11:20 AM

How Enterprises Can Harvest The Knowledge Of Security-Focused Venture Capitalists

Tomorrow's game-changing security startups are meeting with investors today. Here are some tips on how you can take advantage of smart guidance from venture funding firms.

Second of two articles in a series on venture capital in security. The first installment is "Venture Capital: The Lifeblood Behind Security Innovation."

One of security's most overused axioms is that "there’s no silver bullet" to cure all ills. But what if, someday, a silver bullet security product is developed? Who would be the first to know about the industry’s most revolutionary new technology?

The answer is simple: Follow the money. The road to security’s "next big thing" will almost certainly go through the investment firms that fund such new ventures. If you want to know where security technology is going -- and where it’s not -- it pays to do some research on what the industry’s top venture capital companies are doing.

Every day, VC investment firms that focus on cyber security meet with emerging companies that need cash to bring their products to market. Hundreds of startup firms pitch VCs in the shark tank, hawking everything from harebrained schemes to highly viable technologies already deep in beta test. The startups that make it through this filter -- and win the big investment money -- will be tomorrow’s most disruptive new vendors.

"One of the things that many enterprises overlook when they’re investigating new technologies is doing some due diligence on their financial viability," says David Cowan, a partner at Bessemer Venture Partners, which has funded some 32 IT security startups. "Any startup you’re considering will probably be losing money when you first meet with them. You want to know who are the VCs behind them -- that will give you a pretty good indicator on what their chances are."

Much like the enterprises that take a leap of faith by buying technology from a startup, VCs kiss a lot of frogs before they find the few emerging firms that will receive their millions of investment dollars. The prospective winners typically run a series of gauntlets before they hit it big, first auditioning for tens of thousands in angel funding, then auditioning again for a million or three in Series A. By the time you read about a startup receiving $10 million or more in Series B or C, its founding fathers have usually made dozens, if not hundreds, of presentations and demonstrations to prospective investors.

MACH37, a "cyber accelerator" organization that funds and trains entrepreneurs and young security companies on how to develop their ideas and bring them to market, offers a modest $50,000 to potential startups that enter its programs in the spring and fall. Just a few weeks ago, MACH37 announced that it has funded five startups from a list of more than 40 applicants -- all of them in their earliest stages of development.

"What we’re looking for is companies that have a concept that is solving real-world problems and that are truly different from what already exists out there," says Rick Gordon, managing partner of MACH37. "We know about the problems that enterprises are facing -- BYOD, cloud security, SDN. What we are looking for are companies that could potentially claim a significant portion of the market."

A startup that makes it through MACH37’s program or an angel funding round might then be considered for a larger round of funding by a VC firm such as Bessemer, Accel Partners, AGS, or Sequoia Capital. Many VC firms have programs in which they will meet with enterprise IT people and introduce them personally to security startups that might be a good fit.

"Today, if you’re an IT executive and you’re not doing a West Coast sweep of the VC companies, you’re missing some great opportunities," says George Kurtz, CEO and co-founder of emerging security firm CrowdStrike and a veteran entrepreneur in the security industry. "The VCs are in a great position to help you filter out the right startups to work with -- they’ve seen every company and heard every story. They understand the startups’ financial position and their long-term strategy. It’s a great way to vet the [startups] you might be considering bringing in."

Meetings with enterprise IT people are essential to VCs because they provide insight on key pain points and on the central security problems that enterprises are trying to solve. Through multiple conversations with CIOs and CSOs, venture capitalists form a picture of the security problem that eventually helps them decide which startups have a chance to make it big and which ones don’t.

"Before we invested in CrowdStrike, we talked to a lot of CIOs and asked their impressions of the problem and where they were feeling the pain," says Sameer Gandhi, a partner at Accel Partners, which has also funded many other startups that are well known today, such as Lookout, Tenable, and Sonatype. "One of the reasons we were excited about CrowdStrike was that we felt that they were working on a problem that a lot of enterprises have but that none of the incumbent vendors was currently able to solve. That’s something we were able to recognize by talking to CIOs."

Even if you don’t work for a large enterprise that might be invited to meet with a VC firm, you can use the intelligence gathered by VCs to help you choose the right startups to work with, experts say. Some VC companies have strong track records for consistently backing successful security startups, while others are still new at the game, they note. A wise security professional will consider a startup’s venture funding partners before climbing into bed with them.

Venture capital companies may also publish reports on industry trends that offer hints as to which problems they’ve identified and which categories of companies they are thinking about investing in, experts say. If several VCs have identified the same security trend and are putting their dollars behind it, it’s usually a good sign that products in that category are "safe" and that working with a startup might be an option.

But not all VCs that have invested in cyber security are highly savvy about the market, notes Adam Ghetti, co-founder and CEO of startup Ionic Security. "There are a lot of VCs in the space, but there are very few that really get it from all sides," Ghetti says. "There are security startups that can build a good business and sell at $100M, and there are security startups that have the potential to change the whole platform as we know it. Not all VCs understand that nuance."

