The night I closed our investment in my 12th data security deal, Cyota, my wife Nathalie took me to see the Bourne Supremacy in Mountain View. On the way, she asked why I seem to keep investing in what sounds like the same company over and over. That's a fair question, and one that many people ask about the VC industry in general.
As we approached the theater, I tried to think of how to explain the fluid nature of the data security threat. Walking in (thanks to Fandango we righteously bypassed the long lines of teenagers), I noticed that the theater had just implemented its own security program to mitigate Movie View Theft by patrons who would watch a second film without paying. Instead of collecting tickets at the front door, tickets were now collected at the two hallways off the lobby, to where customers were ushered out as each film ended. No ticket, no second movie.
So I said: watch this. I stood by the front door, waited for a lull in traffic, and then nonchalantly proferred my hand toward the next approaching bevy of teenagers. "Tickets" I murmured.
Once the first victim handed me his ticket, the rest were cake. Tickets accumulated in my hand as my victims jabbered on about football games and SAT prep. I collected half a dozen and stopped. A good 5 minutes passed before they wafted over to the hallway, encountering another ticket stand (by then I could have sold the tickets to folks standing in line). Another 2 minutes passed as they tried to figure out which of them had the tickets! As it dawned on them that they had been phished, I returned their assets (and thankfully they didn't kick mine).
Security systems are not like computers or network switches, which improve over time and asymptotically approach perfection. To quote Justin Label, security is a Man v. Man problem, not Man v. Nature. Creative and motivated thieves respond to every new security system with a workaround, and so the best we can ever hope to do with the safety of our computer networks is tread water.
That's why we will always need more startups--hungry, brilliant teams that innovate new defenses against phish, pharm, spim, spam, malware, keystroke logs, worms, slipstreamers, spoofs, bitlets and packetflies (ok, I just made up those last two).
I'm not saying that enterprises like to buy stuff from itty bitty startups. Of course they prefer Integrated Suites deployed on Unified Appliances with Management Consoles and Event Correllation, all packaged up in nice yellow boxes from big companies with beefy, publicly funded balance sheets. And if the suite doesn't stand up to new attacks, other enterprises will suffer downtime too, providing an excuse that promises the buyer some hope of job security. Think of wildebeasts, who survive by sticking to the middle of the herd.
But yesterday's security suite can never withstand today's attacks, and so the suites need a constant injection of startup-style innovation. The big acquisitions that characterized data security for the last 2 years (Neoteris, Riptech, Recourse, Pedastal, Netsec, Entercept, Okena, Intruvert...) do not signal a phase of consolidation (as widely reported); the M&A trend, rather, is a fixture of the new ecosystem.
And so Bessemer continues to launch new companies in partnership with the industry's best and brightest minds in data security, like Dan Farmer (Elemental), Bruce Schneier (Counterpane), MIT Professor Ron Rivest (VeriSign), MIT Professor Saman Amarasinghe (Determina), Paul Mockapetris (Nominum), Mark Maiffret (eEye), Gene Spafford and Gene Kim (Tripwire).
It was right after I affirmed this final proclamation that Nathalie kissed me on the cheek and said: Shut up, now, the movie's starting.