Why Security Startups Fly – And Why They Crash

  /     /     /  
Publicated : 22/11/2024   Category : security


Why Security Startups Fly – And Why They Crash


What makes startups stand out in a market flooded with thousands of vendors? Funding experts and former founders share their thoughts.



Businesses want security against common and complex cyberthreats – and venture capitalists have their eyes on startups promising it. The latest fundings have permeated security news: Most recently, BitSight
raised
$60 million in Series D, Social SafeGuard
generated
$11 million in Series B, Preempt
secured
$17.5 million in Series B, and Agari
raised
$40 million in Series E.
Whats more, last year
broke records
for venture capital (VC) funding in cybersecurity, with 2017 ending with 248 deals totaling $4.06 billion. Much of the high funding went to established firms including CrowdStrike and Exabeam, but plenty also was invested in relatively new entrants and startups.
The modern security market is throbby and noisy and urgent, says Scott Petry, co-founder and CEO of Authentic8 and founder of Postini, which was acquired by Google and became Gmail. People are jumping into security because its a hot sector.
Its a relatively new problem for an industry unaccustomed to the spotlight. When he started Postini in 1999, Petry says, few people cared about security; most were focused on Web portals, applications, and data services. As a result, the company didnt get much respect. Now, with cyberattacks escalating, the landscape has shifted. Security pros truly invested in defense are often balanced by people angling to get part of the ubiquitous VC funding.
The challenge is, theres an awful lot of technology being thrown at the security problem, Petry says. But securitys problems often cant be traced to a lack of tech: As more money is allocated toward security tools, the number of breaches is also going up. Most arent caused by gaps in technology but oversights, he adds, such as Equifaxs leaving a Web server unpatched.
Right now, the security market is unhealthy, Petry explains. Vendors capitalize on customers fear and uncertainty, and customers hit with breaches will buy more tech to fix the problem instead of assessing its root cause. Its human nature, he admits. The same nature applies to venture capitalists and companies hoping to get funded.  
So where are those dollars going, and what are they being used for? Why do some startups stand out from others? And what will happen to the market as hundreds of vendors enter each year?
Where Investors are Investing 
If the problem isnt technology, where are the billions of investment dollars going?
Overall, the demand for cyber services is growing quite robustly, but there are so many companies that have been funded in the space that most are struggling, says Dave Cowan, partner at Bessemer Venture Partners. There are two major trends in todays security market, he says. One is working, one is not.
The displacement of the antivirus (AV) market is successful, he notes. Companies are turning off older antivirus agents and replacing them with next-gen systems built with a combination of endpoint detection, remediation, and attack prevention. Cowan cites Carbon Black, CrowdStrike, Cylance, Endgame, and SentinelOne as examples of next-gen AV success stories.
George Kurtz, co-founder and CEO of CrowdStrike, agrees that the ripest area for security investment is in endpoint protection. The challenge most companies will face is portfolio scope, he says. Do they offer the full spectrum of endpoint security, or do they target a small part of the solution?
Buyers have more choices than ever as new technologies and solutions continue to emerge, Kurtz says. Many companies are ready to replace their legacy AV with more effective and efficient solutions.
Whats not working so well: artificial intelligence (AI) for cybersecurity.
Most of the companies who have raised money from venture investors in the last few years have touted their algorithms as the basis for identifying attacks, Cowan says. Back in 2014, when the industry saw a spike in security breaches, businesses realized the stakes were getting higher and wanted visibility to detect sophisticated malware and advanced persistent threats.
The most enticing pitch was the application of AI to identify anomalies that could indicate an attack. Many startups were founded to detect suspicious activity, sending thousands of alerts to SOCs to experts who could only investigate a dozen per day. But detecting anomalies has little value to a business unless it has enough people to dig through those alerts and determine which are legitimate, Cowan says. Most alerts entering the SIEM dont even get seen.
However, Kurtz points out, startups focused on AI continue to appear on the market as founders aim to capitalize on the benefits of this technology. As they continue to explore use cases for AI, companies will continue to receive venture funding, Cowan adds.
Asheem Chandna, partner at Greylock Partners, anticipates the continued growth of technology including cloud-based solutions, solutions that combine on-premises with cloud, the application of machine learning and AI to security, and anything around identity. Identity analytics, identity, governance, and new authentication techniques will be increasingly important in the future, he says.
What Makes Startups Stand Out
First things first: The technology has to be useful and business-appropriate.
