Top cybersecurity companies are putting down roots in Boston. But what is fueling the move?

Established companies and startups hoping to break into the increasingly lucrative cybersecurity market are making their way over to Boston — and a river of investment is prompting the move.

That’s according to Caleb Barlow, Vice President of IBM Security, one of many companies now firmly established in Massachusetts’ largest city.

With a population of over 600,000, Boston has become one of the major cybersecurity hubs in the United States, alongside San Francisco and Israel’s Tel Aviv, Barlow says.

According to research agency Cybersecurity Ventures, 35 Boston-based cybersecurity firms made the Top 500 list of the most innovative security firms worldwide in 2016.

Companies on the list included Rapid7, Apportion and Threat Stack, as well as established names in the industry such as IBM Security, Arbor Networks and Veracode, which continue to thrive in the area.

Cybersecurity Ventures says that Massachusetts is the third-largest host of top cybersecurity companies across the United States, behind California’s 150 firms and Virginia, which caters for 41 companies.

Xconomy researchers claim that over 60 cybersecurity firms can be found within an hour drive of downtown Boston — and these companies, whether they are private, launched an IPO or have been acquired, have secured over $3.6 billion in investment.

According to Barlow, it is this access to high levels of venture capital which could ensure Boston, one day, will become the “cybersecurity capital” of the world, especially as many security startups are heading to the city for access to investor funds.

What also drives such investment, however, is the city’s educational opportunities and talent.

“Boston is home to some top-notch universities that are driving technology entrepreneurship and innovation, making recent grads very desirable to these startups,” Barlow says.

Sam Curry, Boston-based Arbor Networks’ Chief Security Officer and Chief Technology Officer, agrees. The executive says the “outstanding” colleges and universities Boston offers — such as Boston University, the Massachusetts Institute of Technology (MIT) and Northeastern University — coupled with a strong market in technology, has resulted in strong talent retention.

This, in turn, brings new startups and venture capital to the area.

The financial reward for training in cybersecurity is another element likely to attract and retain a talent pool for Boston firms. According to Salary Genius, the average pay for a cybersecurity professional is $121,001 per year in the city, with a rough starting salary of $99,648.

When it comes to the top jobs, cybersecurity staff can walk away with up to $170,825 per annum.

“[Boston’s] history as a hub for technology innovation has led to a vibrant start-up and VC [venture capital] community,” Curry noted. “There is a virtuous cycle that happens when successful companies spawn new ideas and opportunities.”

With strong growth levels, the startup scene gaining momentum and heavy levels of investment, competition for customers is also on the rise. As a result, some companies which enjoy growth as independent startups in Boston can be acquired or merged into the solutions provided by larger enterprises — consolidation that IBM’s Barlow says “is already happening.”

IBM has acquired a total of 20 cybersecurity-related firms and has a history of snapping up companies in the Boston area. Big Blue purchased Resilient Systems, a Cambridge, MA-based company in April this year, joining Q1 Labs in 2011 and Trusteer in 2013, both of which are from the same region.

“Nowadays, the unfortunate reality is that your average chief information security officer has 85 products from 40 different vendors — making security a very complicated task,” Barlow noted.

“Consolidation is natural to expect in this market, and we're already starting to see that. I often say, buying a security solution is kind of like buying a car seat for you first child. No one is interested in the second best.”

Boston, like any other city, still has its challenges. According to Barlow, despite IBM being able to hire 1,000 cybersecurity staff last year, there will still be roughly 1.5 million vacancies across the industry by 2020 — and this “competition for top security talent” impacts every city.

According to the executive, Boston universities are simply “not producing” the levels of cybersecurity staff the growing industry needs.

Barlow said:

“It takes universities years to develop new programs and attract students to participate and unfortunately, just like the skills shortage, we’re also struggling to find enough skilled professors to teach the upcoming students interested in cybersecurity.

This is a major growth opportunity for Boston to emerge as a leader for training security professionals.”

Arbor’s CSO agrees, deeming the issue a “crisis globally” which needs to be addressed both at a local and industry level.

Curry calls the problem the “number one issue” which is holding the industry back, but says that handled properly, this area of investment could boost growth and “give Boston an edge over other tech-centric regions.”

The city does have the potential to capitalise on the talent shortage considering Boston’s educational establishments, strong investment and job growth — as well as reliable travel links to Europe and beyond. As startups are snapped up, enterprise players establish firm roots in Boston and investment continues to pour in, demand is only going to increase.

According to Sam King, Chief Strategy Officer at Boston-based Veracode, cybersecurity spending in Boston “continues to be strong,” and while economic factors could change this at a moment’s notice, the region “has all the building blocks” to remain a dominant player in the cybersecurity game.

“Security folks are part of a tight community and the close-knit nature of Boston helps breed collaboration and innovation,” King says.

“I think Boston will continue to be home to both established and emerging cybersecurity players. I think we’ll see increased interest and involvement from the academic institutions to fill the gap for cybersecurity talent.

And I think we have room for even better collaboration across the venture capital community, cybersecurity community and academic communities, to address the technical and social issues around security and privacy in the digital world.”