4/30/2014
11:20 AM

How Enterprises Can Harvest The Knowledge Of Security-Focused Venture Capitalists

Tomorrow's game-changing security startups are meeting with investors today. Here are some tips on how you can take advantage of smart guidance from venture funding firms.

Second of two articles in a series on venture capital in security. Read the first installment, Venture Capital: The Lifeblood Behind Security Innovation.

One of security's most overused axioms is that "there’s no silver bullet" to cure all ills. But what if, someday, a silver bullet security product is developed? Who would be the first to know about the industry’s most revolutionary new technology?

The answer is simple: Follow the money. The road to security’s "next big thing" will almost certainly go through the investment firms that fund such new ventures. If you want to know where security technology is going -- and where it’s not -- it pays to do some research on what the industry’s top venture capital companies are doing.

Every day, VC investment firms that focus on cyber security meet with emerging companies that need cash to bring their products to market. Hundreds of startup firms pitch VCs in the shark tank, hawking everything from harebrained schemes to highly viable technologies already deep in beta test. The startups that make it through this filter -- and win the big investment money -- will be tomorrow’s most disruptive new vendors.

"One of the things that many enterprises overlook when they’re investigating new technologies is doing some due diligence on their financial viability," says David Cowan, a partner at Bessemer Venture Partners, which has funded some 32 IT security startups. "Any startup you’re considering will probably be losing money when you first meet with them. You want to know who are the VCs behind them -- that will give you a pretty good indicator on what their chances are."

Much like the enterprises that take a leap of faith by buying technology from a startup, VCs kiss a lot of frogs before they find the few emerging firms that will receive their millions of investment dollars. The prospective winners typically run a series of gauntlets before they hit it big, first auditioning for tens of thousands in angel funding, then auditioning again for a million or three in Series A. By the time you read about a startup receiving $10 million or more in Series B or C, its founding fathers have usually made dozens, if not hundreds, of presentations and demonstrations to prospective investors.

MACH37, a "cyber accelerator" organization that funds and trains entrepreneurs and young security companies on how to develop their ideas and bring them to market, offers a modest $50,000 to potential startups that enter its programs in the spring and fall. Just a few weeks ago, MACH37 announced that it has funded five startups from a list of more than 40 applicants -- all of them in their earliest stages of development.

"What we’re looking for is companies that have a concept that is solving real-world problems and that are truly different from what already exists out there," says Rick Gordon, managing partner of MACH37. "We know about the problems that enterprises are facing -- BYOD, cloud security, SDN. What we are looking for are companies that could potentially claim a significant portion of the market."

A startup that makes it through MACH37’s program or an angel funding round might then be considered for a larger round of funding by a VC firm such as Bessemer, Accel Partners, AGS, or Sequoia Capital. Many VC firms have programs in which they will meet with enterprise IT people and introduce them personally to security startups that might be a good fit.

"Today, if you’re an IT executive and you’re not doing a West Coast sweep of the VC companies, you’re missing some great opportunities," says George Kurtz, CEO and co-founder of emerging security firm CrowdStrike and a veteran entrepreneur in the security industry. "The VCs are in a great position to help you filter out the right startups to work with -- they’ve seen every company and heard every story. They understand the startups’ financial position and their long-term strategy. It’s a great way to vet the [startups] you might be considering bringing in."

Meetings with enterprise IT people are essential to VCs because they provide insight on key pain points and on the central security problems that enterprises are trying to solve. Through multiple conversations with CIOs and CSOs, venture capitalists form a picture of the security problem that eventually helps them decide which startups have a chance to make it big and which ones don’t.

"Before we invested in CrowdStrike, we talked to a lot of CIOs and asked their impressions of the problem and where they were feeling the pain," says Sameer Gandhi, a partner at Accel Partners, which has also funded many other startups that are well known today, such as Lookout, Tenable, and Sonatype. "One of the reasons we were excited about CrowdStrike was that we felt that they were working on a problem that a lot of enterprises have but that none of the incumbent vendors was currently able to solve. That’s something we were able to recognize by talking to CIOs."

Even if you don’t work for a large enterprise that might be invited to meet with a VC firm, you can use the intelligence gathered by VCs to help you choose the right startups to work with, experts say. Some VC companies have strong track records for consistently backing successful security startups, while others are still new at the game, they note. A wise security professional will consider a startup’s venture funding partners before climbing into bed with them.

Venture capital companies may also publish reports on industry trends that offer hints as to which problems they’ve identified and which categories of companies they are thinking about investing in, experts say. If several VCs have identified the same security trend and are putting their dollars behind it, it’s usually a good sign that products in that category are "safe" and that working with a startup might be an option.

But not all VCs that have invested in cyber security are highly savvy about the market, notes Adam Ghetti, co-founder and CEO of startup Ionic Security. "There are a lot of VCs in the space, but there are very few that really get it from all sides," Ghetti says. "There are security startups that can build a good business and sell at $100M, and there are security startups that have the potential to change the whole platform as we know it. Not all VCs understand that nuance."

