
2015: The Year Of The Security Startup – Or Letdown

While stealth startup Ionic and other newcomers promise to change the cyber security game, ISC8 may be the first of many to head for the showers.

Over the last two years, the IT security industry has welcomed scores of new firms to the market. Investment firms poured some $1.74 billion into cyber security in 2013. While the numbers for 2014 aren’t all in, the early figures suggest that nearly as much was invested last year. It’s estimated that more than 500 private firms offer security products today -- most of them startups punching their tickets for a lottery to provide an answer to the spiraling data breach/loss problem.

But even if the cyber security market hits the astronomical figure of $76.9 billion in spending projected by Gartner in 2015, there is little chance that all of those startups will enjoy a slice of the pie. The fact is that 2015 will likely separate at least some of the winners and losers in the info security race -- and possibly slough off some of the pretenders to reveal the true game-changers in security technology.

On Tuesday, for example, the stealth startup Ionic Security will announce that it has secured some $40.1 million in Series C funding from Meritech Capital Partners, an investment firm that specializes in funding companies that are on the verge of market-altering product entries. Ionic, which has now secured more than $78 million in anticipation of an April launch, is promising a game-changing approach to security: the encryption of data from the moment of inception to the moment of retirement, no matter where the data goes or resides.

Meritech, which has funded such successful security firms as Fortinet, Imperva, Sourcefire, and Veracode, believes that Ionic may have an even better chance to break the cyberproduct mold. "Ionic has an opportunity unlike any we’ve ever looked at before," says Mike Gordon, managing director at the investment firm. "The industry has recognized that data breaches have become inevitable. This technology has a chance to make them irrelevant."

Still in stealth mode, Ionic executives are reluctant to unveil the "secret sauce" behind the company’s new approach yet. But Meritech says it has seen the technology working among early adopters, and Gordon believes it will shake conventional wisdom about security defenses and practices. "People have looked on [Ionic’s] website and said that what they are promising can’t be done," Gordon says. "But we’ve seen it working."

Of course, Ionic isn’t the only startup promising to change the face of security -- and getting funding to do so. Shape Security, for example, also received $40 million in funding in 2014. Ping Identity collected $35 million. Rapid7 garnered more than $30 million last year, and the list goes on. Across the investment spectrum, venture capital firms are placing their bets on companies that they believe might change the face of the cyber security problem.

On the other end of the spectrum, however, some of yesterday’s “hot security startups” are now among today’s market casualties. On Friday, former investment darling ISC8, which had received some $70 million in invested capital, announced that it will file Chapter 11 bankruptcy in the state of California. ISC8, which offers a sensor-based, near-real-time technology that promised to identify malware threats ahead of conventional perimeter security tools to limit the damage they might cause, is selling all of its assets in an auction with a starting bid of approximately $8.2 million.

Even with some $70 million behind it, ISC8 did not create the game-changing difference it promised at its launch. Yet, less than two years ago, startup FireEye went public, raising more than $300 million and reaching a valuation of more than $2.3 billion. Cisco paid $2.7 billion to acquire Sourcefire in 2013. Clearly, there is a brass ring to be grabbed for startups that have the technology -- and the business acumen -- to prove that their products truly are game-changers.

In 2015, companies with names such as Ionic, Shape Security, NORSE Corp., and Power Fingerprinting will be among the many startups that have a chance to break new ground in the race to develop the next game-changing security technology. Dark Reading offers a peek at 20 of those companies in its 20 Startups To Watch In 2015 feature, which was published a week ago. Perhaps Ionic -- and/or a few of the many other startups on the horizon -- will take the industry even farther than FireEye did a year or so ago. With so many enterprises suffering security breaches, there is a real thirst for technology that completely rethinks the security problem.

But for the other 490 or so private companies and startups that are entering the cyber security derby, it could be another long year. There are dozens of potential game-changers out there -- but there’s only one game. Only the strongest startups will have the technology, skills, and resources needed to battle it to the end.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

User Rank: Apprentice
1/15/2015 | 12:37:21 PM
Security + Compliance
Absolutely more startups. There is a need and companies will be born or evolve to address that need. But here is the thing - with security, Compliance is also becoming an important agenda. Almost every regulation out there is being re-visited to address security and data protection concerns. Both security and compliance have to be addressed and just like us, many other startups will help solve the problem. One of the biggest misconceptions out there is that just because you are secure then automatically you become compliant and vice versa. This needs to change.
Marilyn Cohodas,
User Rank: Strategist
1/14/2015 | 10:23:53 AM
Re: more than any other data/IT field ...
I don't disagree that there will be some really interesting, game-changing things going on in security technology -- and I hope all of the startups in those markets succeed. But there is more to being successful than having the best technology. Also, VCs invest in many projects knowing that they only need a few to win in order to earn their return on investment.
User Rank: Strategist
1/14/2015 | 10:09:36 AM
Re: more than any other data/IT field ...
Marilyn ... that surprises me some. Maybe it's the incessant drumbeat of (ahem) "SMAC" vendors, but I'd assumed, in the startup realm, there would be more of a crazy landgrab on the emerging side (particularly from the mobile/app side of things). It seems that security has never been the "sexy" sector, so I'm willing to concede that there may be many more varieties of small and startup infosec vendors.
Marilyn Cohodas,
User Rank: Strategist
1/14/2015 | 9:29:26 AM
Re: more than any other data/IT field ...
I'm not Tim but my 2 cents: I think there will be a higher failure rate for security startups simply because there are just more of them.
User Rank: Strategist
1/13/2015 | 5:56:38 PM
more than any other data/IT field ...
Tim, do you see a wider acceptance for security startups to fail as opposed to, say, a predictive analytics vendor? My thinking is that there is a greater allowance for small, unknown protection to fall by the wayside based on the nature of the market they work in.