
Investment and innovation in security October 9, 2009

Posted by jonathanpenn in uncategorized.

Last week I attended a small investor/entrepreneur event in Palo Alto run by the Global Security Challenge (GSC). There were about 50-70 people in attendance: a mix of entrepreneurs, VCs and other investors, and other companies interested in emerging and innovative technologies (i.e., potential acquirers and tech/channel partners).

The heart of the event was indeed a competition: several companies gave their elevator pitches to the crowd, followed by a more detailed presentation privately in front of a panel of judges. I guess you could say it’s sort of a blend between Star Search and Star Chamber. At the end, the winners (there were two: one for “startups” and one for “SMEs”, as defined by their revenues) were announced, who each received some additional investment money as a prize.

In between the pitches and the announcement of winners, I had the pleasure of moderating a panel on the state and future of security investment and innovation. It was a great set of participants: Asheem Chandna (Partner at Greylock Partners), Jay Chaudhry (CEO of Zscaler, and former CEO of CipherTrust), Jon Fisher (former CEO of Bharosa, and author of Strategic Entrepreneurism), Ed Batts (of DLA Piper LLP), and Amit Raikar (a Business Development manager with Symantec’s Enterprise Security Group).

When assessing the state of innovation and investment in security, there were several areas of contention as well as consensus. I won’t ascribe any statements to any panelist, and it’s not the case that all the participants even agree with this, but here are my own take-aways from the conversation:

  1. Investment in security is down, and the opportunity for entrepreneurs isn’t what it used to be. This will remain the case for at least a few years. Most IT security segments aren’t going to yield the next big company. In many cases, there won’t be a next big company. Most acquisitions in security are valued under $50m, so entrepreneurs make big bucks in IT security right now. There are a few areas of IT in general getting attention. Clean tech, biotech, and other areas are capturing the greater attention and dollars of investors. This does not spell the end for security innovation, but it does represent a pause.
  2. Where are the big investments and big opportunities? There was not a lot of consensus on this, but here’s my sense.
    • Fraud. Fraud is discretely identifiable as a multibillion dollar problem today. However, most of the antifraud solutions I see today are really authentication solutions, and that’s not what we need – no more risk-based authentication, no IP geolocation, no OTP over SMS. The problem isn’t only account takeover; though that’s certainly an issue, a lot of fraud occurs without accounts and you often have fraud even when people are who they purport to be. What’s needed are solutions in the areas of device and identity analytics/reputation that have nothing to do with login and accounts (companies like Iovation, ThreatMETRIX, or Ethoca) and transaction analysis (Cybersource, Norkom, etc.).
    • Consumer security in the areas of identity and privacy. Consumer security concerns have moved off the desktop. The big worry for consumers isn’t malware on their machines, it’s that their identities and identity data can get compromised in other ways. Another big issue is privacy of their web activity: sites visited, items bought/browsed, and search terms entered. Unlike PII, this is information that is not given with consent, but gathered surreptitiously; and consumers are a lot more concerned about this information than much of their PII or other personal data.
    • Cloud-based security. In 5 years, there will probably be a few big companies that are fairly or very small today. Four of those five will have cloud-based solutions. That is to say, cloud (or SaaS, if you like) will be the delivery model; it’s not that they will offer security of the cloud, but in the cloud.
    • Homeland security / physical security. Physical security is now IT-enabled: it’s no longer just gates, guards and guns. Video analytics, event monitoring and management, managed services, provisioning, and many other areas are ripe for opportunity. Then there’s the whole homeland security area: billions of dollars are being spent on IT-based security systems that have nothing to do with “IT security” in the classic sense (i.e., security of an organization’s IT systems). TWIC and CIP efforts, border control, anti-terrorism efforts, etc. The IT security market is dwarfed by this activity; just as a gauge to what IT security folks are missing, I recently attended the ASIS conference in Anaheim, and estimate that the size of that show was about 5x-8x bigger than the RSA Conference.
  3. Consolidation in the IT security industry will continue through 2010. Valuations are historically low (or at least back to historical normality). Big vendors are sitting on lots of cash. Everyone is eyeing the market and there are some good opportunities. Also, smaller companies with unproven technologies are having a harder time getting market traction. I’ve written about this in my report “VC Trends In IT Security”, which analyzes about $700m of investment activity in the IT Security market during 2008.

