Mobile

12/28/2017
09:10 AM
50%
50%

Rapid Growth in Security Market Raises Question: How to Pick a Startup

VCs weigh in with their advice on how to select a startup with staying power when purchasing security solutions and services.

VCs have invested more than $2.7 billion into cybersecurity companies so far this year, funding a new round of startups in a market that already supports more than 1,400 vendors, according to estimates. Most experts agree that despite skyrocketing market growth, not all of these startups will survive.

For enterprises, the rapid growth of startups and new ventures presents an opportunity to find better, faster and cheaper solutions to security challenges. But it also presents a dilemma: how to choose startups that will be around for the long haul.

Market Growth

Information security spending is expected to surge to $101 billion by 2020 – up 36.5% from 2016 figures, according to IDC. Meanwhile, nearly 40% of organizations surveyed in Dark Reading's 2017 Security Spending Survey Report indicated they expect to spend 10% or more of their IT budgets on cybersecurity.

But rapid market growth doesn't automatically translate to success for the many startups entering the market. In fact, many venture capitalists believe a number of today's startups will eventually fail.

"Venture money is shifting to the winners in each category and those winners will get bigger. We're starting to see this shift happen now. What could eventually happen is some companies in this space will fall out and not survive," says Arun Mathew, a partner at venture capital firm Accel Partners. "Five years from now, it is more likely than not that we'll see fewer security companies than we do now, but it will happen gradually."

He adds that his sense is the industry overall is at a plateau in terms of an expansion.

Endpoint security is one sector where fallout is likely, Mathew says. "CrowdStrike is an endpoint company in our portfolio. At last count, there were 100 endpoint vendors - and not all of them will survive."

The security industry is currently undergoing a massive shift in the type of products and services customers are seeking and, as a result, as with any industry facing a large shift consolidation usually accompanies it, says Martin Casado, a general partner with venture capital firm Andreessen Horowitz. But that consolidation is usually followed by an explosion of new players similar to an occurrence of a Cambrian explosion, he adds. (A Cambrian explosion is the evolutionary burst that is believed to have created most major animal groups).

Strong Startup Partners

Startups offer a range of intriguing solutions for enterprises, ranging from next-gen antivirus to machine learning. Many startups promise to solve cybersecurity problems that still plague organizations, often with technology that is faster and cheaper than current alternatives.

But the harsh reality is that 25% of startups across all industries fail after the first year and 44% by the third, according to figures from Statistic Brain Research Institute. And in the information technology sector, specifically, only 37% are still operating after four years, the Statistic Brain report notes.

The question for enterprises, then, is how to choose a security startup that not only has good technology, but that will still be around to support it in a few years.

One data point is to look at emerging technologies that seem to be garnering the most traction among venture capitalists, who will help their financial future until they are ready to fly solo.

One factor to look for is the startup's ability to cut down on the noise in security operations, experts say. "The market is shifting to simplification. We now have more alerts than people want to deal with, so they are seeking ways to simplify the security operations center [SOC]," Casado says. Security for industrial IoT and physical security for drones, smart cameras, and smart locks are also areas to watch, he states.  

Consolidation of security technology in the data center is another shift occurring in the security industry, says Mathew. He notes customers want to standardize their security products across fewer platforms. Over a period of time, customers want to try everything, but then switch to just a few vendors, Mathew says.

Other security technologies that are catching attention include security detection and mitigation technology, along with application security, BYOD security, and intelligence and analytics security technologies, say industry analysts and experts.

Not Just a Technology Issue

Enterprises should not only evaluate a startup's technology, but its financial standing and its management before entering into a multi-year contract with a young company, experts say.

For example, evaluate the caliber of the venture capitalists who have invested in the company. Enterprises should ask themselves if it is a well-known, tier 1 venture capital company, says Aaron Jacobson, a principal at venture firm New Enterprise Associates (NEA).

Another critical area to consider is the experience of the management team.

"When you look at the management team, it helps if they have domain expertise, or have been a successful security entrepreneur in the past that is able to attract continued funding," Jacobson says. "Serial entrepreneurs will be more likely to make that company successful."                                                                                              

Request the startup's customer list and specifically look for organizations that are of similar size, industry, geography, and face common problems as your own organization, Mathew advises. Jacobson also noted companies need to ask the startup when was the last time they signed up a customer - if it has been awhile, then that should raise a red flag,

Members of the security industry can also be a valuable resource. "The security industry is a tight, close-knit group of people and you should talk to those in the industry who you respect and see if they have ever used the startup before," Mathew says.

Enterprises should also look for signs that a startup may soon be going under. One sign is an inability to raise another funding round from previous or new investors, Jacobson says.

"You should ask how long it's been since they raised money and did it come from existing investors," Jacobson says. "If they've had a lot of change in management and can't get investors, then that is a sign things are not going well."

Future Cybersecurity Startup Market

Before plunging into a contract to secure solutions or services from a cybersecurity startup, organizations should ask these five key questions:

  • When did your organization receive its last funding round and did it come from existing investors?
  • Who are your investors?
  • Can you tell me about your management team and their experience in this industry and running a startup?
  • How long has each of your management team members been with the company and did they replace someone?
  • Can you provide me a customer list and tell me the last time you signed up a customer?

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Anabraga
50%
50%
Anabraga,
User Rank: Apprentice
12/31/2017 | 3:37:16 PM
perfect
perfect Dawn Kawamoto excellent article :)
How to Attract More Women Into Cybersecurity - Now
Dawn Kawamoto, Associate Editor, Dark Reading,  1/12/2018
Researchers Offer a 'VirusTotal for ICS'
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/16/2018
Which CISO 'Tribe' Do You Belong To?
Kelly Sheridan, Associate Editor, Dark Reading,  1/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.