

06:56 PM
Mike Rothman

Follow The Dumb Security Money

When security companies raise big funding rounds and spend big bucks at security conferences, be afraid -- very afraid

It was amazing to see how excited folks were at the recent RSA Conference. Things were great! Every company was doing great! It was like hanging out with Tony the Tiger for a week. When things seem too good, they usually are and the contrarian in me goes into overdrive. I'm constantly looking for chinks in the armor, and over the past weekend I found it. I read two articles over the past week all excited that venture capital money is flowing back into security. We are now seeing security companies raising huge rounds of funding at what must be huge valuations. Being an analyst, I'm approached by lots of new security companies overflowing with VC cash, trying to get my attention. Having seen this cycle more than once, I know what time it is. It's the time when the dumb money returns to security.

The funding wave is usually driven by some new kind of overhyped problem, with dozens of companies launching largely the same ideas and technologies to solve said problems. In security we are fortunate to have three. Between anything "cyber," BYOD, and advanced malware (which really means keep the Chinese out), security has become a board-level issue. And who hangs out with CEOs and board members? Right, the VCs. So inevitably VCs get interested in the market sector, especially if they perceive innovation happening. Especially if that innovation is magical and hard to understand (like security) for the typical business school pukes, who inhabit the lower rungs of the VC food chain and chase most of the deals.

No, I'm not talking out of my backside. I spent the better part of a decade working with VCs, both as a company founder and as a senior executive in venture-funded start-ups. When I was the company founder, we had pretty smart money for the first two investment rounds. This was when the Internet bubble was just forming and the investors had lots of security and telecom experience. By the time we were ready for the third round, we needed more money and the Internet bubble was exploding. We looked for smart money, but they didn't like the valuation or our momentum (or lack thereof). We found some dumb money and got the deal done. To be clear, they weren't dumb guys, but they didn't understand the security business. They were smart guys with too much money, trying too hard to get exposure to a hot market sector.

Then we learned that our technology partners were going to screw us. And they did. At around the same time the Internet bubble popped, and we sold that company for the remaining money on the balance sheet. But I learned a lot, so there's that.

Why do I bring up my tattered history? Because we are likely to see the same cycle repeat. It seems all a company has to do is say they do "BYOD," have a network anti-malware gateway, or do something related to security big data, and they have VCs falling all over themselves to write checks. The companies will raise the money at valuations that are too high, setting expectations that are too high, and will need to spend like drunken sailors (for example, a 30x30 RSA Conference booth for a start-up) to perpetuate the myth of market leadership and momentum.

I've seen this movie before. So have you, but you may not have known that the catalyst for the crazy behavior was investors that paid too much to get a piece of these hot companies.

Contrast that with how smart VCs behave. These folks never left security. They've been in the market, usually as operating executives with extensive contacts with smart folks that build security products. They've been providing seed funding and early stage money for proven entrepreneurs for the past five years. You know, when security wasn't sexy. Before "cyber" became common CNN fodder. These investors provided the first money into companies like Palo Alto, even when it wasn't "cool" to build a new firewall. They stuck with a company like FireEye while they started and restarted three times to figure out and find their market. The smart VCs know the right security entrepreneurs and they will fund a company at any time, macroeconomics and hot market sectors be damned.

But even smart money isn't always right. I worked at a company that thought they were the next coming of Netscreen (you remember Netscreen, right?). They were wrong, but that didn't stop them from raising a lot of money at an insane valuation with a very smart VC leading the investment. That company ran into some challenges, which had nothing to do with hiring me as the marketing guy. That's my story and I'm sticking to it. They eventually got acquired, but the investors didn't make much money on that deal. Mostly because they bought too high and couldn't sell for enough to make it work. Even smart VCs don't always hit a home run, but they hit a lot of singles and doubles.

Turns out the dumb ones pretty much never hit home runs, and they don't hit many singles, either. When the lemmings start jumping into the frigid waters of security investing, it means the market is ready for a correction. We're starting to see some weakness from the public security companies, albeit after a stellar 2012 and very tough year-over-year comparisons. Does that mean we won't see innovation from some cool security companies? Of course not; innovation continues to happen every day. But the beanstalk doesn't grow to the sky, and at some point even the hot companies come back to Earth.

Why do you care? You just make this stuff work, right? You care because you lived through the Internet bubble, right? If you were in middle school or something back then, ask one of the grumpy old guys in your shop what happened when you made a big commitment to the "market leader," who then went belly up. You can probably still buy a Cobalt Server on eBay, just in case you were wondering. Now is the time to do extra diligence before making a strategic purchase on a product or service.

Or you can buy high and sell low. That's usually a good strategy for success.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
