How Enterprises Can Harvest The Knowledge Of Security-Focused Venture Capitalists

Tomorrow's game-changing security startups are meeting with investors today. Here are some tips on how you can take advantage of smart guidance from venture funding firms.

Second of two articles in a series on venture capital in security. Read the first installment, Venture Capital: The Lifeblood Behind Security Innovation, here.

One of security's most overused axioms is that "there’s no silver bullet" to cure all ills. But what if, someday, a silver bullet security product is developed? Who would be the first to know about the industry’s most revolutionary new technology?

The answer is simple: Follow the money. The road to security’s "next big thing" will almost certainly go through the investment firms that fund such new ventures. If you want to know where security technology is going -- and where it’s not -- it pays to do some research on what the industry’s top venture capital companies are doing.

Every day, VC investment firms that focus on cyber security meet with emerging companies that need cash to bring their products to market. Hundreds of startup firms pitch VCs in the shark tank, hawking everything from harebrained schemes to highly viable technologies already deep in beta test. The startups that make it through this filter -- and win the big investment money -- will be tomorrow’s most disruptive new vendors.

"One of the things that many enterprises overlook when they’re investigating new technologies is doing some due diligence on their financial viability," says David Cowan, a partner at Bessemer Venture Partners, which has funded some 32 IT security startups. "Any startup you’re considering will probably be losing money when you first meet with them. You want to know who are the VCs behind them -- that will give you a pretty good indicator on what their chances are."

Much like the enterprises that take a leap of faith by buying technology from a startup, VCs kiss a lot of frogs before they find the few emerging firms that will receive their millions of investment dollars. The prospective winners typically run a series of gauntlets before they hit it big, first auditioning for tens of thousands in angel funding, then auditioning again for a million or three in Series A. By the time you read about a startup receiving $10 million or more in Series B or C, its founding fathers have usually made dozens, if not hundreds, of presentations and demonstrations to prospective investors.

MACH37, a "cyber accelerator" organization that funds and trains entrepreneurs and young security companies on how to develop their ideas and bring them to market, offers a modest $50,000 to potential startups that enter its programs in the spring and fall. Just a few weeks ago, MACH37 announced that it has funded five startups from a list of more than 40 applicants -- all of them in their earliest stages of development.

"What we’re looking for is companies that have a concept that is solving real-world problems and that are truly different from what already exists out there," says Rick Gordon, managing partner of MACH37. "We know about the problems that enterprises are facing -- BYOD, cloud security, SDN. What we are looking for are companies that could potentially claim a significant portion of the market."

A startup that makes it through MACH37’s program or an angel funding round might then be considered for a larger round of funding by a VC firm such as Bessemer, Accel Partners, AGS, or Sequoia Capital. Many VC firms have programs in which they will meet with enterprise IT people and introduce them personally to security startups that might be a good fit.

"Today, if you’re an IT executive and you’re not doing a West Coast sweep of the VC companies, you’re missing some great opportunities," says George Kurtz, CEO and co-founder of emerging security firm CrowdStrike and a veteran entrepreneur in the security industry. "The VCs are in a great position to help you filter out the right startups to work with -- they’ve seen every company and heard every story. They understand the startups’ financial position and their long-term strategy. It’s a great way to vet the [startups] you might be considering bringing in."

Meetings with enterprise IT people are essential to VCs because they provide insight on key pain points and on the central security problems that enterprises are trying to solve. Through multiple conversations with CIOs and CSOs, venture capitalists form a picture of the security problem that eventually helps them decide which startups have a chance to make it big and which ones don’t.

"Before we invested in CrowdStrike, we talked to a lot of CIOs and asked their impressions of the problem and where they were feeling the pain," says Sameer Gandhi, a partner at Accel Partners, which has also funded many other startups that are well known today, such as Lookout, Tenable, and Sonatype. "One of the reasons we were excited about CrowdStrike was that we felt that they were working on a problem that a lot of enterprises have but that none of the incumbent vendors was currently able to solve. That’s something we were able to recognize by talking to CIOs."

Even if you don’t work for a large enterprise that might be invited to meet with a VC firm, you can use the intelligence gathered by VCs to help you choose the right startups to work with, experts say. Some VC companies have strong track records for consistently backing successful security startups, while others are still new at the game, they note. A wise security professional will consider a startup’s venture funding partners before climbing into bed with them.

Venture capital companies may also publish reports on industry trends that offer hints as to which problems they’ve identified and which categories of companies they are thinking about investing in, experts say. If several VCs have identified the same security trend and are putting their dollars behind it, it’s usually a good sign that products in that category are "safe" and that working with a startup might be an option.

But not all VCs that have invested in cyber security are highly savvy about the market, notes Adam Ghetti, co-founder and CEO of startup Ionic Security. "There are a lot of VCs in the space, but there are very few that really get it from all sides," Ghetti says. "There are security startups that can build a good business and sell at $100M, and there are security startups that have the potential to change the whole platform as we know it. Not all VCs understand that nuance."