And there are some organizations, such as the Security Innovation Network (SINET), that help enterprises to vet the plethora of startups on the market and identify those with promise. In 2010, SINET chose FireEye Inc. -- then a new company that had some innovative ideas about identifying zero-day malware -- as one of 16 emerging companies to feature in its annual showcase. Today, FireEye is one of the best known and most highly capitalized companies in the security industry.

While many enterprises remain reluctant to invest in startup technologies for functions as important as security, that conservatism may be unwarranted, according to Bessemer’s Cowan.

"I’m not sure the risk is as great as enterprises might think," Cowan says. "If you look at what happens to startups, very few of them ever really disappear. They might get acquired, but even if that happens, they’re usually still supported. And the cost of switching vendors in security is still relatively low -- it’s not like most companies have a huge legacy of products that they would have to replace.

"In fact, there are some advantages to getting in and working with a startup early. For one thing, when you work with a startup, you get their full attention -- they may not have very many customers, so you’re high on their priority list. The key is to find startups that are transparent about what they do. If they won’t tell you how their technology works, that’s not a good sign."

Unlike hardware or operating systems, security is not a market that lends itself to "durable" solutions, Cowan observes. The pace of cyberattacks and the rapid evolution of defenses don’t favor a long-term solution, so choosing an established vendor isn’t necessarily a better choice than choosing a startup.

"The best you can ever do in cyber security is to tread water," says Cowan. "The best solution today will not be the best solution five years from now. Your best option is to stay flexible."

Tim Wilson is Editor in Chief and co-founder of Dark Reading, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

User Rank: Strategist
5/8/2014 | 9:39:48 PM
Re: Cyber Security Solutions - Innovation Trumps Size
Great points, Bob -- you answered some of the questions I raised in the comments in response to your remarks at the end of my Part 1 story! I do think that the relationship between security executives and venture investors like yourself is one that has huge potential for benefit on BOTH sides, and I hope that Dark Reading can facilitate more discussion between security-focused VCs and security professionals such as those in our community. I hope you'll continue to add your insight to our news and analysis pieces!
User Rank: Apprentice
5/8/2014 | 8:24:19 PM
Cyber Security Solutions - Innovation Trumps Size

Nice follow-up piece, Tim. As a venture capital investor in cyber security innovation, we spend a lot of time with enterprise customers to: 1) understand where they see the threat vectors based on their technology infrastructure and business profile, and 2) to seek input into the opportunities we are evaluating. The symbiosis here is to draw connections between those with the problems and those looking to provide the solutions. Historically, enterprise customers have been reticent to purchase solutions from young companies for the reasons you articulated through your two pieces. Cyber is definitely an exception to that generalization. Frankly, the nature of cyber threats evolves and morphs faster than most legacy solution providers can track. Experienced customers understand this and turn to the start-up community out of necessity – they simply don't have a choice in many cases. The cutting edge innovation is coming out of Silicon Valley (and other innovation clusters) and the imperative to "get it right" with cyber security outweighs the risk of engaging with a start-up company in many cases. Look to the resignation of the Target CEO earlier this week when you think about the consequences of getting it wrong in cyber. Expect to see more of this in the future. Maybe this is a reason why you see groups like Blackstone actually setting aside a pool of capital to engage and work with cutting edge cyber innovators to provide advanced cyber security solutions for their portfolio companies.

User Rank: Strategist
4/30/2014 | 4:28:01 PM
Re: Vested interest
Thanks Lorna, you make a great point. To get the full value of the VC community, you need to track multiple VCs and get their varying points of view. But it's still a lot easier to evaluate (in your scenario) four promising startups than to start from scratch and listen to pitches from dozens of unknowns. Another point I might make is that many startups, such as FireEye and CrowdStrike, are actually getting funding from multiple VCs, so it's not a one-sponsor, one-startup situation. If you see 3-4 VCs that know security backing a single startup, that's a good sign that there might be a there there.
User Rank: Strategist
4/30/2014 | 4:23:05 PM
Re: VC explosion
Great points, Kelly. Interestingly, according to numbers from Thomson Reuters, the number of security companies receiving funding was actually down slightly between 2012 and 2013 -- there were a lot of startups funded in the 2011-12 years. However, I think what we're noticing is that startups are getting a lot more traction than they did during those years -- a startup today has a real chance of breaking into an enterprise and building a business relatively quickly, as we saw with FireEye, Palo Alto Networks and CrowdStrike. There's a real opportunity for a new company to make the grade.
Kelly Jackson Higgins
User Rank: Strategist
4/30/2014 | 4:14:25 PM
VC explosion
There is a lot of VC activity going on lately in security. Nearly once a week, there's been a new VC funding announcement from one startup or another. I'm wondering how this compares with a year ago, or even six months ago.
Lorna Garey
User Rank: Ninja
4/30/2014 | 2:31:50 PM
Vested interest
Tim, any given VC is going to have a strong incentive to recommend to enterprise CIOs/CISOs the startups it's invested in. So, you might visit four VCs asking about X problem and get four promising solutions. I guess that's actually better than the alternative, but how do you recommend sorting through the possibilities?