The infosec reckoning has arrived

After years of bubbling valuations and buzzword-laden marketing, customers are getting smart around data protection

2018 represented a record year for venture capital investment into information security, but this isn’t a positive trend – and it definitely doesn’t mean we’re more secure.

An unwarranted percentage of solutions being funded are not solving the problems defenders face the most. And with high numbers of lackluster information security startups failing to meet the needs of their customers, you might expect downward pressure on valuations. 

Instead, 2018 also saw record valuations, both because venture capital firms benefit from them, as will be explained in this article, and because so many investors are unfamiliar with the information security space and simply don’t know better. Defenders are beginning to be fed up, and there has to be a reckoning if we want progress in securing our digital systems.

In March 2019, tens of thousands of security professionals will descend upon San Francisco, making their way through a labyrinth of security solutions on display at the RSA Conference in a quest to find a solution that fits their specific needs. In their way stand 650 exhibitors, a cacophony of booth distractions ranging from delightful to distasteful, buzzwords assaulting their eyes in hundred-point font offering a cure for the latest and most vicious threats – threats that are more likely fantasy than reality for most attendees. 

In classical Greek mythology, the heart of the labyrinth contains a Minotaur who devours all who enter. In our modern information security reality, startups devour the dollars of security professionals and investors alike, with unproven promises luring the less informed into their grasp.

In 2018, over $5 billion was invested into information security startups in about 300 funding deals total, according to Crunchbase data. How does this large influx of capital improve security? Where does it get all of us, the people whose data needs protecting? Unfortunately, the answers are unclear. 

It is entirely possible that the raging furnace of the information security startup / VC cycle actually is hurting our ability to defend against attacks. First, we must understand how these solutions are failing to meet the market’s needs. Second, we must look to investors and see how their incentives propel them to increase valuations despite lack of value.

Reading time for this article is about 20 minutes. Featured Infosec Bingo Composition by Kelly Shortridge, Image by Nipitpon Singad / EyeEm via Getty Images.

Solutions in search of a problem 

Information security startups are not addressing their customers’ most pressing challenges. Arguably, the more money flows in, the less carefully they research how to make the greatest positive impact on a security program. It is fruitless to point a finger at one cause. 

One factor is a gravitation towards what is cool from a technical perspective, compounded by a lack of consideration towards sustainable customer value. Another factor is a predilection for incremental improvements on existing solutions. Finally, the potency of flashy marketing can obfuscate deficiencies in the value security startups provide. All are worth exploring.

It is often easy to sniff out when founders wanted to flex their technical muscle and build something they thought was cool, rather than finding a customer problem they wanted to solve and figuring out how best to do so. This backwards approach then requires these startups to search for – or worse, invent – a customer problem to solve with their ostensibly sexy technology. 

As Esteban Gutierrez, Director of Information Security at a publicly-traded SaaS company, observed, “The VC crowds approach things from the perspective of ‘what problems can we find to make money off of?’ and not the perspective of what are actually the problems people are having with keeping their data safe, having easy control over access to their digital stuff, or how can we actually make things better (so much blockchain).” 

There is a dreadful disconnect between what is important to security practitioners and the problems the majority of startups being funded are supposedly solving. The vast majority of information security teams do not spend their days stopping an unknowable threat, referred to as a “zero-day.” 

Instead, they are focused on the routine and frustrating tasks such as threat modeling, policy definition and enforcement, risk reviews, configuration management – or if they’re lucky, working on automating these mundane tasks through custom scripting. Further, only after basics are met in the security “hierarchy of needs” can defenders even begin to consider addressing unknowable threats in a meaningful way. 

Regulatory compliance – from HIPAA, PCI, and SOX to, most recently, GDPR – drives a substantial portion of budgets in information security, despite being considered the dullest segment of the industry. Compliance violations are what most often lead to fines or customer losses – not ultra-sophisticated attacks by nation-state actors. So, information security teams are instructed to spend their time avoiding these violations as the first priority of what their security program should cover.

Regrettably, the information security industry thrives on the drama of devastating vulnerabilities. In many cases, founders with security backgrounds concentrate on building technology to exclusively detect or stop the most sophisticated possible attacks. This pursuit represents the flipside of finding noteworthy vulnerabilities and developing elite exploits – the currency of respect within the industry with which these founders are familiar. 

In contrast, one of the industry’s most recent massive successes happens to be a good case of user research, despite investors initially disregarding its potential for explosive growth. Duo Security, which was acquired last year for $2.35 billion by Cisco, was founded by people with notable accomplishments in vulnerability research. 

Yet, to their credit, they understood that the foundation of most attacks affecting enterprises is not the stuff of groundbreaking research papers, but attackers with databases of passwords, simply trying them out to see which still worked – hence Duo Security’s innovation of two-factor authentication that was exceptionally easy to use. By understanding the typical enterprise user’s workflows, Duo Security’s team figured out the best way to integrate security into the enterprise’s work, without adding friction. 

