Ontario has all the pieces to become a cybersecurity hub — but will it be able to put them together?
Cybersecurity is a growing concern for governments, businesses, and internet users around the world. Last week, notably, the WannaCry ransomware attack — which encrypted files on target devices and forced users to pay $300 or more to have them restored— hit an estimated 300,000 computers in 150 countries, infecting major systems such as the U.K.’s National Health Service and Germany’s Deutsche Bahn railway. Some experts believe this will be just the first in a series of similar attacks.
Yet cybersecurity also presents a business opportunity — particularly for Ontario. That’s according to a 2016 Deloitte report commissioned by the Ontario Centres of Excellence and the Toronto Financial Services Alliance.
“Because of the size of the financial community in Ontario and the government in Ottawa, we have a great opportunity to create a whole infrastructure of startup companies and early-stage companies that have got cybersecurity expertise that can meet their needs,” says Tom Corr, president and chief executive of the OCE.
Take SecureKey Technologies for example. The Toronto-based company started out as a payments service for consumers but soon found a different problem that needed solving: people have too many online passwords and can’t remember those they use only once or twice a year. That’s costly for businesses and other organizations; for example, until 2012, every time a user reset their password on a federal website, it cost the government $40, according to Andre Boysen, SecureKey’s chief identity officer.
So the company came up with a fix: partner with financial institutions and allow customers to use their bank logins to access government sites. It’s a secure and convenient solution, since online-banking customers use those sites more often and are more likely to remember their passwords for them. SecureKey won a contract in 2011 to provide its solution to all federal departments and agencies, which “helped build the business into what it is today,” Boysen says.
SecureKey’s story illustrates an important finding in the Deloitte report: the financial-services sector and governments in Ontario can provide local cybersecurity companies with opportunities to partner early on, ultimately helping them succeed abroad, too. “It gives them a ton of credibility when they’re trying to sell across the world,” Corr says.
The report estimates the global cybersecurity market was worth $106 billion in 2015, and that it will reach $170 billion by 2020. Ontario is well-positioned to benefit from that growth. “We found that Ontario has all the ingredients to become a global hub for cybersecurity innovation,” the report reads, “but has not yet reached the scale and gravity necessary to compete at the highest levels.”
The authors figure there are more than 90 small and medium-size cybersecurity businesses in Ontario, of which about 75 per cent are currently active. These companies raised $250 million in venture-capital funding from 2011 to 2015.
“It speaks well to the potential for economic growth in this area,” Corr says, predicting the quarter-billion already raised will be dwarfed by what’s to come over the next four years. “There’s so much activity going on, not only in Ontario, but across the world, that the funding going into cyber security is going to grow dramatically.”
Still, the report says, jurisdictions that foster greater collaboration between the public and private sectors could attract even more funding: “Faced with increasing global competition, Ontario cannot rely on continued organic growth. Focused and immediate intervention by public, private actors to develop cybersecurity talent, encourage access to markets, and build on Ontario’s strengths to develop next generation cybersecurity products and services is required.”
The number of deals in Ontario is not growing at the same rate as in other hubs, the authors say: in 2015, for example, the U.K. surpassed Ontario in cybersecurity venture-capital funding for the first time.
The problem in Ontario, Corr says, is that while early-stage capital is usually available to local companies, late-stage startup funding for businesses looking to scale up is harder to come by. It’s at that point investors from Silicon Valley or the U.S. East Coast tend to swoop in and snap up these companies. “As part of that,” Corr says, “they’ll move their operations down to the U.S. — so that’s really where the danger is.”
Corr says the provincial government has tried to address the problem with a Scale-Up Voucher program, announced late last year. There are also organizations like OMERS Ventures, he says, “who are making significant investments in startup companies. They have a lot of money, but it’s nowhere near enough to sustain the companies that should get funded.”
Finding the right people for the jobs is tough, too. Even though Ontario has a highly educated population and a huge talent pool to draw from, the report says, companies from the biggest banks to the smallest startups have trouble finding the employees they need. There’s a global shortage of cybersecurity workers, estimated to reach 1.5 million by 2020.
The Deloitte report notes that Ontario universities offer a “relatively low number of dedicated cybersecurity programs” but more than 175 individual courses. What they need most urgently are cross-disciplinary programs that encourage new thinking in cybersecurity, combining technological expertise with financial, political, and economic studies.
“The talent pool is definitely in Toronto, but there’s a lot of competition,” Boysen says. “Sometimes we do have challenges recruiting because there’s a lot of offers for people who have skills. What you have to do is have a persuasive thing that people want to work on.”