Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/17/2016
12:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

How To Become A Cybersecurity Entrepreneur In A Crowded Market

If you want to build the next great cybersecurity startup, use your expertise, then follow these three simple suggestions.

Declines in venture funding often paralyze the technology community. Talk of bubbles, dying unicorns, and austerity can surge for weeks following a negative report. In response, many entrepreneurs hit pause on their dreams, believing they should wait for more favorable conditions. That approach is often misguided. 

In our work as venture capital investors, we see this dynamic in the cybersecurity market today. In July, tech market analysts at CB Insights predicted that 2016 will see $3B in cybersecurity funding with over 300 deals. A year earlier, in 2015, analysts saw $3.75B invested in 336 cybersecurity deals. Barring some miracle, investments will continue to decline year over year.

When we drilled into the CB Insights data, we found an important discrepancy. The relative volumes of Series A, B, C, D, and E+ rounds have not changed significantly in 2016. In fact, the deal share of Series A rounds increased three percent. Conversely, ‘Seed’ and ‘Angel’ deals declined from 37 percent to 31 percent, a five-year low. This trend suggests that incumbents have doubled down in crowded niches, and would-be founders have hesitated.

Counterintuitively, the downturn in funding could offer ideal conditions for entrepreneurs. To find out, let’s begin with a question: What’s behind this decrease in early-stage investments? There are several factors:

Known Areas of Security Became Crowded with Strong Players
Established verticals like endpoint protection and network security are oversaturated. Even newer markets like SCADA security and cyber deception have at least 10 to 20 vendors each. VCs prefer not to support new startups in red oceans. Thus, funding in these areas has and will continue to decline.

CISOs Are Overwhelmed by the Variety of Solutions
Thanks to the dense competition, chief information security officers (CISOs) are overwhelmed with options, and that affects funding. Every day, cybersecurity startups bombard CISOs with dozens of similar products. That creates an undue burden on CISOs who don’t have the time to evaluate, purchase, and maintain a basket of point solutions. They’d rather choose broad platforms from established vendors. Frankly, a brand-name cybersecurity platform is easier to justify to shareholders, board members, and fellow executives. With CISOs hesitant to choose early-stage startups, VCs have scaled back funding.  

Non-specialized investors wanted in
Perhaps most tellingly, investors without cybersecurity experience entered the market when it was bullish. Lacking the expertise to evaluate cybersecurity technologies, they financed startups with minimal differentiation and questionable leadership. The consequent bloating of valuations and over-saturation raised the costs of marketing, sales, and talent acquisition for everyone. Funding has slowed, in part, because it peaked unnaturally. Experienced cybersecurity investors want to let crowded cybersecurity markets fizzle.

So, if you’re a wannabe entrepreneur on the fence of launching a cybersecurity startup, is now really the time to do it? Absolutely yes.

Remember, funding conditions don’t change cybersecurity’s raison d'être. Breaches happen daily, and cybercrime will cost businesses over $2 trillion annually by 2019, according to Juniper Research. Think about what we expressed above: your would-be competitors are likely stuck in red oceans and might lack access to additional funding. Right now, you can choose a blue ocean and face less competition than you would in bullish conditions.

Consider, too, that enterprises face a global shortage of cybersecurity talent. According to Cisco, the world has 1 million unfilled cybersecurity jobs, and that number could reach 1.5 million by 2019. Peninsula Press estimates that the U.S. alone has 209,000 vacant roles. When we consult our network of high-caliber CISOs, they consistently voice demand for solutions that manage, orchestrate, and automate cybersecurity. Enterprises can’t adopt new technologies and compensate for the talent deficit – not without advances in cybersecurity. 

Takeaways and Opportunities for the Security Pro
That dilemma raises an interesting challenge for enterprise security professionals as new technologies spur the need for new and innovative security solutions.  

Cybersecurity almost always finds a new market two to three years after a disruptive technology emerges. Virtual containers, autonomous vehicles, and drones, for instance, have created some of the latest and greatest opportunities in cybersecurity. Right now, someone is inventing a technology that will spawn massive security issues. Who better to spot it than you? Why not make your move while capital is tied down in yesterday’s cybersecurity solutions? Why not approach CISOs with technologies they haven’t seen?  

If you want to build the next great cybersecurity startup, we offer several suggestions:

First, recognize that brilliant technology doesn’t equate to a great product or viable business model. Perform due diligence on the markets in which you see opportunities. Build to sell, otherwise VCs will pass.

Second, understand the thin line between an emerging space and a non-existent one. The examples we mentioned – autonomous vehicles, virtual containers, and drones – they were nonexistent only a couple of years ago. Their security was an afterthought, and afterthoughts can make billion-dollar businesses.

However, if you create a technology before the market is ripe, you’ll spend precious capital educating the world on a problem that doesn’t exist. And then, if that problem does come to fruition, the second wave of startups will reap the benefits of your spending and hard work.   

Third, build platforms, not features. As mentioned, CISOs have had enough with point solutions, which are what startups initially make. Even when you’re small, think big. Initially, design your solution to integrate with common security portfolios. In the long term, solve a set of interrelated problems. Among CISOs, you want a reputation for handling all security dimensions of an indispensable technology.  

With the right team and point of view, entrepreneurs can thrive in cybersecurity, and tight funding can even provide a competitive edge because cybersecurity is not a fad, it’s a central problem of digital society. If you’re on the fence, that notion should give you comfort. Let tough funding conditions be a source of opportunity, not paralysis.

Iren Reznikov  of YL Ventures also contributed to this article.

Related Content:

 

Yoav Leitersdorf and Ofer Schreiber are Managing Partner and Partner, respectively, at YL Ventures, which invests early in cybersecurity, cloud computing, big data, and software-as-a-service software companies, and accelerates their evolution via strategic advice and Silicon ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lucysecurity
50%
50%
lucysecurity,
User Rank: Apprentice
10/23/2016 | 2:54:26 PM
Is the Cybersecurity Market really crowded?
Thank you for this interesting article! We're sad to hear that there is a decreasing amount of early-stage investements. But we're not shure if it is due the factors you mentioned
  • Known Areas of Security Became Crowded with Strong Players: We absolutely agree that there is a kind of saturation. But when you look at the products and services from a closer view, then you'll recognize that the offerings often base on old fashioned concepts (acronym 1.0) and most of the stuff is absolutely overpriced. There's an huge space for innovation, the market is not ready for consolidation and amazonification yet.
  • CISOs are Overwhelmed by Variety: This is not in line with our perception. As a Software product company for IT-Security Awareness Products the CISO is one of our main buyer personas or at least an important influencer. Those CSOs we're in contact do not look like that they are overrun with products or services.
  • Non-specialized investors in the security market: The only thing we can say is that we've been approached by non-specialized investors only! And we are definitively a cybersecurity startup (okay, we're Swiss...)


We absolutely agree on the opportunities you mentioned. Of course you should build cybersecurity platforms and you are right that great technology only is not a sellable product or a viable business model. And of course, timing is elementary, don't be to early and not to late. We're convinced, that the time is right for real products, which can be bought and used out of the box with no or low consulting services on top - and which VCs will love!

Best regards, Palo from LUCY
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.