How Enterprises Can Harvest The Knowledge Of Security-Focused Venture Capitalists

Tomorrow's game-changing security startups are meeting with investors today. Here are some tips on how you can take advantage of smart guidance from venture funding firms.

Second of two articles in a series on venture capital in security. The first installment is Venture Capital: The Lifeblood Behind Security Innovation.

One of security's most overused axioms is that "there’s no silver bullet" to cure all ills. But what if, someday, a silver bullet security product is developed? Who would be the first to know about the industry’s most revolutionary new technology?

The answer is simple: Follow the money. The road to security’s "next big thing" will almost certainly go through the investment firms that fund such new ventures. If you want to know where security technology is going -- and where it’s not -- it pays to do some research on what the industry’s top venture capital companies are doing.

Every day, VC investment firms that focus on cyber security meet with emerging companies that need cash to bring their products to market. Hundreds of startup firms pitch VCs in the shark tank, hawking everything from harebrained schemes to highly viable technologies already deep in beta test. The startups that make it through this filter -- and win the big investment money -- will be tomorrow’s most disruptive new vendors.

"One of the things that many enterprises overlook when they’re investigating new technologies is doing some due diligence on their financial viability," says David Cowan, a partner at Bessemer Venture Partners, which has funded some 32 IT security startups. "Any startup you’re considering will probably be losing money when you first meet with them. You want to know who are the VCs behind them -- that will give you a pretty good indicator on what their chances are."

Much like the enterprises that take a leap of faith by buying technology from a startup, VCs kiss a lot of frogs before they find the few emerging firms that will receive their millions of investment dollars. The prospective winners typically run a series of gauntlets before they hit it big, first auditioning for tens of thousands in angel funding, then auditioning again for a million or three in Series A. By the time you read about a startup receiving $10 million or more in Series B or C, its founding fathers have usually made dozens, if not hundreds, of presentations and demonstrations to prospective investors.

MACH37, a "cyber accelerator" organization that funds and trains entrepreneurs and young security companies on how to develop their ideas and bring them to market, offers a modest $50,000 to potential startups that enter its programs in the spring and fall. Just a few weeks ago, MACH37 announced that it has funded five startups from a list of more than 40 applicants -- all of them in their earliest stages of development.

"What we’re looking for is companies that have a concept that is solving real-world problems and that are truly different from what already exists out there," says Rick Gordon, managing partner of MACH37. "We know about the problems that enterprises are facing -- BYOD, cloud security, SDN. What we are looking for are companies that could potentially claim a significant portion of the market."

A startup that makes it through MACH37’s program or an angel funding round might then be considered for a larger round of funding by a VC firm such as Bessemer, Accel Partners, AGS, or Sequoia Capital. Many VC firms have programs in which they will meet with enterprise IT people and introduce them personally to security startups that might be a good fit.

"Today, if you’re an IT executive and you’re not doing a West Coast sweep of the VC companies, you’re missing some great opportunities," says George Kurtz, CEO and co-founder of emerging security firm CrowdStrike and a veteran entrepreneur in the security industry. "The VCs are in a great position to help you filter out the right startups to work with -- they’ve seen every company and heard every story. They understand the startups’ financial position and their long-term strategy. It’s a great way to vet the [startups] you might be considering bringing in."

Meetings with enterprise IT people are essential to VCs because they provide insight on key pain points and on the central security problems that enterprises are trying to solve. Through multiple conversations with CIOs and CSOs, venture capitalists form a picture of the security problem that eventually helps them decide which startups have a chance to make it big and which ones don’t.

"Before we invested in CrowdStrike, we talked to a lot of CIOs and asked their impressions of the problem and where they were feeling the pain," says Sameer Gandhi, a partner at Accel Partners, which has also funded many other startups that are well known today, such as Lookout, Tenable, and Sonatype. "One of the reasons we were excited about CrowdStrike was that we felt that they were working on a problem that a lot of enterprises have but that none of the incumbent vendors was currently able to solve. That’s something we were able to recognize by talking to CIOs."

Even if you don’t work for a large enterprise that might be invited to meet with a VC firm, you can use the intelligence gathered by VCs to help you choose the right startups to work with, experts say. Some VC companies have strong track records for consistently backing successful security startups, while others are still new at the game, they note. A wise security professional will consider a startup’s venture funding partners before climbing into bed with them.

Venture capital companies may also publish reports on industry trends that offer hints as to which problems they’ve identified and which categories of companies they are thinking about investing in, experts say. If several VCs have identified the same security trend and are putting their dollars behind it, it’s usually a good sign that products in that category are "safe" and that working with a startup might be an option.

But not all VCs that have invested in cyber security are highly savvy about the market, notes Adam Ghetti, co-founder and CEO of startup Ionic Security. "There are a lot of VCs in the space, but there are very few that really get it from all sides," Ghetti says. "There are security startups that can build a good business and sell at $100M, and there are security startups that have the potential to change the whole platform as we know it. Not all VCs understand that nuance."

