Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:10 AM

Rapid Growth in Security Market Raises Question: How to Pick a Startup

VCs weigh in with their advice on how to select a startup with staying power when purchasing security solutions and services.

VCs have invested more than $2.7 billion into cybersecurity companies so far this year, funding a new round of startups in a market that already supports more than 1,400 vendors, according to estimates. Most experts agree that despite skyrocketing market growth, not all of these startups will survive.

For enterprises, the rapid growth of startups and new ventures presents an opportunity to find better, faster and cheaper solutions to security challenges. But it also presents a dilemma: how to choose startups that will be around for the long haul.

Market Growth

Information security spending is expected to surge to $101 billion by 2020 – up 36.5% from 2016 figures, according to IDC. Meanwhile, nearly 40% of organizations surveyed in Dark Reading's 2017 Security Spending Survey Report indicated they expect to spend 10% or more of their IT budgets on cybersecurity.

But rapid market growth doesn't automatically translate to success for the many startups entering the market. In fact, many venture capitalists believe a number of today's startups will eventually fail.

"Venture money is shifting to the winners in each category and those winners will get bigger. We're starting to see this shift happen now. What could eventually happen is some companies in this space will fall out and not survive," says Arun Mathew, a partner at venture capital firm Accel Partners. "Five years from now, it is more likely than not that we'll see fewer security companies than we do now, but it will happen gradually."

He adds that his sense is the industry overall is at a plateau in terms of an expansion.

Endpoint security is one sector where fallout is likely, Mathew says. "CrowdStrike is an endpoint company in our portfolio. At last count, there were 100 endpoint vendors - and not all of them will survive."

The security industry is currently undergoing a massive shift in the type of products and services customers are seeking and, as a result, as with any industry facing a large shift consolidation usually accompanies it, says Martin Casado, a general partner with venture capital firm Andreessen Horowitz. But that consolidation is usually followed by an explosion of new players similar to an occurrence of a Cambrian explosion, he adds. (A Cambrian explosion is the evolutionary burst that is believed to have created most major animal groups).

Strong Startup Partners

Startups offer a range of intriguing solutions for enterprises, ranging from next-gen antivirus to machine learning. Many startups promise to solve cybersecurity problems that still plague organizations, often with technology that is faster and cheaper than current alternatives.

But the harsh reality is that 25% of startups across all industries fail after the first year and 44% by the third, according to figures from Statistic Brain Research Institute. And in the information technology sector, specifically, only 37% are still operating after four years, the Statistic Brain report notes.

The question for enterprises, then, is how to choose a security startup that not only has good technology, but that will still be around to support it in a few years.

One data point is to look at emerging technologies that seem to be garnering the most traction among venture capitalists, who will help their financial future until they are ready to fly solo.

One factor to look for is the startup's ability to cut down on the noise in security operations, experts say. "The market is shifting to simplification. We now have more alerts than people want to deal with, so they are seeking ways to simplify the security operations center [SOC]," Casado says. Security for industrial IoT and physical security for drones, smart cameras, and smart locks are also areas to watch, he states.  

Consolidation of security technology in the data center is another shift occurring in the security industry, says Mathew. He notes customers want to standardize their security products across fewer platforms. Over a period of time, customers want to try everything, but then switch to just a few vendors, Mathew says.

Other security technologies that are catching attention include security detection and mitigation technology, along with application security, BYOD security, and intelligence and analytics security technologies, say industry analysts and experts.

Not Just a Technology Issue

Enterprises should not only evaluate a startup's technology, but its financial standing and its management before entering into a multi-year contract with a young company, experts say.

For example, evaluate the caliber of the venture capitalists who have invested in the company. Enterprises should ask themselves if it is a well-known, tier 1 venture capital company, says Aaron Jacobson, a principal at venture firm New Enterprise Associates (NEA).

Another critical area to consider is the experience of the management team.

"When you look at the management team, it helps if they have domain expertise, or have been a successful security entrepreneur in the past that is able to attract continued funding," Jacobson says. "Serial entrepreneurs will be more likely to make that company successful."                                                                                              

Request the startup's customer list and specifically look for organizations that are of similar size, industry, geography, and face common problems as your own organization, Mathew advises. Jacobson also noted companies need to ask the startup when was the last time they signed up a customer - if it has been awhile, then that should raise a red flag,

Members of the security industry can also be a valuable resource. "The security industry is a tight, close-knit group of people and you should talk to those in the industry who you respect and see if they have ever used the startup before," Mathew says.

Enterprises should also look for signs that a startup may soon be going under. One sign is an inability to raise another funding round from previous or new investors, Jacobson says.

"You should ask how long it's been since they raised money and did it come from existing investors," Jacobson says. "If they've had a lot of change in management and can't get investors, then that is a sign things are not going well."

Future Cybersecurity Startup Market

Before plunging into a contract to secure solutions or services from a cybersecurity startup, organizations should ask these five key questions:

  • When did your organization receive its last funding round and did it come from existing investors?
  • Who are your investors?
  • Can you tell me about your management team and their experience in this industry and running a startup?
  • How long has each of your management team members been with the company and did they replace someone?
  • Can you provide me a customer list and tell me the last time you signed up a customer?

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/31/2017 | 3:37:16 PM
perfect Dawn Kawamoto excellent article :)
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.