersecurity Talent Pool Is Largest in the World — By a Long Shot
London, UK
Based on my observations, London, UK is the best place in Europe to build a cybersecurity company (assuming the goal is to build a global player with a strong presence in the US). There are several reasons why this is the case:
Compared to other European countries, the UK is the most supportive of people willing to take risks. Germany and France have solid security talent and access to capital, but neither of them is a safe place for entrepreneurs to fail. This has been slowly evolving but as of today, being an entrepreneur in these countries is not easy. The UK, on the other hand, is much more supportive of risk-taking.
Unlike other European countries, people in the UK have no language barrier when selling to the US market. Moreover, similar language also smoothes out the cultural barriers and differences in the worldview, making it easier for founders from the UK to build relationships with US customers.
Overall, the UK cybersecurity startup ecosystem is quite strong even if not all the ecosystem factors are in their ideal state.
The country has several universities that offer degree programs in cybersecurity. More importantly, London is home to a large number of banks and European fintech leaders such as Revolut, Monzo, and TransferWise which had to go past compliance checkboxes and focus on building robust security programs to protect their assets and infrastructure. This has created a solid pipeline of security talent with experience in product companies. That said, the pool of talent in the UK is substantially smaller than in the US and Israel, and the country’s withdrawal from the European Union in 2020 hasn’t exactly made it easier to hire security practitioners from neighboring countries.
The region has a sufficient amount of capital allocated to cybersecurity. From angel groups and syndicates such as Cyber Club London and CyLon Ventures to a solid number of VCs and corporate VCs such as Notion Capital and Nauta Capital, to name some, London has a strong network of local investors needed to enable companies to grow. US-based funds such as Ten Eleven Ventures also have a presence in the UK. Still, the country is not a match to the US or Israel when it comes to the funding ecosystem. This is especially the case at the earliest stages (pre-seed and seed) as few funds are willing to take a chance on unproven ideas, much fewer than in San Francisco or Tel Aviv.
The UK government has been trying to create the right conditions for tech companies to thrive. The World Bank Group ranks the UK as number eight globally based on the ease of doing business (the US is at number six). It is in a much better state than most other European countries, which is another reason why security founders find it easier to start a company in the UK compared to doing it in, say, Italy or Germany.
As a country with a strong background in financing, the UK has strict bankruptcy laws and a long tradition of being quite judgmental of failure. This fear of failure does impede people’s ability to take risks. Surveys show that a large percentage of people are afraid to fail. Case in point is the report from 2022 which found that “While 61% of Britons said there were good opportunities in their area to start a business, 52% of these people cited fear of failure as a reason for not doing so. That was seventh highest of all the countries surveyed”.
Fear of failure, scarce talent, and funding challenges aren’t the only factors that make it harder to build a company in the UK compared to the US. The main reason is the fact that UK startups, in order to grow past a certain size, must cater to the US market, and that isn’t as easy as they often hope.
For those interested in better understanding the European cybersecurity startup ecosystem, I recommend reading a Venture in Security deep dive titled “Getting Europe to become an active player in the global cybersecurity market: challenges, opportunities, and the way forward”.
Examples of successful cybersecurity companies based in the UK include Mimecast, Sophos, and Darktrace.
Cybersecurity startup ecosystems in the remote-first world
I have met a number of people who argue that in 2024, it doesn’t matter where the team or the company is located because today's world has embraced a remote-first mindset. There are good reasons why people come to this conclusion:
Since many buyers now work from home, it is less important for startups to be located near their offices.
Since most employees are looking for fully remote or flexible arrangements, a company no longer needs to be in the Bay Area or New York to get access to a large pool of the best talent.
Since investors are now taking meetings and building relationships via Zoom, founders no longer need to go to their offices. Moreover, most investors have now accepted that talent can be located anywhere in the world, and therefore are open and willing to write checks to people outside of the top-tier US cities.
I think that all these changes have truly democratized entrepreneurship and made it possible for people regardless of their location or network to access customers, talent, and funding globally. Today, one no longer needs to be located in the Bay Area or in New York to raise capital, hire the best, or sign deals with customers.
