Perimeter

3/26/2013
06:56 PM
Mike Rothman
Commentary

Follow The Dumb Security Money

When security companies raise big funding rounds and spend big bucks at security conferences, be afraid -- very afraid

It was amazing to see how excited folks were at the recent RSA Conference. Things were great! Every company was doing great! It was like hanging out with Tony the Tiger for a week. When things seem too good, they usually are, and the contrarian in me goes into overdrive. I'm constantly looking for chinks in the armor, and over the past weekend I found it. I read two articles over the past week, both excited that venture capital money is flowing back into security. We are now seeing security companies raising huge rounds of funding at what must be huge valuations. Being an analyst, I'm approached by lots of new security companies overflowing with VC cash, trying to get my attention. Having seen this cycle more than once, I know what time it is. It's the time when the dumb money returns to security.

The funding wave is usually driven by some new kind of overhyped problem, with dozens of companies launching largely the same ideas and technologies to solve said problem. In security we are fortunate to have three. Between anything "cyber," BYOD, and advanced malware (which really means keep the Chinese out), security has become a board-level issue. And who hangs out with CEOs and board members? Right, the VCs. So inevitably VCs get interested in the market sector, especially if they perceive innovation happening. Especially if that innovation is magical and hard to understand (like security) for the typical business school pukes who inhabit the lower rungs of the VC food chain and chase most of the deals.

No, I'm not talking out of my backside. I spent the better part of a decade working with VCs, both as a company founder and as a senior executive in venture-funded start-ups. When I was the company founder, we had pretty smart money for the first two investment rounds. This was when the Internet bubble was just forming and the investors had lots of security and telecom experience. By the time we were ready for the third round, we needed more money and the Internet bubble was exploding. We looked for smart money, but they didn't like the valuation or our momentum (or lack thereof). We found some dumb money and got the deal done. To be clear, they weren't dumb guys, but they didn't understand the security business. They were smart guys with too much money, trying too hard to get exposure to a hot market sector.

Then we learned that our technology partners were going to screw us. And they did. At around the same time, the Internet bubble popped, and we sold that company for the remaining money on the balance sheet. But I learned a lot, so there's that.

Why do I bring up my tattered history? Because we are likely to see the same cycle repeat. It seems all a company has to do is say they do "BYOD," have a network anti-malware gateway, or do something related to security big data, and they have VCs falling all over themselves to write checks. The companies will raise the money at valuations that are too high, set expectations that are too high, and need to spend like drunken sailors (for example, a 30-by-30 RSA Conference booth for a start-up) to perpetuate the myth of market leadership and momentum.

I've seen this movie before. So have you, but you may not have known that the catalyst for the crazy behavior was investors who paid too much to get a piece of these hot companies.

Contrast that with how smart VCs behave. These folks never left security. They've been in the market, usually as operating executives with extensive contacts among the smart folks who build security products. They've been providing seed funding and early-stage money for proven entrepreneurs for the past five years. You know, when security wasn't sexy. Before "cyber" became common CNN fodder. These investors provided the first money into companies like Palo Alto, even when it wasn't "cool" to build a new firewall. They stuck with a company like FireEye while it started and restarted three times to figure out and find its market. The smart VCs know the right security entrepreneurs, and they will fund a company at any time, macroeconomics and hot market sectors be damned.

But even smart money isn't always right. I worked at a company that thought it was the next coming of NetScreen (you remember NetScreen, right?). They were wrong, but that didn't stop them from raising a lot of money at an insane valuation with a very smart VC leading the investment. That company ran into some challenges, which had nothing to do with hiring me as the marketing guy. That's my story and I'm sticking to it. They eventually got acquired, but the investors didn't make much money on that deal, mostly because they bought too high and couldn't sell for enough to make it work. Even smart VCs don't always hit a home run, but they hit a lot of singles and doubles.

Turns out the dumb ones pretty much never hit home runs, and they don't hit many singles, either. When the lemmings start jumping into the frigid waters of security investing, it means the market is ready for a correction. We're starting to see some weakness from the public security companies, albeit after a stellar 2012 and very tough year-over-year comparisons. Does that mean we won't see innovation from some cool security companies? Of course not; innovation continues to happen every day. But the beanstalk doesn't grow to the sky, and at some point even the hot companies come back to Earth.

Why do you care? You just make this stuff work, right? You care because you lived through the Internet bubble, right? If you were in middle school or something back then, ask one of the grumpy old guys in your shop what happened when they made a big commitment to the "market leader," who then went belly up. You can probably still buy a Cobalt server on eBay, just in case you were wondering. Now is the time to do extra diligence before making a strategic purchase of a product or service.

Or you can buy high and sell low. That's usually a good strategy for success.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