Few information security startups are following Duo Security’s lead, however. As Gutierrez noted, “A lot of VC-backed information security startups don’t actually start their conversation with ‘is this a problem you’re having?’ There are some startups that do it this way, and those are the interesting ones I talk to.” 

This general lack of customer understanding includes assumptions about the effectiveness of startups’ products within the customer’s environment. Information security startups’ value propositions are often predicated on the assumption of underlying orderliness within their customers’ security programs. This assumption couldn’t be further from reality. 

Anne Marie Zettlemoyer, who sits on the board of SSH Communications Security, pointed out, “The reality is that the functionality of many tools requires the hygiene of an environment to be pretty strong to begin with and substantially maintained as well. Why is there so much ‘consulting’ added onto the product for implementation? Because the tool has no chance of either working or showing the business that it is working if you don’t have basics like identity and access management, inventory of assets, network visibility, data classification, incident response plans, etc., in a decent place.”

There’s too much focus on incremental tools

Another reason why information security startups’ tools fail to provide value in customer environments is because they focus on developing a niche feature, rather than a true product. A product solves a problem in a range of contexts. A feature adds value to a product, but is likely for a specific context. 

In other words, a product is valuable on its own; a feature needs something else to provide its full value. It is far easier for a customer to describe the bit of supplemental value they’d like to extract from an existing product than to articulate how the way they do their work might need a fundamental overhaul. 

For example, when asked, you might wish your vacuum cleaner had a more comfortable grip or more power to reduce cleaning time. You would likely be unimpressed by a company that sold an add-on to your vacuum that provided just one of those improved features, but you might be delighted by the prospect of an autonomous robot vacuum cleaner, which saves both your grip and your time. 

In information security, we often only see the incremental progress upon existing solutions, slight tweaks that create only a sliver of value more than what is currently deployed – not innovative products that reflect a deep understanding of why customers are dissatisfied. This lack of any significant alleviation of customer pain points results from the willingness of investors to fund concepts and the pervasiveness of limited trials – both of which distract from investing in the less-glamorous and more exacting goal of long-term value creation. 

Zettlemoyer explained, “Why are we failing when there are so many ‘solutions’ out there? I think a very strong causation is that many of these tools are good ‘in concept.’ They might have a limited PoC [Proof of Concept] or PoV [Proof of Value], but are they [the vendor, the VC, and the customer] asking the question, ‘What does it take to make sure this tool is adding sustained value?’”

This trend towards incremental improvement is also what leads to the extreme fragmentation of solutions within information security, making it even harder for defenders to figure out what will actually solve their challenges. Those outside the industry may view “information security” as a single category of products. However, there are dozens of subsectors within security that each have their own cluster of vendors.

As Will Lin, a Founding Investor and Principal at Forgepoint Capital, noted, “It’s possible to invest in 40+ security companies that don’t compete against each other. There are multiple customer categories in security and customers on average have 75 security vendors in their environment.” One investment bank lists a stunning 46 sub-categories within information security in their market map. 

By way of analogy, imagine if you look around your house and notice it’s dirty. The logical approach would be to create a list of things to do to clean each room, identify the tools needed to do each of those things (vacuum, mop, duster, etc.), buy the tools if you don’t have them, and then go room by room, cleaning. 

Now imagine that the only stores from which you can buy vacuums, mops, and dusters tell you things like, “your old vacuum cleaner just won’t do, this one is nuclear-powered and also self-propelled.” They also start identifying rooms in your house that are dubiously rooms, like crawl spaces, and propose solutions to clean those rooms. 

If you spend all day at the department store being pitched on increasingly outlandish cleaning products – perhaps a trained army of rats with dusters, and a cat to catch and eat all the rats after they’re done – not only will you probably buy something very useless, but your house also won’t get cleaned.

You can imagine the frustration and helplessness you might feel at being pushed to buy all these unnecessary solutions. You might even be angry when realizing investors were pouring money into these startups to power marketing meant to overwhelm you, rather than to create tools that actually help you. Information security startups overcome the need to prove usefulness with aggressive marketing. 

Running the buzzword treadmill

The problem outlined here must seem real in order to sell the startup’s solution, so it is not uncommon to see content aimed at making security practitioners think they have blind spots or deficiencies that are, in fact, far less critical than the vendors would have them believe. This leads to the creation of the buzzword treadmill we observe in information security – from everything mentioning “cloud” five years ago to the unrestrained use of artificial intelligence (“AI”) today, peppered with inane phrases along the way like “unparalleled actionable insights.”

From Gutierrez’s defender vantage point, he observes, “The lack of transparency, specifically, [means] sometimes it’s almost impossible to tell what a startup is doing.” Buzzword-laden marketing language obfuscates what a company actually does – which shouldn’t be needed if the startup is confident in their ability to solve a worthwhile customer pain point. Key marketing phrases Gutierrez noted such as “blockchain, AI, ML (machine learning), resilience, threat intelligence, behavioral analytics, and ‘network superiority’” make it difficult to discern how, exactly, a startup is looking to make a defender’s job easier.

