
Perimeter

3/26/2013
06:56 PM
Mike Rothman
Commentary

Follow The Dumb Security Money

When security companies raise big funding rounds and spend big bucks at security conferences, be afraid -- very afraid

It was amazing to see how excited folks were at the recent RSA Conference. Things were great! Every company was doing great! It was like hanging out with Tony the Tiger for a week. When things seem too good, they usually are, and the contrarian in me goes into overdrive. I'm constantly looking for chinks in the armor, and over the past weekend I found one. I read two articles this past week, both excited that venture capital money is flowing back into security. We are now seeing security companies raise huge rounds of funding at what must be huge valuations. Being an analyst, I'm approached by lots of new security companies overflowing with VC cash, trying to get my attention. Having seen this cycle more than once, I know what time it is. It's the time when the dumb money returns to security.

The funding wave is usually driven by some new kind of overhyped problem, with dozens of companies launching largely the same ideas and technologies to solve said problem. In security we are fortunate to have three. Between anything "cyber," BYOD, and advanced malware (which really means keep the Chinese out), security has become a board-level issue. And who hangs out with CEOs and board members? Right, the VCs. So inevitably VCs get interested in the market sector, especially if they perceive innovation happening. Especially if that innovation is magical and hard to understand (like security) for the typical business school pukes, who inhabit the lower rungs of the VC food chain and chase most of the deals.

No, I'm not talking out of my backside. I spent the better part of a decade working with VCs, both as a company founder and as a senior executive in venture-funded start-ups. When I was the company founder, we had pretty smart money for the first two investment rounds. This was when the Internet bubble was just forming and the investors had lots of security and telecom experience. By the time we were ready for the third round, we needed more money and the Internet bubble was exploding. We looked for smart money, but they didn't like the valuation or our momentum (or lack thereof). We found some dumb money and got the deal done. To be clear, they weren't dumb guys, but they didn't understand the security business. They were smart guys with too much money, trying too hard to get exposure to a hot market sector.

Then we learned that our technology partners were going to screw us. And they did. At around the same time the Internet bubble popped, and we sold that company for the remaining money on the balance sheet. But I learned a lot, so there's that.

Why do I bring up my tattered history? Because we are likely to see the same cycle repeat. It seems all a company has to do is say they do "BYOD," have a network anti-malware gateway, or do something related to security big data, and they have VCs falling all over themselves to write checks. The companies will raise the money at valuations that are too high, setting expectations that are too high, and will need to spend like drunken sailors (for example, a 30x30 RSA Conference booth for a start-up) to perpetuate the myth of market leadership and momentum.

I've seen this movie before. So have you, but you may not have known that the catalyst for the crazy behavior was investors that paid too much to get a piece of these hot companies.

Contrast that with how smart VCs behave. These folks never left security. They've been in the market, usually as operating executives with extensive contacts among the smart folks who build security products. They've been providing seed funding and early-stage money to proven entrepreneurs for the past five years. You know, when security wasn't sexy. Before "cyber" became common CNN fodder. These investors provided the first money into companies like Palo Alto, even when it wasn't "cool" to build a new firewall. They stuck with a company like FireEye while it started and restarted three times to figure out and find its market. The smart VCs know the right security entrepreneurs, and they will fund a company at any time, macroeconomics and hot market sectors be damned.

But even smart money isn't always right. I worked at a company that thought they were the next coming of Netscreen (you remember Netscreen, right?). They were wrong, but that didn't stop them from raising a lot of money at an insane valuation with a very smart VC leading the investment. That company ran into some challenges, which had nothing to do with hiring me as the marketing guy. That's my story and I'm sticking to it. They eventually got acquired, but the investors didn't make much money on that deal. Mostly because they bought too high and couldn't sell for enough to make it work. Even smart VCs don't always hit a home run, but they hit a lot of singles and doubles.

Turns out the dumb ones pretty much never hit home runs, and they don't hit many singles, either. When the lemmings start jumping into the frigid waters of security investing, it means the market is ready for a correction. We're starting to see some weakness from the public security companies, albeit after a stellar 2012 and very tough year-over-year comparisons. Does that mean we won't see innovation from some cool security companies? Of course not; innovation continues to happen every day. But the beanstalk doesn't grow to the sky, and at some point even the hot companies come back to Earth.

Why do you care? You just make this stuff work, right? You care because you lived through the Internet bubble, right? If you were in middle school or something back then, ask one of the grumpy old guys in your shop what happened when you made a big commitment to the "market leader," who then went belly up. You can probably still buy a Cobalt server on eBay, just in case you were wondering. Now is the time to do extra due diligence before making a strategic purchase of a product or service.

Or you can buy high and sell low. That's usually a good strategy for success.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
