The security industry is under-going a once-in-a-generation reset. But which startups and which technologies will make it to the next power on?
Something extraordinary and probably unparalleled is unfolding in the world of security startups that has the potential to reshape not only the security industry but perhaps also our understanding what a startup is.
If that sounds a bit over-blown, consider the sums of money investors have recently been throwing at almost anything with the words ‘security’ in the elevator pitch and on a scale that is as far from the norm as it is possible to imagine.
Examples are all around us, mostly money emanating from California’s Valley. In the first quarter of 2015 alone, funding in the US for the sector tipped over $1 billion (£ 670 million), up considerably on a year earlier that was itself considered buoyant. Since then it has become more fevered still with startups such as Illumio being handed $100 million in a Series C round which is good going for a firm that had been given tens of millions before leaving stealth mode less than a year ago.
Put a pin in the investment donkey almost anywhere on the board and you turn up big sums. How about Menlo Security ($25 million), BitSight ($23 million), or CounterTack ($25 million) to pick on a random selection from a recent and growing list of small firms pushing mostly untried but interesting technology.
The main areas of excitement these days are mobile security, security analytics including big data and almost anything that claims it help organisations secure and track where their data is and who is looking at it. Ideas for replacements for the long-crumbling edifice of anti-virus have also been popular, usually involving complex virtualisation, isolation and whitelisting. It’s precisely the stuff people can see not working well today but taken on a generation.
When did this all start and why? Macro-economics post-2008 are partly to blame, specifically the low returns and low interest rates that have sent investors scurrying to find better returns for risk capital than can be had on over-priced equity markets and in bubble-prone commodities. The history of tech is another lure – everyone knows that computing has generated massive returns as long as you can pick a winner from the long list of candidates. Technology is a tantalising and downright exciting way of taking a bet.
Let’s be clear, just because investors and VCs are ploughing money into security as if it’s a second coming from the dot.com era doesn’t mean that what they are doing is without rational foundation. Security is hot right now and for a justified reason – the security industry as it is currently configured through large vendors that mostly matured just before or around the 1990s has self-evidently failed to protect its customers well enough.
With numerous data breaches, cyber-attacks and imaginative scams galore, something is if not rotten in the state of security then at the least broken or badly malfunctioning.
The problem is that organisations of every size have bought tonnes of security in the last decade but every time they install a new security appliance or service and turn their backs for a few months, the criminals migrate to attack another weakness nobody thought would ever turn into a problem.
The defenders aren’t just behind the attackers as working to a timescale weeks, months or years out of synchronisation with them. It’s become a one-sided war with a guaranteed loser.
As the losses and geopolitical costs rise – especially for the US itself – everybody from government to security vendors agree this can’t continue or the security industry will turn into a glorified version of the front door and locks sector, little more than a basic protection system people don’t pay much for.
One important trend within this activity is the interest Silicon Valley investors are taking in startups and firms getting out of their geographical comfort zone and heading out beyond home territory. Once it would have been a handshake off Highway 101 or nothing, now US firms in other tech hotspots such as around Boston and Austin are regularly appearing on the funding lists at a rate unimaginable in the recent past.
Radically, some of these firms are taking plane trips to far-off, exotic places such as London, Europe and even Asia in search of customers, driven by investor demands to forge international presence faster than ever before. The US security market still rules but it’s no longer enough a story on its own.
But if there are ideas aplenty as to how security can be fixed by startups, intriguingly it is older firms that have really grabbed the opportunity to ride a helpful wave of reinvention. This is the real story we should pay attention to – established firms rejuvenating their mojo with something a bit different.
Recent funding rounds that catch the eye for this class of company include Venafi ($39 million), Checkmarx ($84 million) and the extraordinary $500 million round thrown at Palantir in June, only the latest in a number of large rounds for a company founded as long ago as 2004. This values a company remarkably few people outside the security industry have even heard of at a possible $20 billion.
In the UK, thirty year-old security software firm Sophos has now priced its IPO at the third attempt to gain itself a valuation of around $1.5 billion (£1 billion) , big money for anything UK-based with the words ‘security’ in its business description.
You could see this as an opportunistic money-grab by firms from the recent past but whatever the motivation it is rapidly redefining what we mean by important words such as ‘startup’. Until recently, startup was broadly speaking any recent company with a plausible funding round, an office and some staff. Then companies that hadn’t even launched – startups in stealth mode to use old terminology – started landing money before they’d done most of that. Startups could exist for years without anyone knowing about it.
By the time larger firms with money started landing the sorts of speculative money once reserved for brand new names, it was clear something was up. The idea of a startup has become about ideas, not money or ‘newness’. If you are a ten year-old firm with something hot nobody else is using you can suddenly get the cash to push it to market at double speed and certainly to uncover customers.
The word startup has always been slightly ambiguous. Big firms – even Google – have been known to talk up themselves as having a ‘startup’ mindset even though most people agree that this is an misappropriation of what the term should mean. Startups should always, must always, be in some way new or it’s just a perpetuation of what we already know about the world and nothing changes.
But don’t tell the investors who are busy betting big on cyber security without a care for any of this. Startups, security, and new technologies are going to fix the networks of the traumatised customers of security products before global economics shuts the door again for a while.
Everybody knows the money-train will stop at some point that doesn’t mean it won’t have been worth the ride.