HERNDON — In late October, John Czupak joined the board of directors of ThreatQuotient, a fledgling Northern Virginia cybersecurity company that had received $1.5 million in seed financing less than six months earlier from a group of investors that included the Center for Innovative Technology and the Virginia Tech Investor Network.
In early December, with Czupak as its new CEO, the still-tiny company raised an additional $10.2 million in funding from investors led by New Enterprise Associates and including the CIT, a state-backed nonprofit that helps finance startup technology companies.
Less than six months later, ThreatQuotient has hired 50 people at its Reston headquarters and walked away with the prize for cybersecurity “startup company of the year” at a power-packed industry conference in San Francisco.
“We’ve got a real business that is pursuing a real opportunity that would not have happened without CIT and the Virginia Tech Investor Network,” said Czupak, 53, a 25-year veteran of the cybersecurity industry in the Washington area.
Gov. Terry McAuliffe also is trying to seize an economic opportunity by making new investments in cybersecurity in the pending two-year state budget and refocusing the 31-year-old CIT on its mission of nurturing new technologies into the industries of the future in Virginia.
It is an industry driven by urgent concerns over the vulnerability of interconnected information networks to criminal behavior and crippling attacks by “bad actors” that range from common hackers to foreign governments.
“I talk about cyber every single day,” the governor said at an information security conference in Richmond last week. “It is the one area that the federal government will spend billions and billions of dollars in.”
The budget includes $17.4 million to improve the state’s own cybersecurity, primarily for a new shared services center for agencies that aren’t big enough to require their own cybersecurity staffs; money to hire additional cybercrime investigators for the Virginia State Police and cyberanalysts at the department’s fusion center; and almost $5 million to expand cybersecurity training in higher education, one-third of what McAuliffe had asked.
The MACH37 Cyber Accelerator, launched almost three years ago at CIT, would receive an additional $500,000 in operating funds for an intensive 14-week program that currently is training six startup companies on how to turn their technological ideas into commercial realities. The new class brings the total to 35 companies since the program began.
ThreatQuotient was not one of them; it was helped with financing through the CIT’s Growth Accelerator Program, or GAP, for early-stage companies. It emerged as one of the stars of the annual RSA Conference that drew hundreds of cybersecurity experts to San Francisco. The company won awards for innovation and cybersecurity startup of the year.
“That is a huge win for us to go into Silicon Valley and have a Virginia company recognized as the startup of the year,” said Secretary of Technology Karen R. Jackson, who accompanied the governor and CIT leaders on the trip.
Jackson, co-chair of the governor’s Cyber Security Commission, spent 19 years of her career at CIT, created in 1985 as the brainchild of then-Gov. Charles S. Robb to turn new technologies into businesses that create jobs and enrich the public treasury, especially in the Northern Virginia region that long served as the state’s economic engine.
The engine runs more quietly now after the worst recession since the 1930s and an ongoing congressional budget battle that produced sequestration almost four years ago, forcing deep cuts in federal spending that hit hard in regions that depend on the military and defense contractors.
But Northern Virginia remains part of a hotbed of cybersecurity in large part because of the Pentagon in Arlington County and what Jackson calls “three-letter agencies,” such as the CIA, FBI and, in Maryland, the NSA, or National Security Agency.
Richard Stiennon, a cyber industry analyst who founded IT-Harvest, last month ranked the Washington region second only to California in the number of cybersecurity vendors in the United States, which has 60 percent of the cyber companies in the world.
Maryland has moved aggressively to develop the cybersecurity industry, using government support and academic research, said Czupak, a native of Upper Marlboro, Md., who has lived in Leesburg for 17 years while working for cyber companies in Northern Virginia.
“I think Virginia has just as great an opportunity,” he said.
Czupak was a senior executive for 12 years at Sourcefire, a cybersecurity company based in Columbia, Md., that had its second-largest office at Tysons Corner in Fairfax County. A startup company that grew to employ more than 700 people, Sourcefire was purchased for $2.7 billion in 2013 by Cisco, based in the Silicon Valley.
He said McAuliffe is right to bemoan the thousands of vacancies for high-paying jobs in cybersecurity, which has grown faster than the ability to train people to fill them.
“It’s an absolute fact for our industry that the demand for talent, especially technical talent, and the supply, there’s just a disconnect,” he said. “There is a legitimate opportunity for job creation within this region.”
But Jackson believes the opportunities for high-paying jobs in cybersecurity extend far beyond Northern Virginia. “There are also cyber jobs in Richmond, cyber jobs in Hampton Roads, cyber jobs in Roanoke,” she said.
“There isn’t any company anywhere that isn’t going to have to pay attention to cyber.”
The two-year budget adopted by the General Assembly and awaiting McAuliffe’s proposed amendments today presents CIT with both great opportunities and challenges.
The opportunities include $800,000 that is part of the “caboose” budget for the current fiscal year to fill a shortfall in operating revenues that Ed Albrigo identified soon after becoming the center’s president and CEO in November, and $750,000 to develop an “information sharing and analysis organization” for public agencies and private companies.
The budget also transfers to CIT the full responsibility for $5.6 million it already has been administering for the Commonwealth Research Commercialization Fund, which provides grants to companies and researchers to turn technological research into marketable products.
The biggest opportunity may be its role in vetting collaborative higher education research projects for grants and loans from the Virginia Research Investment Fund, proposed in separate legislation awaiting the governor’s signature but connected to $22 million in the budget as well as $29 million for laboratories and other capital needs as part of a bond package that also is pending his approval.
