The upcoming RSA security conference is going to be larger than ever since one of the hottest trends today is Cyber Security. High visibility hacks on corporate giants like Sony, Target, JPMorgan Chase and Home Depot have resulted in unprecedented amount of media coverage for the space. Needless to say, venture capital funding followed suit and according to CBInsights cyber security startups raised $2.4B in 269 deals last year.
There is no question that the cyber security world is going through a paradigm shift. The outdated methodology of protecting the enterprise perimeter from outside threats does not work anymore: On the one hand attackers have become much more sophisticated and moved from generic malware to targeted attacks, and on the other hand the enterprise perimeter became more vulnerable as it got extended to the cloud and with the consumerization of IT. Therefore, it makes sense that a new wave of next-generation cyber security startups are working on solving the problem.
However, there is a big difference between building a great new malware detection/protection/evasion tool and building a large company. Yet it seems to me that the majority of the cyber startups out there are confusing the two as most of them are building point solutions. Unfortunately, this is even more true in Israel where it seems like every new batch of 8200 graduates starts a company that protects against the kind of attacks the founders had experienced during their military service.
I can see how easy it is for investors and founders to get carried away in this environment. Every new attack that gets revealed is like a large marketing campaign for the industry. This puts the enterprise Chief Information Security Officers (CISO) under a lot of pressure. Instead of operating in the background like he is used to, the CISO is suddenly invited to board meetings where he has to explain how he plans to defend against the recent breach in the news. It is not enough that protecting the enterprise is difficult (or most likely impossible), the CISO gets even more confused when every startup he meets comes with a different solution that is supposed to be the best. What the terrified CISO ends up doing is throwing every new solution in the lab or in some part of the network. Since most of the enterprises are vulnerable, many of the startups which get deployed are able to detect breaches. Yet, the real problem is not detecting breaches but being able to sort through the noise and signals that all the security products in the network generate.
In the end, the CISO wouldn’t be able to deal with many point solutions and will want something that solves everything in one place. This means that some of the startups will get acquired by larger security vendors and others will just disappear. The real problem is the large amount of VC funding in the space which forces startups to significantly increase burn rate in order to stay ahead of competition. Therefore, the winners will not necessarily be the startups with the best technology but more likely the ones that raise more capital and have the means to survive and pick up the ones that fail along the way.
I believe that undisciplined investors who invest in high valuations in cyber will end up losing money, and many entrepreneurs who raised too much capital will be surprised when they realize how little their equity is worth on the end of the day.