The Age of Resilience – Security in 2017

Security is one of the few tech sectors that thrives primarily thanks to the cruel intentions of bad actors. White hats and black hats exist symbiotically. Without the criminal element to create demand, CISOs would just hang up their spurs and call it a day.

While the tension between adversaries is a necessary function of the security industry, and spurs innovation, 2016 was an especially brutal year for the good guys.

So let’s begin 2017 with a sense of gratitude, because at least 2016 is behind us and having seen the best that black hats have thrown at our collective networks last year, now is the time for the white hats to respond.

From meddling with elections to the IoT bot DDOS attacks, we experienced pain, but I believe we are entering a golden age of security automation and resilience.


Security is still hot

This market is Yuge

Gartner estimates that the security market size will be $120bn by 2020. In my While last year’s predictions for the market were significantly higher ($170 billion vs. $120 billion) the size of the industry is vast. A few unicorns can still range across the market without poking horns into each other’s eyes.


And look at the services portion of the market pie – it’s $55 billion — big getting bigger. If you are a security startup and think it’s all about auto-magical products, think again. Forget that VC mantra of all product and no service — listen to your customer. Managed security service providers are growing at triple digit rates. Even though it’s somewhat annoying, a self-congratulatory pat on the back is necessary here – we called this “need for security services” last year.

The incumbents need help 

All the major security companies – Symantec, Cisco, HP, Juniper – cannot move fast enough. Partnerships and acquisitions are the way.

As of November 2016, Momentum Partners tracked over 120 mergers and acquisitions transactions worth over $17 billion. Symantec acquired Blue Coat for $4.7bn and Lifelock for another $2.3bn. At Bluecoat, Greg Clark and Mike Fey grew by acquisitions.

They are now leading Symantec, so expect more acquisitions. And partnerships. Cisco completed its twelfth security acquisition – Cloudlock – this year. Oracle acquired CASB Palerra and DNS provider Dyn. And HP, Juniper, and Microsoft are likely to get on the prowl soon.


VC Investments cross $4bn

In 2016, VC investments crossed $4 billion. At least three venture capital funds are dedicated largely to security – Trident Cyber Security, Allegis Capital and TenEleven Ventures.  When we cut the investment data (sourced from Pitchbook & Momentum Partners) by number of deals done, this market is flattening.

The number and size of later stage investments and rounds continue to grow as do their valuations. For entrepreneurs the message is clear — investors will fund your growth, not your powerpoint slideware. Seed stage valuations are lower, which is good for seed stage investors like me.


But the counterpoint is that I also see a lot of noise, me-toos and junk. Tracking some 1200 companies, these sub-sectors are obviously overheated. Put it differently, over $20bn has been invested in 1700+ security companies since 2010. By any estimates, less than 10% are profitable. And while we have a few Unicorns, we have yet to see meaningful exits.


Capital invested since 2010 ($bn)

Number of companies

Security & Vulnerability Management



Web and App Security



Network Security



Identity & Access



Endpoint Protection




May God bless America… and my CISO

Religious overtones aside, it’s time we put the spotlight on the soldiers of the digital age. It will be sometime before we start giving out Congressional medals of honor to CISOs – the silent majority who protect our data every day. In the meantime, take a minute to empathise with their condition.

A typical CISO has to deal with at least twenty five different technology solutions to identify, protect, detect, respond  and remediate their assets. And the range of assets include applications, data, endpoints, networks and identity. Stuart McClure, CEO of Cylance pointed out that the CISOs are often the fall guys when things go wrong. Their role has been relegated to a Chief Apology Officer. The C suite / board needs to understand that a CISO is the soldier on the front lines. They need to be respected, honored and protected, sometimes from their own management hubris. And when they are done with protection, the sales guys never stop.


2017 – The Age of Resilience

As we look at 2017, it’s evident that the CISO has moved from “we will be hacked someday” to “we are already compromised” to “give me that disaster recovery solution NOW.” It doesn’t get any worse. The mindset has moved precipitously towards hot backups in the age of ransomware and DDOS.

This is leading to new opportunities such as splinternet, where new companies will create tightly controlled overlay networks. Networks and security are no longer separate conversations and this trend will create a whole new set of opportunities over the next five years. Notwithstanding the regulatory / data residency laws, the push for a closed network is driven by the fact that security will never keep us 100% safe. So its time to extend the span of control into the traffic.

Other growth trends include the push for automation in the era of talent shortage. The hype of AI has already set in but a lot of remains to be proven.

The 2016 DARPA Cyber Grand Challenge was an epic milestone but its commercial implications are yet to be achieved. With 86% workloads anticipated to move to the cloud by 2020, data center security is rapidly gaining traction. Visibility and orchestration are major themes that are playing out well.

Before Amazon Web Services kills everyone and reigns the world, several startups are optimistic enough to address this market opportunity. As we look at IoT, physical security becomes of paramount importance. Companies like DeDrone (backed by Menlo Ventures) are redefining data center security.

Industrial automation and oil/gas verticals are amidst major overhaul. Tom Le, Executive Director of Cyber, GE Digital Wurldtech remarked that “OT is at least 15 years behind IT, and that gap is only growing wider.” ExxonMobil is working with Lockheed Martin to develop process automation infrastructure. By some estimates is a $40 billion expenditure. Companies like Security Matters (backed by Bosch Ventures) Tempered Networks (backed by Ignition, Rally Capital) Indegy (backed by Aspect Ventures) and Nozomi Networks (backed by GGV) have raised capital in 2016 to solve for “critical infrastructure” security.

Lines and dots interconnecting, conceptual illustration.

Image courtesy of Getty Images.

What must change

As we look at 2017, I hope for three changes:

Security vendor accountability ought to get better. We can no longer operate, as some accuse us to be, as snake oil salesmen. Fear driven tactics never work in the long haul. Shame on us when ransomware ‘vendors’ offer SLAs and we cannot. Shame on us if we cannot “red team” our own security products.

Secondly, design matters. Our products are not for nerds but for noobies. They have just arrived, on their second day in that SOC. They should be able to use your products, integrate it easily without a CISSP / PhD.

Finally, security sales should induce less nausea and more joy. Bob Lord, CISO of Yahoo who has been beset with “got a minute?” sales calls pleads, “Never pitch a transaction. Please.”  So let’s aim to solve problems and win customers for life. That’s better than being slick and winning a deal. Lets empower the frontlines. Because it impacts all of us.