Why Security Startups Fly – And Why They Crash
What makes startups stand out in a market flooded with thousands of vendors? Funding experts and former founders share their thoughts.
Businesses want security against common and complex cyberthreats – and venture capitalists have their eyes on startups promising it. The latest fundings have permeated security news: Most recently, BitSight raised $60 million in Series D, Social SafeGuard generated $11 million in Series B, Preempt secured $17.5 million in Series B, and Agari raised $40 million in Series E.
What's more, last year broke records for venture capital (VC) funding in cybersecurity, with 2017 ending with 248 deals totaling $4.06 billion. Much of the high funding went to established firms including CrowdStrike and Exabeam, but plenty also was invested in relatively new entrants and startups.
The modern security market is "throbby and noisy and urgent," says Scott Petry, co-founder and CEO of Authentic8 and founder of Postini, which was acquired by Google and became Gmail. "People are jumping into security because it's a hot sector."
It's a relatively new problem for an industry unaccustomed to the spotlight. When he started Postini in 1999, Petry says, few people cared about security; most were focused on Web portals, applications, and data services. As a result, the company didn't get much respect. Now, with cyberattacks escalating, the landscape has shifted. Security pros truly invested in defense are often balanced by people angling to get part of the ubiquitous VC funding.
"The challenge is, there's an awful lot of technology being thrown at the security problem," Petry says. But security's problems often can't be traced to a lack of tech: As more money is allocated toward security tools, the number of breaches is also going up. Most aren't caused by gaps in technology but oversights, he adds, such as Equifax's leaving a Web server unpatched.
Right now, the security market is unhealthy, Petry explains. Vendors capitalize on customers' fear and uncertainty, and customers hit with breaches will buy more tech to fix the problem instead of assessing its root cause. "It's human nature," he admits. "The same nature applies to venture capitalists and companies hoping to get funded."
So where are those dollars going, and what are they being used for? Why do some startups stand out from others? And what will happen to the market as hundreds of vendors enter each year?
Where Investors are Investing
If the problem isn't technology, where are the billions of investment dollars going?
"Overall, the demand for cyber services is growing quite robustly, but there are so many companies that have been funded in the space that most are struggling," says Dave Cowan, partner at Bessemer Venture Partners. There are two major trends in today's security market, he says. One is working, one is not.
The displacement of the antivirus (AV) market is successful, he notes. Companies are turning off older antivirus agents and replacing them with next-gen systems built with a combination of endpoint detection, remediation, and attack prevention. Cowan cites Carbon Black, CrowdStrike, Cylance, Endgame, and SentinelOne as examples of next-gen AV success stories.
George Kurtz, co-founder and CEO of CrowdStrike, agrees that the ripest area for security investment is in endpoint protection. The challenge most companies will face is portfolio scope, he says. Do they offer the full spectrum of endpoint security, or do they target a small part of the solution?
"Buyers have more choices than ever as new technologies and solutions continue to emerge," Kurtz says. "Many companies are ready to replace their legacy AV with more effective and efficient solutions."
What's not working so well: artificial intelligence (AI) for cybersecurity.
"Most of the companies who have raised money from venture investors in the last few years have touted their algorithms as the basis for identifying attacks," Cowan says. Back in 2014, when the industry saw a spike in security breaches, businesses realized the stakes were getting higher and wanted visibility to detect sophisticated malware and advanced persistent threats.
The most enticing pitch was the application of AI to identify anomalies that could indicate an attack. Many startups were founded to detect suspicious activity, sending thousands of alerts to SOCs to experts who could only investigate a dozen per day. But detecting anomalies has little value to a business unless it has enough people to dig through those alerts and determine which are legitimate, Cowan says. Most alerts entering the SIEM don't even get seen.
However, Kurtz points out, startups focused on AI continue to appear on the market as founders aim to capitalize on the benefits of this technology. As they continue to explore use cases for AI, companies will continue to receive venture funding, Cowan adds.
Asheem Chandna, partner at Greylock Partners, anticipates the continued growth of technology including cloud-based solutions, solutions that combine on-premises with cloud, the application of machine learning and AI to security, and anything around identity. Identity analytics, identity, governance, and new authentication techniques will be increasingly important in the future, he says.
