10/17/2016
12:30 PM

How To Become A Cybersecurity Entrepreneur In A Crowded Market

If you want to build the next great cybersecurity startup, use your expertise, then follow these three simple suggestions.

Declines in venture funding often paralyze the technology community. Talk of bubbles, dying unicorns, and austerity can surge for weeks following a negative report. In response, many entrepreneurs hit pause on their dreams, believing they should wait for more favorable conditions. That approach is often misguided. 

In our work as venture capital investors, we see this dynamic in the cybersecurity market today. In July, tech market analysts at CB Insights predicted that 2016 will see $3B in cybersecurity funding with over 300 deals. A year earlier, in 2015, analysts saw $3.75B invested in 336 cybersecurity deals. Barring some miracle, investments will continue to decline year over year.

When we drilled into the CB Insights data, we found an important discrepancy. The relative volumes of Series A, B, C, D, and E+ rounds have not changed significantly in 2016. In fact, the deal share of Series A rounds increased three percent. Conversely, ‘Seed’ and ‘Angel’ deals declined from 37 percent to 31 percent, a five-year low. This trend suggests that incumbents have doubled down in crowded niches, and would-be founders have hesitated.

Counterintuitively, the downturn in funding could offer ideal conditions for entrepreneurs. To find out, let’s begin with a question: What’s behind this decrease in early-stage investments? There are several factors:

Known Areas of Security Became Crowded with Strong Players
Established verticals like endpoint protection and network security are oversaturated. Even newer markets like SCADA security and cyber deception have at least 10 to 20 vendors each. VCs prefer not to support new startups in red oceans. Thus, funding in these areas has declined and will continue to decline.

CISOs Are Overwhelmed by the Variety of Solutions
Thanks to the dense competition, chief information security officers (CISOs) are overwhelmed with options, and that affects funding. Every day, cybersecurity startups bombard CISOs with dozens of similar products. That creates an undue burden on CISOs who don’t have the time to evaluate, purchase, and maintain a basket of point solutions. They’d rather choose broad platforms from established vendors. Frankly, a brand-name cybersecurity platform is easier to justify to shareholders, board members, and fellow executives. With CISOs hesitant to choose early-stage startups, VCs have scaled back funding.  

Non-Specialized Investors Wanted In
Perhaps most tellingly, investors without cybersecurity experience entered the market when it was bullish. Lacking the expertise to evaluate cybersecurity technologies, they financed startups with minimal differentiation and questionable leadership. The consequent bloating of valuations and over-saturation raised the costs of marketing, sales, and talent acquisition for everyone. Funding has slowed, in part, because it peaked unnaturally. Experienced cybersecurity investors want to let crowded cybersecurity markets fizzle.

So, if you’re a wannabe entrepreneur on the fence about launching a cybersecurity startup, is now really the time to do it? Absolutely yes.

Remember, funding conditions don’t change cybersecurity’s raison d'être. Breaches happen daily, and cybercrime will cost businesses over $2 trillion annually by 2019, according to Juniper Research. Think about what we expressed above: your would-be competitors are likely stuck in red oceans and might lack access to additional funding. Right now, you can choose a blue ocean and face less competition than you would in bullish conditions.

Consider, too, that enterprises face a global shortage of cybersecurity talent. According to Cisco, the world has 1 million unfilled cybersecurity jobs, and that number could reach 1.5 million by 2019. Peninsula Press estimates that the U.S. alone has 209,000 vacant roles. When we consult our network of high-caliber CISOs, they consistently voice demand for solutions that manage, orchestrate, and automate cybersecurity. Enterprises can’t adopt new technologies and compensate for the talent deficit – not without advances in cybersecurity. 

Takeaways and Opportunities for the Security Pro
That dilemma raises an interesting challenge for enterprise security professionals as new technologies spur the need for new and innovative security solutions.  

Cybersecurity almost always finds a new market two to three years after a disruptive technology emerges. Virtual containers, autonomous vehicles, and drones, for instance, have created some of the latest and greatest opportunities in cybersecurity. Right now, someone is inventing a technology that will spawn massive security issues. Who better to spot it than you? Why not make your move while capital is tied down in yesterday’s cybersecurity solutions? Why not approach CISOs with technologies they haven’t seen?  

If you want to build the next great cybersecurity startup, we offer several suggestions:

First, recognize that brilliant technology doesn’t equate to a great product or viable business model. Perform due diligence on the markets in which you see opportunities. Build to sell, otherwise VCs will pass.

Second, understand the thin line between an emerging space and a non-existent one. The examples we mentioned (autonomous vehicles, virtual containers, and drones) were nonexistent only a couple of years ago. Their security was an afterthought, and afterthoughts can make billion-dollar businesses.

However, if you create a technology before the market is ripe, you’ll spend precious capital educating the world on a problem that doesn’t exist. And then, if that problem does come to fruition, the second wave of startups will reap the benefits of your spending and hard work.   

Third, build platforms, not features. As mentioned, CISOs have had enough with point solutions, which are what startups initially make. Even when you’re small, think big. Initially, design your solution to integrate with common security portfolios. In the long term, solve a set of interrelated problems. Among CISOs, you want a reputation for handling all security dimensions of an indispensable technology.  

With the right team and point of view, entrepreneurs can thrive in cybersecurity, and tight funding can even provide a competitive edge, because cybersecurity is not a fad; it’s a central problem of digital society. If you’re on the fence, that notion should give you comfort. Let tough funding conditions be a source of opportunity, not paralysis.

Iren Reznikov of YL Ventures also contributed to this article.

Yoav Leitersdorf and Ofer Schreiber are Managing Partner and Partner, respectively, at YL Ventures, which invests early in cybersecurity, cloud computing, big data, and software-as-a-service software companies, and accelerates their evolution via strategic advice and Silicon ...
Comments
lucysecurity
10/23/2016 | 2:54:26 PM
Is the Cybersecurity Market really crowded?
Thank you for this interesting article! We're sad to hear that there is a decreasing amount of early-stage investments. But we're not sure if it is due to the factors you mentioned.
  • Known Areas of Security Became Crowded with Strong Players: We absolutely agree that there is a kind of saturation. But when you look at the products and services from a closer view, then you'll recognize that the offerings are often based on old-fashioned concepts (acronym 1.0) and most of the stuff is absolutely overpriced. There's a huge space for innovation; the market is not ready for consolidation and amazonification yet.
  • CISOs are Overwhelmed by Variety: This is not in line with our perception. As a software product company for IT-Security Awareness Products, the CISO is one of our main buyer personas or at least an important influencer. Those CSOs we're in contact with do not look like they are overrun with products or services.
  • Non-specialized investors in the security market: The only thing we can say is that we've been approached by non-specialized investors only! And we are definitively a cybersecurity startup (okay, we're Swiss...)


We absolutely agree on the opportunities you mentioned. Of course you should build cybersecurity platforms and you are right that great technology only is not a sellable product or a viable business model. And of course, timing is elementary, don't be too early and not too late. We're convinced that the time is right for real products, which can be bought and used out of the box with no or low consulting services on top - and which VCs will love!

Best regards, Palo from LUCY