It’s a herd mentality out on Sand Hill Rd. Over the past few years, VCs shied away from many infrastructure and security companies, preferring to bet on cloud computing, mobile computing, and social networking startups.
Now that these markets are saturated and somewhat stagnant, VCs have returned to the information security market like the swallows of Capistrano. According to PWC and the National Venture Capital Association, security funding in 2012 was up 60% over dollars committed in 2010. Judging by the crowds at the RSA Conference in February, I’m sure that VC investment will grow precipitously in 2013 as well.
Yup, security-focused VCs are busier than a Sommelier at Madera in Menlo Park. Why the change of heart? Money. The Sand Hill Road phat cats are willing to bet on security because they see:
- IPO success stories. Imperva, PAN, and Qualys have all gone public over the last few years while FireEye is warming up in the on-deck circle. Few, if any, other technology sectors share this kind of success.
- Executive participation in cybersecurity. Between APTs, hacktivism, cyber war, and identity theft, mainstream news outlets have been far more active with cybersecurity coverage. These news stories have gotten the attention on mahogany row – ESG research indicates that 47% of enterprise CEOs have become more actively involved in defining cybersecurity strategy. Now that business executives see information security as business-critical, they should be willing to increase budgets and fast-track impactful projects.
- Increasing federal activity. President Obama issued an executive order and is once again pushing for legislation. In the past two weeks, POTUS discussed cybersecurity with the new Chinese President, and held a meeting with a panel of CEOs in Washington. The wheels turn slowly in Washington, but cybersecurity is getting more attention on both sides of the aisle. Cybersecurity legislation could open up the spending flood gates just like PCI DSS did around 2005.
- Quick enterprise opportunity. In spite of the fact that enterprises spend billions of dollars on security technologies, they remain extremely vulnerable to attack. Hackers have figured out effective ways to circumvent existing security controls forcing CISOs to purchase new security technologies on a steady basis. This is exactly how FireEye got in the enterprise door quickly and effectively.
For these reasons alone, information security startups have never been more attractive so VCs are pushing their agenda faster than a Tesla driving up the 280. Based upon the herd mentality, most of the money will flow into companies claiming to have a better mousetrap than PAN and FireEye but these markets are getting more crowded than breakfast at Buck’s in Woodside.
In my humble opinion, the money crowd should focus their attention in:
- Enterprise security operations automation. Forget all the fancy technology, the CISO and his/her staff can’t keep up with the workload – much of which is based on manual processes. Given the security skills shortage, they can’t hire their way out of this so they have a choice: Automation or Services. Both of these areas will grow making them ripe for investment today.
- Security middleware. Sophisticated enterprises still anchor information security with an army of point tools. They may settle on one vendor but it will take years to fully amortize all of the myriad technologies and appliances. A security software architecture that acts as integration glue could be a real winner.
- A security expert system. Yeah, I know this sounds like something Marvin Minsky might have suggested in 1975, but it would be a worthwhile technology today. CISOs need to change security tactics all the time based upon new threats, vulnerabilities, and IT initiatives. It would be great if they had some type of rules engine to help guide them through intelligent analysis around investigations, risk management, and remediation activities.
VCs tend to look for quick ROI so I’m not sure that anyone other than In-Q-Tel will have the patience for bigger more sophisticated projects. Nevertheless, there could be some grand slam homeruns for VCs and entrepreneurs who think outside the restrictive security box.