The purposes of the new fund mirror those of the Innovation and Entrepreneurship Investment Authority created in 1984 to oversee the CIT, notably to “foster innovative and collaborative research, development and commercialization efforts in the commonwealth in projects and programs with a high potential for economic development and job creation opportunities.” The presidents of three major research institutions — the University of Virginia, Virginia Tech and Virginia Commonwealth University — sit on the CIT board of directors.
The budget’s challenges for CIT include much more detailed state reporting requirements for its operations, including the award of bonuses or incentive pay, such as the $883,000 paid out to employees in September, two months before Albrigo arrived and determined that revenues were likely to fall short by a similar amount in the fiscal year that will end June 30.
“I’ve told CIT they need to tighten things up,” McAuliffe said in an interview last week.
Albrigo said the payouts were unrelated to the projected shortfall, but he made clear that he understands the public mission of the center and almost 40 employees with more than $11 million in annual funding from the state.
“At the end of the day, I view it as we’re an asset of the commonwealth,” he said. “How do we leverage the commonwealth’s funding with private funding to benefit the commonwealth? To me, that means economic potential.”
The budget also would open the way to sell the CIT complex, including a signature tower that has been both lauded as a distinctive architectural landmark and likened to an upside-down wedding cake. The proceeds from a sale would go into the new higher education research investment fund.
The property lies next to what will be the Innovation Center stop on the Metro transit system when it is extended to Washington Dulles International Airport, so state officials consider it too valuable for a complex that is 85 percent rented out to other entities.
“That shouldn’t be our focus,” said Sen. Frank M. Ruff Jr., R-Mecklenburg, a member of the Senate Finance Committee, which has pushed to sell the property. “Our focus should be getting money into research.”
The governor has not commented on the budget proposal to make the property surplus for eventual sale, but Jackson said: “The value of any organization shouldn’t be in the building. It’s what goes on inside the building.”
ThreatQuotient popped up as an investment opportunity when Jennifer O’Daniel was looking for Virginia startup companies on a list seeking “angel” investors.
O’Daniel is director of investments at CIT and co-founder of the Virginia Tech Investors Network, supported by CIT and consisting of her and about 75 other Tech alumni looking for ways to help their own. So far, the network has invested in five companies.
“We’re interested in Hokie-led startups,” she said.
ThreatQuotient was founded in 2013 by Wayne Chiang, a Tech graduate and the company’s chief architect, and Ryan Trost, its chief technology officer. Both had worked in the security operations center at General Dynamics Corp., a Falls Church-based aerospace and defense company that has become the principal private sponsor of the MACH37 Cyber Accelerator at CIT.
The company’s signature product is a “threat intelligence platform” that aggregates and analyzes an enormous amount of data about potential cyberthreats to a company’s information network, and quickly arms the system against those threats. “What we do is operationalize the intelligence,” Czupak said.
O’Daniel turned to the CIT’s GAP funds to provide $100,000 of what became $1.5 million in seed financing for the company a year ago. The other investors included the Virginia Tech Investors Network and Blu Venture Investors. One of the Virginia Tech investors who worked with Czupak at Sourcefire contacted him about joining the company.
Czupak, in turn, used his contacts in the cyber investment community to arrange the next level of financing led by NEA, a multibillion-dollar venture capital firm. CIT made another small investment in the company as part of the $10.2 million financing, which has enabled the company to grow quickly.
“Our entire goal is to invest in companies and attract other capital to those companies,” O’Daniel said.
CIT officials estimate the GAP funds leverage every dollar invested by 18.5 times, using $17.9 million in equity investments to attract $331 million in private investment in companies with a total value of $798 million. They estimate those companies will create up to 9,000 jobs in Virginia over the next five years. The budget allocates $3.1 million a year to the program and requires a return on investment of no less than 11 to 1.
Most of the CIT’s investments and grants have been in companies or researchers outside Northern Virginia, but the cybersecurity industry is still rooted in the region. So while the state-sponsored enterprise could move, its MACH37 Cyber Accelerator wants to remain in the area — “because all of the customers are here,” said Rick Gordon, managing partner of the accelerator he founded with CIT in 2013.
Since its founding, MACH37 has invested more than $1.4 million in 29 companies, not including the current class of six, whose participants came from Turkey, Seattle and Boston, as well as Northern Virginia and Charlottesville. Each company receives a $50,000 startup grant. The only stipulation is they must have a significant presence in the state.
“We ask the question: Are you willing to move to Virginia?” Albrigo said.
State lawmakers put additional money in MACH37 in the pending budget, but they want more detailed reporting on the benefits to the state from an enterprise they expect to sustain itself financially by next year.
“We want to keep it going, but we also wanted to see some results,” Ruff said.
The critical role of cybersecurity is something upon which Republican legislators and McAuliffe agree. “There’s no way you can get any higher on the radar screen,” said Del. John M. O’Bannon III, R-Henrico, chairman of the House Appropriations subcommittee on economic development.
As a physician in one of Virginia’s largest health systems, O’Bannon understands the threat to confidential patient and financial information from outside intrusions and attacks. “We need our smart guys to be better than their smart guys,” he said.
Legislators also see the economic potential in cybersecurity as a business. “We don’t know,” Ruff said, “but we think it’s going to be pretty big.”