Thoughts from RSA and the Climate for Security Startups
Just getting back from a few days at RSA. We kicked it off Sunday night with a boldstart founders and execs dinner where we talked about what’s next in cybersecurity with some of our portfolio companies like security scorecard, bigid, snyk, stealth co and many friends from the industry representing strategic partners and IT buyers. After a couple more days of straight security talk with lots of new vendors, VCs, strategics and CISOs, I wanted to share a few observations. Many of these are not earth shattering but important to cover nonetheless.
- There are way too many cyber security startups. A record $3b went into these companies in 2016 and $2.5b in 2015. Many startups are features or products and not businesses. Each category and mini category used to only have a few vendors and now you can expect up to 10. Lots will struggle and go out of business and industry consolidation is ahead.
- That being said, cyber security budgets keep increasing! Banks like JP Morgan spent $500mm on security and yet they are still not secure. While many large cos will still buy from best of breed startup vendors, the landscape is changing as Palo Alto Networks and Symantec keep incorporating new tech and provide an integrated seamless stack.
- Which leads me to my next point. One CISO of a large bank told me that his team met with over 300 vendors last year. Large companies can’t possibly integrate all of these disparate technologies and the more you have, the more false positives you have.
- Rise of Nation State attacks — more sophisticated and deadly — many are targeting the largest financial institutions.
- There is a huge skills gap as there isn’t enough amazing talent to meet the demand.
- If you look at security market into 3 phases, before, during and after an attack, most money used to go in before phase. Now more is going into the during and after phase.
- Hackers are also using machine learning and so it is a cat and mouse game.
- Despite all of this, the weakest link is still people and social engineering. Simple fixes like patching vulnerabilities and 2 factor authentication can go a long way in preventing some of this mess. Getting rid of passwords can also help — biometrics? Anti-phishing, employee training?
- Assume you are breached — find needle in haystack — better use of machine learning to automate work flows on incident response and back end vs playing cat and mouse game of guarding the gates.
- US more at risk of cyber attacks than other countries — critical infrastructure is not state owned and we are more interconnected than many other countries — we have more to lose.
- Seeing more and more folks come out of NSA and our offensive and defensive cyber teams to start new companies — reminds me of all of the startups with IDF alumni.
- Does move to cloud change security landscape — do we need security purpose built for that or can old box vendors, etc adapt to this world of changing end points.
- Dev Sec Ops finally getting attention — as we move to world of continuous integration and deployment, incorporating security as early as possible will be critical and this means with the developers.
- Is PII and GDPR real? The more conversations I had it sounds like there will be some teeth and huge penalties for not following these regs.
- Security is now a business issue – corporate boards are aware and want to understand their risk posture.
- All is not lost! Funding for security startups will slow down this year from last year’s $3b, but there will still be plenty of cash flowing for those lucky few who can show escape velocity.
- Just don’t tell CISOs that all the stuff they bought is junk and they need a forklift upgrade — find a way to add value to existing layer and you can always weave your way deeper into their processes and infrastructure.
Also published on BeyondVC