VCs have invested more than $2.7 billion into cybersecurity companies so far this year, funding a new round of startups in a market that already supports more than 1,400 vendors, according to estimates. Most experts agree that despite skyrocketing market growth, not all of these startups will survive.
For enterprises, the rapid growth of startups and new ventures presents an opportunity to find better, faster and cheaper solutions to security challenges. But it also presents a dilemma: how to choose startups that will be around for the long haul.
Information security spending is expected to surge to $101 billion by 2020 – up 36.5% from 2016 figures, according to IDC. Meanwhile, nearly 40% of organizations surveyed in Dark Reading's 2017 Security Spending Survey Report indicated they expect to spend 10% or more of their IT budgets on cybersecurity.
But rapid market growth doesn't automatically translate to success for the many startups entering the market. In fact, many venture capitalists believe a number of today's startups will eventually fail.
"Venture money is shifting to the winners in each category and those winners will get bigger. We're starting to see this shift happen now. What could eventually happen is some companies in this space will fall out and not survive," says Arun Mathew, a partner at venture capital firm Accel Partners. "Five years from now, it is more likely than not that we'll see fewer security companies than we do now, but it will happen gradually."
He adds that his sense is the industry overall is at a plateau in terms of an expansion.
Endpoint security is one sector where fallout is likely, Mathew says. "CrowdStrike is an endpoint company in our portfolio. At last count, there were 100 endpoint vendors - and not all of them will survive."
The security industry is currently undergoing a massive shift in the type of products and services customers are seeking and, as a result, as with any industry facing a large shift consolidation usually accompanies it, says Martin Casado, a general partner with venture capital firm Andreessen Horowitz. But that consolidation is usually followed by an explosion of new players similar to an occurrence of a Cambrian explosion, he adds. (A Cambrian explosion is the evolutionary burst that is believed to have created most major animal groups).
Strong Startup Partners
Startups offer a range of intriguing solutions for enterprises, ranging from next-gen antivirus to machine learning. Many startups promise to solve cybersecurity problems that still plague organizations, often with technology that is faster and cheaper than current alternatives.
But the harsh reality is that 25% of startups across all industries fail after the first year and 44% by the third, according to figures from Statistic Brain Research Institute. And in the information technology sector, specifically, only 37% are still operating after four years, the Statistic Brain report notes.
The question for enterprises, then, is how to choose a security startup that not only has good technology, but that will still be around to support it in a few years.
One data point is to look at emerging technologies that seem to be garnering the most traction among venture capitalists, who will help their financial future until they are ready to fly solo.
One factor to look for is the startup's ability to cut down on the noise in security operations, experts say. "The market is shifting to simplification. We now have more alerts than people want to deal with, so they are seeking ways to simplify the security operations center [SOC]," Casado says. Security for industrial IoT and physical security for drones, smart cameras, and smart locks are also areas to watch, he states.
Consolidation of security technology in the data center is another shift occurring in the security industry, says Mathew. He notes customers want to standardize their security products across fewer platforms. Over a period of time, customers want to try everything, but then switch to just a few vendors, Mathew says.
Other security technologies that are catching attention include security detection and mitigation technology, along with application security, BYOD security, and intelligence and analytics security technologies, say industry analysts and experts.
Not Just a Technology Issue
Enterprises should not only evaluate a startup's technology, but its financial standing and its management before entering into a multi-year contract with a young company, experts say.
For example, evaluate the caliber of the venture capitalists who have invested in the company. Enterprises should ask themselves if it is a well-known, tier 1 venture capital company, says Aaron Jacobson, a principal at venture firm New Enterprise Associates (NEA).
Another critical area to consider is the experience of the management team.
"When you look at the management team, it helps if they have domain expertise, or have been a successful security entrepreneur in the past that is able to attract continued funding," Jacobson says. "Serial entrepreneurs will be more likely to make that company successful."
Request the startup's customer list and specifically look for organizations that are of similar size, industry, geography, and face common problems as your own organization, Mathew advises. Jacobson also noted companies need to ask the startup when was the last time they signed up a customer - if it has been awhile, then that should raise a red flag,
Members of the security industry can also be a valuable resource. "The security industry is a tight, close-knit group of people and you should talk to those in the industry who you respect and see if they have ever used the startup before," Mathew says.
Enterprises should also look for signs that a startup may soon be going under. One sign is an inability to raise another funding round from previous or new investors, Jacobson says.
"You should ask how long it's been since they raised money and did it come from existing investors," Jacobson says. "If they've had a lot of change in management and can't get investors, then that is a sign things are not going well."
Future Cybersecurity Startup Market
Before plunging into a contract to secure solutions or services from a cybersecurity startup, organizations should ask these five key questions:
- When did your organization receive its last funding round and did it come from existing investors?
- Who are your investors?
- Can you tell me about your management team and their experience in this industry and running a startup?
- How long has each of your management team members been with the company and did they replace someone?
- Can you provide me a customer list and tell me the last time you signed up a customer?