The persistent and recent security hacks reported in the media remind me that we are unsafe. In spite of many dollars and much effort, the arms race against black-hat initiatives continues.
Security is a sector that continues to intrigue me. At my previous firm, I was a founding investor in Bit9, which recently announced a major financing led by Sequoia. CEO Patrick Morley is a rock star.
Yet, the sector also concerns me. Few start-ups will hit Bit9’s inflection point. Few companies can recruit a Patrick Morley, who knows when to up the burn and when to hold off.
Many security start-ups have capital-intensive business models involving many expensive field sales people. Get it right, and you’re golden. Get it wrong, and you’re sucking down a lot of capital quickly. You get it half-right, and you still need a lot of VC money, which means the start-up’s founders may not make much money in an exit.
Would love to hear from folks about next-gen business models for security.
Jo –
As a Risk professional, I couldn’t agree with you more; there isn’t a day that goes by where you can’t find an article or report of a security breach somewhere. Some are external (Black Hat) but the vast majority are inside jobs (disgruntled employees or simply employees trying to “get around” the layers of security that are in place); let me explain – the bank that I work for has a control standard that states that “no confidential or restricted information will be stored locally on any device” and should be kept on the “shared” drive provided to the employee. Each year the Bank logs over 15,000 reports of lost devices (laptops, smartphones, thumb drives); the biggest issue with these reported losses is not the value of the device itself but of the data stored on those devices.
I believe that part of any good security plan should involve employee training and “social engineering”. We have become very good at detecting and averting DoS (Denial of Service) attacks, phishing, Trojan Horse attacks and other various potential vulnerabilities and incidents. Our biggest problem is still the “human factor”.
So to your question about a business plan for a startup security firm, here are my thoughts:
1. Any business model should include a good SETA (Security Education, Training and Awareness) program.
2. There are a myriad of tools and applications out there that perform penetration testing, network scanning, patch vulnerability testing, etc.; get away from becoming technology centric and take a more holistic approach – to wit – more of a consultancy than a software vendor.
Thank you for your thought-provoking insight. I look forward to your comments!
Hi Sebastian, thanks for writing. I think we think the same way. We’ve actually looked at a few companies looking to “productize” SETA, but haven’t found folks who have succeeded in doing that. Usually, what we find is services companies with some product “leave behind,” but the unit economics aren’t that interesting due to the need for customized content.