And there are some organizations, such as the Security Innovation Network (SINET), that help enterprises to vet the plethora of startups on the market and identify those with promise. In 2010, SINET chose FireEye Inc. -- then a new company that had some innovative ideas about identifying zero-day malware -- as one of 16 emerging companies to feature in its annual showcase. Today, FireEye is one of the best known and most highly capitalized companies in the security industry.

While many enterprises remain reluctant to invest in startup technologies for functions as important as security, that conservatism may be unwarranted, according to Bessemer’s Cowan.

"I’m not sure the risk is as great as enterprises might think," Cowan says. "If you look at what happens to startups, very few of them ever really disappear. They might get acquired, but even if that happens, they’re usually still supported. And the cost of switching vendors in security is still relatively low -- it’s not like most companies have a huge legacy of products that they would have to replace.

"In fact, there are some advantages to getting in and working with a startup early. For one thing, when you work with a startup, you get their full attention -- they may not have very many customers, so you’re high on their priority list. The key is to find startups that are transparent about what they do. If they won’t tell you how their technology works, that’s not a good sign."

Unlike hardware or operating systems, security is not a market that lends itself to "durable" solutions, Cowan observes. The pace of cyberattacks and the rapid evolution of defenses don’t favor a long-term solution, so choosing an established vendor isn’t necessarily a better choice than choosing a startup.

"The best you can ever do in cyber security is to tread water," says Cowan. "The best solution today will not be the best solution five years from now. Your best option is to stay flexible."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

User Rank: Strategist
5/8/2014 | 9:39:48 PM
Re: Cyber Security Solutions - Innovation Trumps Size
Great points, Bob -- you answered some of the questions I raised in the comments in response to your remarks at the end of my Part 1 story! I do think that the relationship between security executives and venture investors like yourself is one that has huge potential for benefit on BOTH sides, and I hope that Dark Reading can facilitate more discussion between security-focused VCs and security professionals such as those in our community. I hope you'll continue to add your insight to our news and analysis pieces!
User Rank: Apprentice
5/8/2014 | 8:24:19 PM
Cyber Security Solutions - Innovation Trumps Size

Nice follow-up piece, Tim. As a venture capital investor in cyber security innovation, we spend a lot of time with enterprise customers to: 1) understand where they see the threat vectors based on their technology infrastructure and business profile, and 2) to seek input into the opportunities we are evaluating. The symbiosis here is to draw connections between those with the problems and those looking to provide the solutions. Historically, enterprise customers have been reticent to purchase solutions from young companies for the reasons you articulated through your two pieces. Cyber is definitely an exception to that generalization. Frankly, the nature of cyber threats evolves and morphs faster than most legacy solution providers can track. Experienced customers understand this and turn to the start-up community out of necessity – they simply don't have a choice in many cases. The cutting edge innovation is coming out of Silicon Valley (and other innovation clusters) and the imperative to "get it right" with cyber security outweighs the risk of engaging with a start-up company in many cases. Look to the resignation of the Target CEO earlier this week when you think about the consequences of getting it wrong in cyber. Expect to see more of this in the future. Maybe this is a reason why you see groups like Blackstone actually setting aside a pool of capital to engage and work with cutting edge cyber innovators to provide advanced cyber security solutions for their portfolio companies.

User Rank: Strategist
4/30/2014 | 4:28:01 PM
Re: Vested interest
Thanks Lorna, you make a great point. To get the full value of the VC community, you need to track multiple VCs and get their varying points of view. But it's still a lot easier to evaluate (in your scenario) four promising startups than to start from scratch and listen to pitches from dozens of unknowns. Another point I might make is that many startups, such as FireEye and CrowdStrike, are actually getting funding from multiple VCs, so it's not a one-sponsor, one-startup situation. If you see 3-4 VCs that know security backing a single startup, that's a good sign that there might be a there there.
User Rank: Strategist
4/30/2014 | 4:23:05 PM
Re: VC explosion
Great points, Kelly. Interestingly, according to numbers from Thomson Reuters, the number of security companies receiving funding was actually down slightly between 2012 and 2013 -- there were a lot of startups funded in the 2011-12 years. However, I think what we're noticing is that startups are getting a lot more traction than they did during those years -- a startup today has a real chance of breaking into an enterprise and building a business relatively quickly, as we saw with FireEye, Palo Alto Networks and CrowdStrike. There's a real opportunity for a new company to make the grade.
Kelly Jackson Higgins,
User Rank: Strategist
4/30/2014 | 4:14:25 PM
VC explosion
There is a lot of VC activity going on lately in security. Nearly once a week, there's been a new VC funding announcement from one startup or another. I'm wondering how this compares with a year ago, or even six months ago.
Lorna Garey,
User Rank: Ninja
4/30/2014 | 2:31:50 PM
Vested interest
Tim, any given VC is going to have a strong incentive to recommend to enterprise CIOs/CISOs the startups it's invested in. So, you might visit four VCs asking about X problem and get four promising solutions. I guess that's actually better than the alternative, but how do you recommend sorting through the possibilities?