What Makes Startups Stand Out
First things first: The technology has to be useful and business-appropriate.
"It's important that a cyber company not only develop a strong defense, but develop one that works within enterprise organizations," Cowan says, noting that it's important for security leaders to also consider how useful a new tool might be. "Thinking about how the enterprise can actually use what you're doing is an important factor to success."
On a micro level, businesses building security tech should tackle smaller issues instead of trying to do everything. "What I've seen interesting, successful companies do is focus on solving a specific and narrow problem," Petry explains. "Many companies are trying to take too big a bite of the apple."
No single startup can solve all problems – the security landscape is incredibly diverse, he notes – but they can build expertise in one area. If it can solve a narrow problem quickly, acquire customers, and move on, a startup can build its business much more easily. "Solve a problem, do it well, and solve it for more people," Petry sums up.
Successful startups employ people who know how to exploit a network, Cowan points out. It takes a hacker to stop a hacker, he says, and Silicon Valley doesn't have many hackers. New companies aiming to deter and prevent major attacks, especially nation-state threats, need to build their products around the expertise of someone who has been in the attacker's seat. It's for their benefit and the benefit of their future customers.
Hiring the right financial expertise is also critical, Kurtz adds. Business is fundamentally a numbers game that relies on financial and hiring strategies. A CEO must hire employees who understand, and can perform against, the basic principle of good financial health.
Deciding Whether a Startup Is Worth the Money
A challenge for security leaders shopping in a market rife with vendors is deciding which technologies are worth their limited budgets. If you're an IT manager and debating the pros and cons of testing a new tool, how can you tell whether the startup behind it is here to stay?
The first thing to consider is the quality of its technology team, Chandna says. It's unlikely you're going to get a world-class solution if the quality of the tech team isn't "stellar," he says, so look at the backgrounds of a startup's founders. Where did they previously work? What did they last build?
Next, think about how the company markets its product. You want to work with one that explains its concept in a use-case-driven way that addresses your problem, and not as a technology looking for a problem to fix. In the security space, it's important to build technology that fits with existing architecture as opposed to a tool that works in theory but is hard to use.
"Companies that are successful tend to be customer-centric and innovate in a customer-centric way," Chandna says. "An important piece of that, for security companies, is being able to demonstrate a security solution … that works in combination with what the customer already has." You don't want a solution that will require you to overhaul your systems.
Finally, he says, consider the quality of the investor backing a startup. If a trusted VC has confidence the company will be around, it's a good sign, Chandna explains.
Looking Ahead: If and When the Bubble Will Pop
The security market has thousands of vendors competing for customers and hundreds more entering each year. It seems the industry will maximize its capacity at some point. But will it?
Experts are undecided. Two things will keep the security bubble from popping, says Petry, and the first is ongoing security risk. Businesses will continue to lose data, meaning they will continue to spend more money on tools promising to prevent future incidents.
The second will be the limited capacity of major organizations to cover all of their bases. Established vendors spending hundreds of millions of dollars on security won't have the resources to develop new systems in-house, so they'll acquire smaller startups building them.
For startups, Kurtz advises committing to customer success, hiring top talent in a remote workforce, and creating a mission that employees are confident in. They should also get comfortable with failure, he explains, especially as tech continues to evolve. Those who succeed will be able to keep up with changes in technology, and businesses in the market for new tech should pay attention to them.
"The Silicon Valley mantra of 'fail fast, fail often' rings true for many tech entrepreneurs, but I believe it's equally important to evolve even faster after failures," he says. "While good companies are those that can excel quickly, the best companies are those that have a long-term vision and know where they are headed."
Attackers' changing strategies will also influence the shape of startups coming into the market, anticipates Gary Golomb, chief research officer at Awake Security. Companies that hard-code specific protections into their tech will have a harder time because they won't be able to keep up with advanced attackers, as opposed to platforms that can accommodate new detections.
"The ability of attackers to shift tactics rapidly and intelligently based on a target's security measures means that the startups that get funding and succeed will be those that have a platform approach where new detections can be added easily, whether by the startup or the customer," Golomb says.
Related Content:
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.
About the Author
You May Also Like