And there are some organizations, such as the Security Innovation Network (SINET), that help enterprises to vet the plethora of startups on the market and identify those with promise. In 2010, SINET chose FireEye Inc. -- then a new company that had some innovative ideas about identifying zero-day malware -- as one of 16 emerging companies to feature in its annual showcase. Today, FireEye is one of the best known and most highly capitalized companies in the security industry.

While many enterprises remain reluctant to invest in startup technologies for functions as important as security, that conservatism may be unwarranted, according to Bessemer’s Cowan.

"I’m not sure the risk is as great as enterprises might think," Cowan says. "If you look at what happens to startups, very few of them ever really disappear. They might get acquired, but even if that happens, they’re usually still supported. And the cost of switching vendors in security is still relatively low -- it’s not like most companies have a huge legacy of products that they would have to replace.

"In fact, there are some advantages to getting in and working with a startup early. For one thing, when you work with a startup, you get their full attention -- they may not have very many customers, so you’re high on their priority list. The key is to find startups that are transparent about what they do. If they won’t tell you how their technology works, that’s not a good sign."

Unlike hardware or operating systems, security is not a market that lends itself to "durable" solutions, Cowan observes. The pace of cyberattacks and the rapid evolution of defenses don’t favor a long-term solution, so choosing an established vendor isn’t necessarily a better choice than choosing a startup.

"The best you can ever do in cyber security is to tread water," says Cowan. "The best solution today will not be the best solution five years from now. Your best option is to stay flexible."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

User Rank: Strategist
5/8/2014 | 9:39:48 PM
Re: Cyber Security Solutions - Innovation Trumps Size
Great points, Bob -- you answered some of the questions I raised in the comments in response to your remarks at the end of my Part 1 story! I do think that the relationship between security executives and venture investors like yourself is one that has huge potential for benefit on BOTH sides, and I hope that Dark Reading can facilitate more discussion between security-focused VCs and security professionals such as those in our community. I hope you'll continue to add your insight to our news and analysis pieces!
User Rank: Apprentice
5/8/2014 | 8:24:19 PM
Cyber Security Solutions - Innovation Trumps Size

Nice follow-up piece, Tim. As a venture capital investor in cyber security innovation, we spend a lot of time with enterprise customers to: 1) understand where they see the threat vectors based on their technology infrastructure and business profile, and 2) to seek input into the opportunities we are evaluating. The symbiosis here is to draw connections between those with the problems and those looking to provide the solutions. Historically, enterprise customers have been reticent to purchase solutions from young companies for the reasons you articulated through your two pieces. Cyber is definitely an exception to that generalization. Frankly, the nature of cyber threats evolves and morphs faster than most legacy solution providers can track. Experienced customers understand this and turn to the start-up community out of necessity – they simply don't have a choice in many cases. The cutting edge innovation is coming out of Silicon Valley (and other innovation clusters) and the imperative to "get it right" with cyber security outweighs the risk of engaging with a start-up company in many cases. Look to the resignation of the Target CEO earlier this week when you think about the consequences of getting it wrong in cyber. Expect to see more of this in the future. Maybe this is a reason why you see groups like Blackstone actually setting aside a pool of capital to engage and work with cutting edge cyber innovators to provide advanced cyber security solutions for their portfolio companies.

User Rank: Strategist
4/30/2014 | 4:28:01 PM
Re: Vested interest
Thanks Lorna, you make a great point. To get the full value of the VC community, you need to track multiple VCs and get their varying points of view. But it's still a lot easier to evaluate (in your scenario) four promising startups than to start from scratch and listen to pitches from dozens of unknowns. Another point I might make is that many startups, such as FireEye and CrowdStrike, are actually getting funding from multiple VCs, so it's not a one-sponsor, one-startup situation. If you see 3-4 VCs that know security backing a single startup, that's a good sign that there might be a there there.
User Rank: Strategist
4/30/2014 | 4:23:05 PM
Re: VC explosion
Great points, Kelly. Interestingly, according to numbers from Thomson Reuters, the number of security companies receiving funding was actually down slightly between 2012 and 2013 -- there were a lot of startups funded in the 2011-12 years. However, I think what we're noticing is that startups are getting a lot more traction than they did during those years -- a startup today has a real chance of breaking into an enterprise and building a business relatively quickly, as we saw with FireEye, Palo Alto Networks and CrowdStrike. There's a real opportunity for a new company to make the grade.
Kelly Jackson Higgins
User Rank: Strategist
4/30/2014 | 4:14:25 PM
VC explosion
There is a lot of VC activity going on lately in security. Nearly once a week, there's been a new VC funding announcement from one startup or another. I'm wondering how this compares with a year ago, or even six months ago.
Lorna Garey
User Rank: Ninja
4/30/2014 | 2:31:50 PM
Vested interest
Tim, Any given VC is going to have a strong incentive to recommend to enterprise CIOs/CISOs the startups it's invested in. So, you might visit four VCs asking about X problem and get four promising solutions. I guess that's actually better than the alternative, but how do you recommend sorting through the possibilities?  