2018 represented a record year for venture capital investment into information security, but this isn’t a positive trend – and it definitely doesn’t mean we’re more secure.
An unwarranted percentage of solutions being funded are not solving the problems defenders face the most. And with high numbers of lackluster information security startups failing to meet the needs of their customers, you might expect downward pressure on valuations.
Instead, 2018 also saw record valuations, both because venture capital firms benefit from them, as will be explained in this article, and because so many investors are unfamiliar with the information security space and simply don’t know better. Defenders are beginning to be fed up, and there has to be a reckoning if we want progress in securing our digital systems.
In March 2019, tens of thousands of security professionals will descend upon San Francisco, making their way through a labyrinth of security solutions on display at the RSA Conference in a quest to find a solution that fits their specific needs. In their way stand 650 exhibitors, a cacophony of booth distractions ranging from delightful to distasteful, buzzwords assaulting their eyes in hundred-point font offering a cure for the latest and most vicious threats – threats that are more likely fantasy than reality for most attendees.
In classical Greek mythology, the heart of the labyrinth contains a Minotaur who devours all who come past. In our modern information security reality, startups devour the dollars of security professionals and investors alike, with unproven promises luring the less informed into their grasp.
In 2018, over $5 billion was invested into information security startups in about 300 funding deals total, according to Crunchbase data. How does this large influx of capital improve security? Where does it get all of us, the people whose data needs protecting? Unfortunately, the answers are unclear.
It is entirely possible that the raging furnace of the information security startup / VC cycle actually is hurting our ability to defend against attacks. First, we must understand how these solutions are failing to meet the market’s needs. Second, we must look to investors and see how their incentives propel them to increase valuations despite lack of value.
Featured Infosec Bingo Composition by Kelly Shortridge, Image by Nipitpon Singad / EyeEm via Getty Images.
Information security startups are not addressing their customers’ most pressing challenges. Arguably, the more money flowing in, the less they are carefully researching how they can make the highest positive impact in a security program. It is fruitless to point a finger at one cause.
One factor is a gravitation towards what is cool from a technical perspective, compounded by a lack of consideration towards sustainable customer value. Another factor is a predilection for incremental improvements on existing solutions. Finally, the potency of flashy marketing can obfuscate deficiencies in the value security startups provide. All are worth exploring.
It is often easy to sniff out when founders wanted to flex their technical muscle and build something they thought was cool, rather than finding a customer problem they wanted to solve and figuring out how best to do so. This backwards approach then requires these startups to search for – or worse, invent – a customer problem to solve with their ostensibly sexy technology.
As Esteban Gutierrez, Director of Information Security at a publicly-traded SaaS company, observed, “The VC crowds approach things from the perspective of ‘what problems can we find to make money off of?’ and not the perspective of what are actually the problems people are having with keeping their data safe, having easy control over access to their digital stuff, or how can we actually make things better (so much blockchain).”
There is a dreadful disconnect between what is important to security practitioners and the problems the majority of startups being funded are supposedly solving. The vast majority of information security teams do not spend their days stopping an unknowable threat, referred to as a “zero-day.”
Instead, they are focused on the routine and frustrating tasks such as threat modeling, policy definition and enforcement, risk reviews, configuration management – or if they’re lucky, working on automating these mundane tasks through custom scripting. Further, only after basics are met in the security “hierarchy of needs” can defenders even begin to consider addressing unknowable threats in a meaningful way.
Regulatory compliance – from HIPAA, PCI, and SOX to, most recently, GDPR – drives a substantial portion of budgets in information security, despite being considered the dullest segment of the industry. Compliance violations are what most often lead to fines or customer losses – not ultra-sophisticated attacks by nation-state actors. So, information security teams are instructed to spend their time avoiding these violations as the first priority of what their security program should cover.
Regrettably, the information security industry thrives on the drama of devastating vulnerabilities. In many cases, founders with security backgrounds concentrate on building technology to exclusively detect or stop the most sophisticated possible attacks. This pursuit represents the flipside of finding noteworthy vulnerabilities and developing elite exploits – the currency of respect within the industry with which these founders are familiar.
In contrast, one of the industry’s most recent massive successes happens to be an example of a good case of user research, despite investors initially disregarding its potential for explosive growth. Duo Security, which was acquired last year for $2.35 billion by Cisco, was founded by people with notable accomplishments in vulnerability research.
