2015: The Year Of The Security Startup – Or Letdown

While stealth startup Ionic and other newcomers promise to change the cyber security game, ISC8 may be the first of many to head for the showers.

Over the last two years, the IT security industry has welcomed scores of new firms to the market. Investment firms poured some $1.74 billion into cyber security in 2013. While the numbers for 2014 aren’t all in, the early figures suggest that nearly as much was invested last year. It’s estimated that more than 500 private firms currently offer security products -- most of them startups punching their tickets for a lottery to provide an answer to the spiraling data breach/loss problem.

But even if the cyber security market hits the astronomical figure of $76.9 billion in spending projected by Gartner in 2015, there is little chance that all of those startups will enjoy a slice of the pie. The fact is that 2015 will likely separate at least some of the winners and losers in the info security race -- and possibly slough off some of the pretenders to reveal the true game-changers in security technology.

On Tuesday, for example, the stealth startup Ionic Security will announce that it has secured some $40.1 million in Series C funding from Meritech Capital Partners, an investment firm that specializes in funding companies that are on the precipice of market-altering product entries. Ionic, which has now secured more than $78 million in anticipation of an April launch, is promising a game-changing approach to security: the encryption of data from the moment of inception to the moment of retirement, no matter where the data goes or resides.

Meritech, which has funded such successful security firms as Fortinet, Imperva, Sourcefire, and Veracode, believes that Ionic may have an even better chance to break the cyberproduct mold. "Ionic has an opportunity unlike any we’ve ever looked at before," says Mike Gordon, managing director at the investment firm. "The industry has recognized that data breaches have become inevitable. This technology has a chance to make them irrelevant."

Still in stealth mode, Ionic executives are reluctant to unveil the "secret sauce" behind the company’s new approach yet. But Meritech says it has seen the technology working among early adopters, and Gordon believes it will shake conventional wisdom about security defenses and practices. "People have looked on [Ionic’s] website and said that what they are promising can’t be done," Gordon says. "But we’ve seen it working."

Of course, Ionic isn’t the only startup promising to change the face of security -- and getting funding to do so. Shape Security, for example, also received $40 million in funding in 2014. Ping Identity collected $35 million. Rapid7 garnered more than $30 million last year, and the list goes on. Across the investment spectrum, venture capital firms are placing their bets on companies that they believe might change the face of the cyber security problem.

On the other end of the spectrum, however, some of yesterday’s “hot security startups” are now among today’s market casualties. On Friday, former investment darling ISC8, which had received some $70 million in invested capital, announced that it will file Chapter 11 bankruptcy in the state of California. ISC8, which offers a sensor-based, near-real-time technology that promised to identify malware threats ahead of conventional perimeter security tools to limit the damage they might cause, is selling all of its assets in an auction with a starting bid of approximately $8.2 million.

Even with some $70 million behind it, ISC8 did not create the game-changing difference it promised at its launch. Yet, less than two years ago, startup FireEye went public, raising more than $300 million and reaching a valuation of more than $2.3 billion. Cisco paid $2.7 billion to acquire Sourcefire in 2013. Clearly, there is a brass ring to be grabbed for startups that have the technology -- and the business acumen -- to prove that their products truly are game-changers.

In 2015, companies with names such as Ionic, Shape Security, NORSE Corp., and Power Fingerprinting will be among the many startups that have a chance to break new ground in the race to develop the next game-changing security technology. Dark Reading offers a peek at 20 of those companies in its 20 Startups To Watch In 2015 feature, which was published a week ago. Perhaps Ionic -- and/or a few of the many other startups on the horizon -- will take the industry even farther than FireEye did a year or so ago. With so many enterprises suffering security breaches, there is a real thirst for technology that completely rethinks the security problem.

But for the other 490 or so private companies and startups that are entering the cyber security derby, it could be another long year. There are dozens of potential game-changers out there -- but there’s only one game. Only the strongest startups will have the technology, skills, and resources needed to battle it to the end.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
Comments
Secureslice
User Rank: Apprentice
1/15/2015 | 12:37:21 PM
Security + Compliance
Absolutely more startups. There is a need and companies will be born or evolve to address that need. But here is the thing - with security, Compliance is also becoming an important agenda. Almost every regulation out there is being re-visited to address security and data protection concerns. Both security and compliance have to be addressed and just like us, many other startups will help solve the problem. One of the biggest misconceptions out there is that just because you are secure then automatically you become compliant and vice versa. This needs to change.
Marilyn Cohodas
User Rank: Strategist
1/14/2015 | 10:23:53 AM
Re: more than any other data/IT field ...
I don't disagree that there will be some really interesting, game-changing things going on in security technology -- and I hope all of the startups in those markets succeed. But there is more to being successful than having the best technology. Also, VCs invest in many projects knowing that they only need a few to win in order to earn their return on investment.
IMjustinkern
User Rank: Strategist
1/14/2015 | 10:09:36 AM
Re: more than any other data/IT field ...
Marilyn ... that surprises me some. Maybe it's the incessant drumbeat of (ahem) "SMAC" vendors, but I'd assumed, in the startup realm, there would be more of a crazy landgrab on the emerging side (particularly from the mobile/app side of things). It seems that security has never been the "sexy" sector, so I'm willing to concede that there may be many more varieties of small and startup infosec vendors.
Marilyn Cohodas
User Rank: Strategist
1/14/2015 | 9:29:26 AM
Re: more than any other data/IT field ...
I'm not Tim but my 2 cents: I think there will be a higher failure rate for security startups simply because there are just more of them.
IMjustinkern
User Rank: Strategist
1/13/2015 | 5:56:38 PM
more than any other data/IT field ...
Tim, do you see a wider acceptance for security startups to fail as opposed to, say, a predictive analytics vendor? My thinking is that there is a greater allowance for small, unknown protection to fall by the wayside based on the nature of the market they work in.