Wednesday, July 13, 2005

Too Many Security Startups?

The night I closed our investment in my 12th data security deal, Cyota, my wife Nathalie took me to see the Bourne Supremacy in Mountain View. On the way, she asked why I seem to keep investing in what sounds like the same company over and over. That's a fair question, and one that many people ask about the VC industry in general.

As we approached the theater, I tried to think of how to explain the fluid nature of the data security threat. Walking in (thanks to Fandango we righteously bypassed the long lines of teenagers), I noticed that the theater had just implemented its own security program to mitigate Movie View Theft by patrons who would watch a second film without paying. Instead of collecting tickets at the front door, tickets were now collected at the two hallways off the lobby, to where customers were ushered out as each film ended. No ticket, no second movie.

So I said: watch this. I stood by the front door, waited for a lull in traffic, and then nonchalantly proferred my hand toward the next approaching bevy of teenagers. "Tickets" I murmured.

Once the first victim handed me his ticket, the rest were cake. Tickets accumulated in my hand as my victims jabbered on about football games and SAT prep. I collected half a dozen and stopped. A good 5 minutes passed before they wafted over to the hallway, encountering another ticket stand (by then I could have sold the tickets to folks standing in line). Another 2 minutes passed as they tried to figure out which of them had the tickets! As it dawned on them that they had been phished, I returned their assets (and thankfully they didn't kick mine).

Security systems are not like computers or network switches, which improve over time and asymptotically approach perfection. To quote Justin Label, security is a Man v. Man problem, not Man v. Nature. Creative and motivated thieves respond to every new security system with a workaround, and so the best we can ever hope to do with the safety of our computer networks is tread water.

That's why we will always need more startups--hungry, brilliant teams that innovate new defenses against phish, pharm, spim, spam, malware, keystroke logs, worms, slipstreamers, spoofs, bitlets and packetflies (ok, I just made up those last two).

I'm not saying that enterprises like to buy stuff from itty bitty startups. Of course they prefer Integrated Suites deployed on Unified Appliances with Management Consoles and Event Correllation, all packaged up in nice yellow boxes from big companies with beefy, publicly funded balance sheets. And if the suite doesn't stand up to new attacks, other enterprises will suffer downtime too, providing an excuse that promises the buyer some hope of job security. Think of wildebeasts, who survive by sticking to the middle of the herd.

But yesterday's security suite can never withstand today's attacks, and so the suites need a constant injection of startup-style innovation. The big acquisitions that characterized data security for the last 2 years (Neoteris, Riptech, Recourse, Pedastal, Netsec, Entercept, Okena, Intruvert...) do not signal a phase of consolidation (as widely reported); the M&A trend, rather, is a fixture of the new ecosystem.

And so Bessemer continues to launch new companies in partnership with the industry's best and brightest minds in data security, like Dan Farmer (Elemental), Bruce Schneier (Counterpane), MIT Professor Ron Rivest (VeriSign), MIT Professor Saman Amarasinghe (Determina), Paul Mockapetris (Nominum), Mark Maiffret (eEye), Gene Spafford and Gene Kim (Tripwire).

It was right after I affirmed this final proclamation that Nathalie kissed me on the cheek and said: Shut up, now, the movie's starting.


  1. Anonymous10:17 AM

    Totally agree David. So great to see the stance that "industry consolidation" is vapor. When I started covering security for Gartner in 2000 there were 500 security companies world wide. Now my count is approaching 1,500. In the meantime there have been a few dozen acquistions and about five failures (Pilot Networks, Gillium, are the only two that come to mind).

    security is not like ERM, or CRM, or CAD/CAM. It does not go through a maturation cycle leading to consolidation.

    Keep posting. This is great stuff.

  2. Its kind of interesting that you bio claims you are Jewish and athiest (a bit incompatible). In your post though you note that man-vs-man is different than man-vs-nature. Man really does have a special place in the world. :)

  3. Anonymous8:05 PM

    It's time to come home now David. The French are harmless as always



  4. "But yesterday's security suite can never withstand today's attacks, and so the suites need a constant injection of startup-style innovation."

    You know I actually disagree with you in regards to securing the enterprise. While I do agree that people are constantly finding new ways to exploit software through malicous code and hacking, the basic methods of how networks and systems are exploited havent changed very much. New viruses, worms and hacking techniques are discovered at a rate of about 16 per day but the basic methodologies really havent changed. What seems like change is realy the technology catching up. Only it doesnt feel that way because we all think that security threats pose a daily challenge. While it is true that security incidents are growing rapidly, hacking still remains very rare and most virus and spyware infections only slow performance. In fact my own subjective experience working with enterprise and mid-market companies on security suggests that it is more normal for them to have vulnerabilities that could easily be exploited by any script kiddie with access to nessus, nmap and a search engine, than it is for them to even be up-to-date on patches. Why? Because when companies get hacked or a worm takes them down they expereince tremendous pain, but this just doesn't happen all that often. Its kind of like earthquake insurance and I don't know anybody that has an earthquake policy.

    I'll try to explain with a semi-concise example of technology catching up to old techniques in security. First companies started deploying firewalls block private networks from public access. Next the focus shifted to vulnerability assessment to ensure that access granted through the firewall to web/mail/file/etc. servers couldn't exploit weakneses in the operating system or pre-packaged applications. The next growth area seems to be web-application assessment tools that attempt to find vulnerabilities in proprietary web-applications. So in 10 years of security evolution we've now gotten to the point where companies can use automated tools to secure their propietary web applications. Yet hackers didn't just spawn the idea for injecting sql code into a proprietary web application to exploit it last week... in fact its often how systems have been compromised over the last 10 years. The difference is that 10 years ago there was much lower hanging fruit in that without a firewall many attacker simply waltzed into the network they were targeting. With the exception of things like wireless attacks that have spawned from new technologies, security incidents revolve around the same types of exploits they always have: social engineering, unintentional exposure of network access, operating system and application vulnerabilites and password cracking.

  5. Anonymous1:09 PM

    Great post ...

    Start shameless self promotion: Want to invest in another security company?
    We're taking video surveillance to a hosted services model. We get the data offsite in real time via the broadband connection (even an asymmetric one) and provide a recurring revenue model to the channel.
    End shameless self promotion.

    Anyone ever pitch you on a blog post before? It was my first time.