We can see what is hot. But how long will it be hot for?
Spotting growth sectors in security is easy. But long-term trends are always about underlying changes in the way technology is used.
Ignore the look of certainty and the grandiose statements of purpose that emanate from big tech firms: nobody in the security industry is absolutely sure where the industry is going. But if in doubt when making a startup investment, one approach is to study where technology is taking the world more generally and follow that lead.
Hitherto, protecting established business systems has been the main driver for startups, building on an older generation of proprietary big-budget platforms offering high-performance firewalling along with application-layer security through IPS and SIEM. More recently this has been supplemented by security-as-a-service threat analytics and forensics, biometrics, single sign-on (SSO), identity and access management (IAM) and, of course, mobile.
In a sense, business security is a sort of accumulation where the roll-out of new systems requires a new layer of security to be added. For instance, investing in mobile technology makes single sign-on and identity management a necessity, which in turn demands better authentication, which might also include biometrics. Naturally, the mobile device has to be protected too.
All of these are emerging technologies at varying states of maturity, which benefits startups that pop up with the right answer to these problems, and there are numerous examples of new and relatively new firms jumping on these speeding trains. One is mobile security firm Lookout, a young star that has attracted several sizable funding rounds, including $150 million in August 2014. Another might be the slightly older Centrify, an SSO firm, which scored a $42 million round earlier the same year.
More lateral ideas are now also attracting money as they carve out new security niches that really didn’t exist two or three years ago. There are a handful of examples of this, starting with TrapX, a firm whose main product, DeceptionGrid, uses the clever principle of sucking malware into attacking bogus resources as a way of camouflaging the real ones.
Likewise, there is a clutch of often very new firms tackling old problems such as how to keep malware out of corporate networks using better detection, blocking and threat intelligence. It should be less fashionable – endpoint security is widely seen as a percentages game with poor odds – and yet startups such as Shape Security (website security), Ionic Security (monitoring data wherever it is, or moves), and Norse (attack intelligence, including the ‘darkweb’) have quite quickly found the funding and customers to turn themselves into companies to watch.
Standing back a bit, it’s apparent that the renaissance in endpoint security is wrapped up in the extraordinary sequence of breaches, nation state attacks and software vulnerabilities that have left the corporate security of the early 21st Century full of holes. Without these events it is doubtful that many of these firms would have been funded at all. It is about mending the old problems that the better-known brands have struggled to contain, let alone stop.
But we should try to remember that the important story is always about the new stuff nobody has quite worked out yet, and the chief contender for that title must be the sprawling and increasingly messy landscape of the Internet of Things (IoT). Depending on your definition, this is a universe of devices that stretches from health monitoring and vehicle tracking at one end to home automation hubs, surveillance, smartwatches, TV sets and more or less anything that can be turned on using electricity at the other.
The term ‘Internet of Things’ sounds confused, as if lumping together everything that doesn’t quite fit anywhere else using the word ‘Thing’ explains itself. As with all new technology at the moment, this is less about events – something going wrong – than hyped platforms and the companies elbowing each other to establish them. This will mature in time, and when it does, a new generation of firms will have to think of ways of enabling the new features it brings without also asking people to simply trust the probably flawed security of untested platforms.
The fashion for better, cleverer corporate security isn’t forever; it is a phase driven by events. Some of the biggest investors know this, especially the ones with a cultural connection to security themselves such as Intel Capital, Cisco Investments, Rackspace, Symantec (which now has its own incubator), Google Ventures and Samsung.
This is the warning that the security startups serving corporate security should heed – get money, customers and scale now because the investor interest will wane, possibly sooner rather than later. The next phase of security industry growth, which could start at any minute, will be about what is new.