Second of two articles in a series on venture capital in security. The first installment is "Venture Capital: The Lifeblood Behind Security Innovation."
One of security's most overused axioms is that "there’s no silver bullet" to cure all ills. But what if, someday, a silver bullet security product is developed? Who would be the first to know about the industry’s most revolutionary new technology?
The answer is simple: Follow the money. The road to security’s "next big thing" will almost certainly go through the investment firms that fund such new ventures. If you want to know where security technology is going -- and where it’s not -- it pays to do some research on what the industry’s top venture capital companies are doing.
Every day, VC investment firms that focus on cyber security meet with emerging companies that need cash to bring their products to market. Hundreds of startup firms pitch VCs in the shark tank, hawking everything from harebrained schemes to highly viable technologies already deep in beta test. The startups that make it through this filter -- and win the big investment money -- will be tomorrow’s most disruptive new vendors.
"One of the things that many enterprises overlook when they’re investigating new technologies is doing some due diligence on their financial viability," says David Cowan, a partner at Bessemer Venture Partners, which has funded some 32 IT security startups. "Any startup you’re considering will probably be losing money when you first meet with them. You want to know who are the VCs behind them -- that will give you a pretty good indicator on what their chances are."
Much like the enterprises that take a leap of faith by buying technology from a startup, VCs kiss a lot of frogs before they find the few emerging firms that will receive their millions of investment dollars. The prospective winners typically run a series of gauntlets before they hit it big, first auditioning for tens of thousands in angel funding, then auditioning again for a million or three in Series A. By the time you read about a startup receiving $10 million or more in Series B or C, its founding fathers have usually made dozens, if not hundreds, of presentations and demonstrations to prospective investors.
MACH37, a "cyber accelerator" organization that funds and trains entrepreneurs and young security companies on how to develop their ideas and bring them to market, offers a modest $50,000 to potential startups that enter its programs in the spring and fall. Just a few weeks ago, MACH37 announced that it has funded five startups from a list of more than 40 applicants -- all of them in their earliest stages of development.
"What we’re looking for is companies that have a concept that is solving real-world problems and that are truly different from what already exists out there," says Rick Gordon, managing partner of MACH37. "We know about the problems that enterprises are facing -- BYOD, cloud security, SDN. What we are looking for are companies that could potentially claim a significant portion of the market."
A startup that makes it through MACH37’s program or an angel funding round might then be considered for a larger round of funding by a VC firm such as Bessemer, Accel Partners, AGS, or Sequoia Capital. Many VC firms have programs in which they will meet with enterprise IT people and introduce them personally to security startups that might be a good fit.
"Today, if you’re an IT executive and you’re not doing a West Coast sweep of the VC companies, you’re missing some great opportunities," says George Kurtz, CEO and co-founder of emerging security firm CrowdStrike and a veteran entrepreneur in the security industry. "The VCs are in a great position to help you filter out the right startups to work with -- they’ve seen every company and heard every story. They understand the startups’ financial position and their long-term strategy. It’s a great way to vet the [startups] you might be considering bringing in."
Meetings with enterprise IT people are essential to VCs because they provide insight on key pain points and on the central security problems that enterprises are trying to solve. Through multiple conversations with CIOs and CSOs, venture capitalists form a picture of the security problem that eventually helps them decide which startups have a chance to make it big and which ones don’t.
"Before we invested in CrowdStrike, we talked to a lot of CIOs and asked their impressions of the problem and where they were feeling the pain," says Sameer Gandhi, a partner at Accel Partners, which has also funded many other startups that are well known today, such as Lookout, Tenable, and Sonatype. "One of the reasons we were excited about CrowdStrike was that we felt that they were working on a problem that a lot of enterprises have but that none of the incumbent vendors was currently able to solve. That’s something we were able to recognize by talking to CIOs."
Even if you don’t work for a large enterprise that might be invited to meet with a VC firm, you can use the intelligence gathered by VCs to help you choose the right startups to work with, experts say. Some VC companies have strong track records for consistently backing successful security startups, while others are still new at the game, they note. A wise security professional will consider a startup’s venture funding partners before climbing into bed with them.
Venture capital companies may also publish reports on industry trends that offer hints as to which problems they’ve identified and which categories of companies they are thinking about investing in, experts say. If several VCs have identified the same security trend and are putting their dollars behind it, it’s usually a good sign that products in that category are "safe" and that working with a startup might be an option.
But not all VCs that have invested in cyber security are highly savvy about the market, notes Adam Ghetti, co-founder and CEO of startup Ionic Security. "There are a lot of VCs in the space, but there are very few that really get it from all sides," Ghetti says. "There are security startups that can build a good business and sell at $100M, and there are security startups that have the potential to change the whole platform as we know it. Not all VCs understand that nuance."
And there are some organizations, such as the Security Innovation Network (SINET), that help enterprises to vet the plethora of startups on the market and identify those with promise. In 2010, SINET chose FireEye Inc. -- then a new company that had some innovative ideas about identifying zero-day malware -- as one of 16 emerging companies to feature in its annual showcase. Today, FireEye is one of the best-known and most highly capitalized companies in the security industry.
While many enterprises remain reluctant to invest in startup technologies for functions as important as security, that conservatism may be unwarranted, according to Bessemer’s Cowan.
"I’m not sure the risk is as great as enterprises might think," Cowan says. "If you look at what happens to startups, very few of them ever really disappear. They might get acquired, but even if that happens, they’re usually still supported. And the cost of switching vendors in security is still relatively low -- it’s not like most companies have a huge legacy of products that they would have to replace.
"In fact, there are some advantages to getting in and working with a startup early. For one thing, when you work with a startup, you get their full attention -- they may not have very many customers, so you’re high on their priority list. The key is to find startups that are transparent about what they do. If they won’t tell you how their technology works, that’s not a good sign."
Unlike hardware or operating systems, security is not a market that lends itself to "durable" solutions, Cowan observes. The pace of cyberattacks and the rapid evolution of defenses don’t favor a long-term solution, so choosing an established vendor isn’t necessarily a better choice than choosing a startup.
"The best you can ever do in cyber security is to tread water," says Cowan. "The best solution today will not be the best solution five years from now. Your best option is to stay flexible."