Yet, to their credit, they understood that the foundation of most attacks affecting enterprises is not the stuff of groundbreaking research papers, but attackers with databases of passwords, simply trying them out to see which still worked – hence Duo Security’s innovation of two-factor authentication that was exceptionally easy to use. By understanding the typical enterprise user’s workflows, Duo Security’s team figured out the best way to integrate security into the enterprise’s work, without adding friction.
Few information security startups are following Duo Security’s lead, however. As Gutierrez noted, “A lot of VC-backed information security startups don’t actually start their conversation with ‘is this a problem you’re having?’ There are some startups that do it this way, and those are the interesting ones I talk to.”
This general lack of customer understanding includes assumptions about the effectiveness of startups’ products within the customer’s environment. Information security startups’ value propositions are often predicated on the assumption of underlying orderliness within their customers’ security programs. This assumption couldn’t be further from reality.
Anne Marie Zettlemoyer, who sits on the board of SSH Communications Security, pointed out, “The reality is that the functionality of many tools requires the hygiene of an environment to be pretty strong to begin with and substantially maintained as well. Why is there so much ‘consulting’ added onto the product for implementation? Because the tool has no chance of either working or showing the business that it is working if you don’t have basics like identity and access management, inventory of assets, network visibility, data classification, incident response plans, etc., in a decent place.”
Another reason information security startups’ tools fail to provide value in customer environments is that they focus on developing a niche feature, rather than a true product. A product solves a problem in a range of contexts. A feature adds value to a product, but is likely for a specific context.
In other words, a product is valuable on its own; a feature needs something else to provide its full value. It is far easier for a customer to describe the bit of supplemental value they’d like to extract from an existing product than to articulate how the way they do their work might need a fundamental overhaul.
For example, when asked, you might wish your vacuum cleaner had a more comfortable grip or more power to reduce cleaning time. You would likely be unimpressed by a company that sold an add-on to your vacuum that provided just one of those improved features, but you might be delighted by the prospect of an autonomous robot vacuum cleaner, which saves both your grip and your time.
In information security, we often only see the incremental progress upon existing solutions, slight tweaks that create only a sliver of value more than what is currently deployed – not innovative products that reflect a deep understanding of why customers are dissatisfied. This lack of any significant alleviation of customer pain points results from the willingness of investors to fund concepts and the pervasiveness of limited trials – both of which distract from investing in the less-glamorous and more exacting goal of long-term value creation.
Zettlemoyer explained, “Why are we failing when there are so many ‘solutions’ out there? I think a very strong causation is that many of these tools are good ‘in concept.’ They might have a limited PoC [Proof of Concept] or PoV [Proof of Value], but are they [the vendor, the VC, and the customer] asking the question, ‘What does it take to make sure this tool is adding sustained value?’”
This trend towards incremental improvement is also what leads to the extreme fragmentation of solutions within information security, making it even harder for defenders to figure out what will actually solve their challenges. Those outside of the industry may view “information security” as a singular category of products. However, there are dozens of subsectors within security that each have their own cluster of vendors.
As Will Lin, a Founding Investor and Principal at Forgepoint Capital, noted, “It’s possible to invest in 40+ security companies that don’t compete against each other. There are multiple customer categories in security and customers on average have 75 security vendors in their environment.” One investment bank lists a stunning 46 sub-categories within information security in their market map.
By way of analogy, imagine if you look around your house and notice it’s dirty. The logical approach would be to create a list of things to do to clean each room, identify the tools needed to do each of those things (vacuum, mop, duster, etc.), buy the tools if you don’t have them, and then go room by room, cleaning.
Now imagine that the only stores from which you can buy vacuums, mops, and dusters tell you things like, “your old vacuum cleaner just won’t do, this one is nuclear-powered and also self-propelled.” They also start identifying rooms in your house that are dubiously rooms, like crawl spaces, and propose solutions to clean those rooms.
If you spend all day at the department store being pitched on increasingly outlandish cleaning products – perhaps a trained army of rats with dusters, and a cat to catch and eat all the rats after they’re done – not only will you probably buy something very useless, but your house also won’t get cleaned.
You can imagine the frustration and helplessness you might feel at being pushed to buy all these unnecessary solutions. You might even be angry when realizing investors were pouring money into these startups to power marketing meant to overwhelm you, rather than to create tools that actually help you. Information security startups overcome the need to prove usefulness with aggressive marketing.