While all this is true, to think that in 2024 startup ecosystems no longer matter, is, in my view, a big mistake. Although the world has irreversibly changed, what hasn’t changed is how we, humans, function. In particular,
Investors write checks to those they trust and those they like. This isn’t going to change anytime soon. This may matter less to people with strong investor networks or serial founders, but everything else equal, first-time early-stage founders will find it much easier to access capital if they can grab a coffee with VCs in the Bay Area or Tel Aviv, compared to doing Zoom calls. The fact that anyone can now pitch to a VC based in San Francisco means that competition for funding is going to go up, and with that, entrepreneurs who can build authentic relationships in person will have an edge.
Security leaders buy from founders they trust. More broadly, people do business with those they trust, and that isn’t going to change just because we work remotely. In a world where it's nearly impossible to get anyone’s attention online, being able to sit next to a CISO, introduce yourself, and have a casual conversation about something two people are passionate about is invaluable. Given the rising number of cybersecurity companies, and the push for go-to-market strategies that respect buyers and users, in-person interactions and account-based marketing will only rise in importance.
We are much more creative when we collaborate with others in person, in front of a whiteboard. Moving digital sticky notes doesn’t evoke the same response as when we are in the same room. This will continue to be true for years to come.
All these factors lead me to conclude that the importance of ecosystems is increasing; not despite our ability to be fully remote, but because of it. Founders looking to build path-defining security startups will find it easier to get started if they are located in one of the cybersecurity and startup hubs, such as the Bay Area or Tel Aviv. One way around this is having a strong network in these hubs while choosing to live in a place with a lower cost of living. For example, a founder who has many years of experience working and strong networks in San Francisco or Tel Aviv can most certainly run a successful company out of, say, Boston, Miami, or Austin. However, those just starting with no such networks may find it much harder (although certainly not impossible) to succeed.
For those thinking about whether moving to a large tech hub makes sense in today’s work, I highly recommend reading the following few pieces:
Closing words: deciding where to build a security company in 2024
In today’s world, I think it’s no longer smart to stick to a single belief and insist on it being a grand truth. It is better to think from first principles, stay flexible, and be willing to make the best decisions given the circumstances at hand. Knowing that being remote introduces overhead, it may be smarter to commit to working in person for the first several months of company formation. This would make it easier for founders to build strong relationships (especially if they haven’t worked together before), move faster, and solve problems more effectively. Being based in cybersecurity startup hubs such as Bay Area or Tel Aviv can make it much easier to build relationships with investors, build a circle of angels and advisors, find early adopter customers, and get a new idea off the ground. Once the company has solved initial hurdles, it can either become fully remote to access the best talent globally (assuming the same continent and no time zone differences) or embrace a collocated approach despite the fact that it can dramatically limit its talent pool. Depending on the types of customers the company is targeting, it may make sense for it to have a physical presence in the Bay Area (cloud-native enterprises and tech startups), New York or Boston (Fortune 1000 and more traditional enterprises), or Washington, DC (the US government).
There is a common saying that talent is equally distributed, but opportunity is not. Although the remote-first world has certainly democratized both access to security talent and entrepreneurship, I think it continues to be true today. While one no longer has to be in the Bay Area, New York, or Tel Aviv to build a successful security company, it certainly helps to be where the people and the resources are. Surely, one can easily hop on a Zoom, Google Meet, or Teams call, send a contract or a term sheet for e-signing, and close an important deal remotely. And yet, it helps to be able to have a coffee with an investor over the weekend, or shake hands with the new customer and celebrate their onboarding. Ecosystems matter, and they will continue to matter. Over time, casual interactions compound. New connections compound. New ideas compound. Furthermore, we learn from our surroundings, we shape our plans and dreams by observing what those around us are working on.
This is why it is so important to be where the action is. And, this is why I believe that Silicon Valley and Tel Aviv are still the best places to start a security company.
Thanks Ross. Do you have a list of the other locations in North America that was part of your analysis that shows the concentration of cybersecurity startup's ?