Its important that a cyber company not only develop a strong defense, but develop one that works within enterprise organizations, Cowan says, noting that its important for security leaders to also consider how useful a new tool might be. Thinking about how the enterprise can actually use what youre doing is an important factor to success.
On a micro level, businesses building security tech should tackle smaller issues instead of trying to do everything. What Ive seen interesting, successful companies do is focus on solving a specific and narrow problem, Petry explains. Many companies are trying to take too big a bite of the apple.
No single startup can solve all problems – the security landscape is incredibly diverse, he notes – but they can build expertise in one area. If it can solve a narrow problem quickly, acquire customers, and move on, a startup can build its business much more easily. Solve a problem, do it well, and solve it for more people, Petry sums up.
Successful startups employ people who know how to exploit a network, Cowan points out. It takes a hacker to stop a hacker, he says, and Silicon Valley doesnt have many hackers. New companies aiming to deter and prevent major attacks, especially nation-state threats, need to build their products around the expertise of someone who has been in the attackers seat. Its for their benefit and the benefit of their future customers.
Hiring the right financial expertise is also critical, Kurtz adds. Business is fundamentally a numbers game that relies on financial and hiring strategies. A CEO must hire employees who understand, and can perform against, the basic principle of good financial health.
Deciding Whether a Startup Is Worth the Money
A challenge for security leaders shopping in a market rife with vendors
is deciding
which technologies are worth their limited budgets. If youre an IT manager and debating the pros and cons of testing a new tool, how can you tell whether the startup behind it is here to stay?
The first thing to consider is the quality of its technology team, Chandna says. Its unlikely youre going to get a world-class solution if the quality of the tech team isnt stellar, he says, so look at the backgrounds of a startups founders. Where did they previously work? What did they last build?
Next, think about how the company markets its product. You want to work with one that explains its concept in a use-case-driven way that addresses your problem, and not as a technology looking for a problem to fix. In the security space, its important to build technology that fits with existing architecture as opposed to a tool that works in theory but is hard to use.
Companies that are successful tend to be customer-centric and innovate in a customer-centric way, Chandna says. An important piece of that, for security companies, is being able to demonstrate a security solution … that works in combination with what the customer already has. You dont want a solution that will require you to overhaul your systems.
Finally, he says, consider the quality of the investor backing a startup. If a trusted VC has confidence the company will be around, its a good sign, Chandna explains.
Looking Ahead: If and When the Bubble Will Pop
The security market has thousands of vendors competing for customers and hundreds more entering each year. It seems the industry will maximize its capacity at some point. But will it?
Experts are undecided. Two things will keep the security bubble from popping, says Petry, and the first is ongoing security risk. Businesses will continue to lose data, meaning they will continue to spend more money on tools promising to prevent future incidents.
The second will be the limited capacity of major organizations to cover all of their bases. Established vendors spending hundreds of millions of dollars on security wont have the resources to develop new systems in-house, so theyll acquire smaller startups building them.
For startups, Kurtz advises committing to customer success, hiring top talent in a remote workforce, and creating a mission that employees are confident in. They should also get comfortable with failure, he explains, especially as tech continues to evolve. Those who succeed will be able to keep up with changes in technology, and businesses in the market for new tech should pay attention to them.
The Silicon Valley mantra of fail fast, fail often rings true for many tech entrepreneurs, but I believe its equally important to evolve even faster after failures, he says. While good companies are those that can excel quickly, the best companies are those that have a long-term vision and know where they are headed.
Attackers changing strategies will also influence the shape of startups coming into the market, anticipates Gary Golomb, chief research officer at Awake Security. Companies that hard-code specific protections into their tech will have a harder time because they wont be able to keep up with advanced attackers, as opposed to platforms that can accommodate new detections.
The ability of attackers to shift tactics rapidly and intelligently based on a targets security measures means that the startups that get funding and succeed will be those that have a platform approach where new detections can be added easily, whether by the startup or the customer, Golomb says.
Related Content:
20 Cybersecurity Vendors Getting Venture Capital Love
First Women-Led Cybersecurity Venture Capital Firm Launches
The Startup Challenge: Safe in the Cloud from Day One
6 M&A Security Tips
 
 
 
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the
conference
 and
to register.

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Why Security Startups Fly – And Why They Crash