And there are some organizations, such as the Security Innovation Network (SINET), that help enterprises to vet the plethora of startups on the market and identify those with promise. In 2010, SINET chose FireEye Inc. -- then a new company that had some innovative ideas about identifying zero-day malware -- as one of 16 emerging companies to feature in its annual showcase. Today, FireEye is one of the best known and most highly capitalized companies in the security industry.

While many enterprises remain reluctant to invest in startup technologies for functions as important as security, that conservatism may be unwarranted, according to Bessemer’s Cowan.

"I’m not sure the risk is as great as enterprises might think," Cowan says. "If you look at what happens to startups, very few of them ever really disappear. They might get acquired, but even if that happens, they’re usually still supported. And the cost of switching vendors in security is still relatively low -- it’s not like most companies have a huge legacy of products that they would have to replace.

"In fact, there are some advantages to getting in and working with a startup early. For one thing, when you work with a startup, you get their full attention -- they may not have very many customers, so you’re high on their priority list. The key is to find startups that are transparent about what they do. If they won’t tell you how their technology works, that’s not a good sign."

Unlike hardware or operating systems, security is not a market that lends itself to "durable" solutions, Cowan observes. The pace of cyberattacks and the rapid evolution of defenses don’t favor a long-term solution, so choosing an established vendor isn’t necessarily a better choice than choosing a startup.

"The best you can ever do in cyber security is to tread water," says Cowan. "The best solution today will not be the best solution five years from now. Your best option is to stay flexible."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
DarkReadingTim,
User Rank: Strategist
5/8/2014 | 9:39:48 PM
Re: Cyber Security Solutions - Innovation Trumps Size
Great points, Bob -- you answered some of the questions I raised in the comments in response to your remarks at the end of my Part 1 story! I do think that the relationship between security executives and venture investors like yourself is one that has huge potential for benefit on BOTH sides, and I hope that Dark Reading can facilitate more discussion between security-focused VCs and security professionals such as those in our community. I hope you'll continue to add your insight to our news and analysis pieces!
BobAckerman,
User Rank: Apprentice
5/8/2014 | 8:24:19 PM
Cyber Security Solutions - Innovation Trumps Size

Nice follow-up piece, Tim. As a venture capital investor in cyber security innovation, we spend a lot of time with enterprise customers to: 1) understand where they see the threat vectors based on their technology infrastructure and business profile, and 2) to seek input into the opportunities we are evaluating. The symbiosis here is to draw connections between those with the problems and those looking to provide the solutions. Historically, enterprise customers have been reticent to purchase solutions from young companies for the reasons you articulated through your two pieces. Cyber is definitely an exception to that generalization. Frankly, the nature of cyber threats evolves and morphs faster than most legacy solution providers can track. Experienced customers understand this and turn to the start-up community out of necessity – they simply don't have a choice in many cases. The cutting edge innovation is coming out of Silicon Valley (and other innovation clusters) and the imperative to "get it right" with cyber security outweighs the risk of engaging with a start-up company in many cases. Look to the resignation of the Target CEO earlier this week when you think about the consequences of getting it wrong in cyber. Expect to see more of this in the future. Maybe this is a reason why you see groups like Blackstone actually setting aside a pool of capital to engage and work with cutting edge cyber innovators to provide advanced cyber security solutions for their portfolio companies.

DarkReadingTim,
User Rank: Strategist
4/30/2014 | 4:28:01 PM
Re: Vested interest
Thanks Lorna, you make a great point. To get the full value of the VC community, you need to track multiple VCs and get their varying points of view. But it's still a lot easier to evaluate (in your scenario) four promising startups than to start from scratch and listen to pitches from dozens of unknowns. Another point I might make is that many startups, such as FireEye and CrowdStrike, are actually getting funding from multiple VCs, so it's not a one-sponsor, one-startup situation. If you see 3-4 VCs that know security backing a single startup, that's a good sign that there might be a there there.
DarkReadingTim,
User Rank: Strategist
4/30/2014 | 4:23:05 PM
Re: VC explosion
Great points, Kelly. Interestingly, according to numbers from Thomson Reuters, the number of security companies receiving funding was actually down slightly between 2012 and 2013 -- there were a lot of startups funded in the 2011-12 years. However, I think what we're noticing is that startups are getting a lot more traction than they did during those years -- a startup today has a real chance of breaking into an enterprise and building a business relatively quickly, as we saw with FireEye, Palo Alto Networks and CrowdStrike. There's a real opportunity for a new company to make the grade.
Kelly Jackson Higgins,
User Rank: Strategist
4/30/2014 | 4:14:25 PM
VC explosion
There is a lot of VC activity going on lately in security. Nearly once a week, there's been a new VC funding announcement from one startup or another. I'm wondering how this compares with a year ago, or even six months ago.
Lorna Garey,
User Rank: Ninja
4/30/2014 | 2:31:50 PM
Vested interest
Tim, Any given VC is going to have a strong incentive to recommend to enterprise CIOs/CISOs the startups it's invested in. So, you might visit four VCs asking about X problem and get four promising solutions. I guess that's actually better than the alternative, but how do you recommend sorting through the possibilities?  