Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:10 AM

Rapid Growth in Security Market Raises Question: How to Pick a Startup

VCs weigh in with their advice on how to select a startup with staying power when purchasing security solutions and services.

VCs have invested more than $2.7 billion into cybersecurity companies so far this year, funding a new round of startups in a market that already supports more than 1,400 vendors, according to estimates. Most experts agree that despite skyrocketing market growth, not all of these startups will survive.

For enterprises, the rapid growth of startups and new ventures presents an opportunity to find better, faster and cheaper solutions to security challenges. But it also presents a dilemma: how to choose startups that will be around for the long haul.

Market Growth

Information security spending is expected to surge to $101 billion by 2020 – up 36.5% from 2016 figures, according to IDC. Meanwhile, nearly 40% of organizations surveyed in Dark Reading's 2017 Security Spending Survey Report indicated they expect to spend 10% or more of their IT budgets on cybersecurity.

But rapid market growth doesn't automatically translate to success for the many startups entering the market. In fact, many venture capitalists believe a number of today's startups will eventually fail.

"Venture money is shifting to the winners in each category and those winners will get bigger. We're starting to see this shift happen now. What could eventually happen is some companies in this space will fall out and not survive," says Arun Mathew, a partner at venture capital firm Accel Partners. "Five years from now, it is more likely than not that we'll see fewer security companies than we do now, but it will happen gradually."

He adds that his sense is the industry overall is at a plateau in terms of an expansion.

Endpoint security is one sector where fallout is likely, Mathew says. "CrowdStrike is an endpoint company in our portfolio. At last count, there were 100 endpoint vendors - and not all of them will survive."

The security industry is currently undergoing a massive shift in the type of products and services customers are seeking and, as a result, as with any industry facing a large shift consolidation usually accompanies it, says Martin Casado, a general partner with venture capital firm Andreessen Horowitz. But that consolidation is usually followed by an explosion of new players similar to an occurrence of a Cambrian explosion, he adds. (A Cambrian explosion is the evolutionary burst that is believed to have created most major animal groups).

Strong Startup Partners

Startups offer a range of intriguing solutions for enterprises, ranging from next-gen antivirus to machine learning. Many startups promise to solve cybersecurity problems that still plague organizations, often with technology that is faster and cheaper than current alternatives.

But the harsh reality is that 25% of startups across all industries fail after the first year and 44% by the third, according to figures from Statistic Brain Research Institute. And in the information technology sector, specifically, only 37% are still operating after four years, the Statistic Brain report notes.

The question for enterprises, then, is how to choose a security startup that not only has good technology, but that will still be around to support it in a few years.

One data point is to look at emerging technologies that seem to be garnering the most traction among venture capitalists, who will help their financial future until they are ready to fly solo.

One factor to look for is the startup's ability to cut down on the noise in security operations, experts say. "The market is shifting to simplification. We now have more alerts than people want to deal with, so they are seeking ways to simplify the security operations center [SOC]," Casado says. Security for industrial IoT and physical security for drones, smart cameras, and smart locks are also areas to watch, he states.  

Consolidation of security technology in the data center is another shift occurring in the security industry, says Mathew. He notes customers want to standardize their security products across fewer platforms. Over a period of time, customers want to try everything, but then switch to just a few vendors, Mathew says.

Other security technologies that are catching attention include security detection and mitigation technology, along with application security, BYOD security, and intelligence and analytics security technologies, say industry analysts and experts.

Not Just a Technology Issue

Enterprises should not only evaluate a startup's technology, but its financial standing and its management before entering into a multi-year contract with a young company, experts say.

For example, evaluate the caliber of the venture capitalists who have invested in the company. Enterprises should ask themselves if it is a well-known, tier 1 venture capital company, says Aaron Jacobson, a principal at venture firm New Enterprise Associates (NEA).

Another critical area to consider is the experience of the management team.

"When you look at the management team, it helps if they have domain expertise, or have been a successful security entrepreneur in the past that is able to attract continued funding," Jacobson says. "Serial entrepreneurs will be more likely to make that company successful."                                                                                              

Request the startup's customer list and specifically look for organizations that are of similar size, industry, geography, and face common problems as your own organization, Mathew advises. Jacobson also noted companies need to ask the startup when was the last time they signed up a customer - if it has been awhile, then that should raise a red flag,

Members of the security industry can also be a valuable resource. "The security industry is a tight, close-knit group of people and you should talk to those in the industry who you respect and see if they have ever used the startup before," Mathew says.

Enterprises should also look for signs that a startup may soon be going under. One sign is an inability to raise another funding round from previous or new investors, Jacobson says.

"You should ask how long it's been since they raised money and did it come from existing investors," Jacobson says. "If they've had a lot of change in management and can't get investors, then that is a sign things are not going well."

Future Cybersecurity Startup Market

Before plunging into a contract to secure solutions or services from a cybersecurity startup, organizations should ask these five key questions:

  • When did your organization receive its last funding round and did it come from existing investors?
  • Who are your investors?
  • Can you tell me about your management team and their experience in this industry and running a startup?
  • How long has each of your management team members been with the company and did they replace someone?
  • Can you provide me a customer list and tell me the last time you signed up a customer?

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/31/2017 | 3:37:16 PM
perfect Dawn Kawamoto excellent article :)
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-23
Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse...
PUBLISHED: 2021-04-23
Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after t...
PUBLISHED: 2021-04-23
Overly relaxed configuration of frontend resources server in Vaadin Designer versions 4.3.0 through 4.6.3 allows remote attackers to access project sources via crafted HTTP request.
PUBLISHED: 2021-04-23
Wowza Streaming Engine through 4.8.5 (in a default installation) has cleartext passwords stored in the conf/admin.password file. A regular local user is able to read usernames and passwords.
PUBLISHED: 2021-04-23
Wowza Streaming Engine through 4.8.5 (in a default installation) has incorrect file permissions of configuration files in the conf/ directory. A regular local user is able to read and write to all the configuration files, e.g., modify the application server configuration.