Zettlemoyer suggests that investors and security professionals spend more time asking the right questions of startups upfront in order to understand the value of the product and the problem it is trying to solve. “If you put ‘So what?’ and ‘How do you know?’ on the end of every claim, that would be a good start.” 

For example, with a hot phrase like “cyber AI,” these sorts of questions are essential in determining whether buying a risky new technology will actually pay off by helping more efficiently and effectively detect, respond to, and recover from attacks. As Karin Klein, Founding Partner at Bloomberg Beta, advised, “From a technical standpoint, everyone is saying they ‘have AI.’ That’s not true. Security is an area where there are potentially great applications for AI, but we’re not there yet.” 

Experience starts at the top

Security startup founders have even been receiving funding without possessing any real expertise in information security itself. One founder of a startup that claims it will help companies collect, protect, and share sensitive data – meaning our data, as users – is a self-proclaimed “amateur cryptographer” without any experience in information security at all. 

This should be a far cry from the practiced background needed to be the custodian of organizations’ user data. Yet the amateur cryptographer’s startup raised $8.3 million in its Series A (the first major round of financing), led by one of the most active investors in information security, by making meaningless pronouncements such as, “you can’t hack what isn’t there.”

It’s not all buzzword doom and gloom

Vendors actually can and do aid defenders, but often they come from outside the information security sector. Why? Because they are focusing less on “sexy” problems within information security, and more on how to make people’s work in IT easier to accomplish. Applications have been developed which improve IT operations, the byproduct of which is streamlined workflows for security operations and fewer manual tasks that need to be completed. 

One positive trend from 2018 is that we saw increasing investment in some of the categories where defenders need the most help. The top three funding categories were identity and access management (“IAM”), application security, and data protection. IAM is crucial as more work moves into SaaS applications and cloud environments, where credentials are more important to protect than machines on a specific local network. Additionally, as more companies build software as a new delivery method for their services, application security becomes paramount. 

Finally, legislation like the EU’s General Data Protection Regulation (“GDPR”), and anticipated similar regulation in the United States, makes data protection a key focus area for investment in security programs. As a senior investor at one of the most active VC firms in information security, who requested anonymity to speak openly, observed, “I’ve seen more companies focused on solving compliance, regulation, and risk issues. That’s not surprising given new regulations like GDPR.”

Information security involves people, processes, and technology. When the focus is purely on technological solutions, the other components needed for a strong security strategy end up lower in priority. The dominant strategy today is to blame the people, ignore the processes, and hope the technology takes care of everything. 

This amounts to putting a bandage over an arm that keeps getting sawed off on a daily basis. This focus on only technological solutions is a salve to temporarily soothe the issue of how to be more resilient against attacks, eroding the industry’s ability to protect itself in the long-term. 

Bigger funds, bigger fees

With so many failures in the market, how can valuations for these startups consistently be so high? An important, but often overlooked, contributor is that venture capital firms benefit from higher valuations in part because those valuations lead to bigger fees. Plus, the other investors in these startups generally lack the industry expertise to discern whether the startup has any merit. 

As a result, startups can endure multiple rounds of inflated valuations before reality sets in. By my analysis, the median valuation for a Series B round was a surprising $75 million in 2018, up from $55 million just a year prior in 2017. What makes it all the more curious is that Series C valuations have not risen accordingly. In fact, they’ve fallen slightly, from a median of $140 million in 2017 to $122 million in 2018. 

One explanation for this post-B cliff likely lies in the dynamics of the venture capital firms themselves. As Lin explained, “Valuations and round sizes have gone up, VC funds are getting larger and as a result, the business metrics required to raise a Series C round are higher.” This upward spiral merits closer examination. 

In hushed tones over coffee, when they are certain no other caffeinated patrons are listening, investors will spill one of the most salacious pieces of gossip in venture capital right now: that in the past few years, a select group of venture capital firms have, on occasion, been covering each other’s backs, propping up high valuations in one another’s companies to support the picture of a healthily growing fund.

Venture capital firms have their own investors, their limited partners (“LPs”), who provide the pool of dollars in VC funds and who are the people paying the VC’s management fees. These LPs look to data points on portfolio growth when deciding how much to invest into a VC’s new fund.

Therefore, if a few of the VCs of information security startups sometimes work together to inflate and affirm the investment values of each other’s funds, the lofty valuations we are seeing do not actually need to be tied to customer value or company performance. It can serve as an indirect method of increasing the fees received on assets managed, and non-expert VCs will unwittingly support this dynamic, thinking valuations are always based on a startup’s potential.

The mirage of frothy on-paper-only returns means that investors could justify needing a larger fund size and raising more money from LPs – and these larger funds beget an increase in management fees. The usual picture painted of venture capitalists is that they get paid when their chosen startups meet outstanding success – this is termed “carried interest.” 

However, VCs also receive management fees, which are based on a percentage of total assets under management (generally around 2%). These management fees guarantee a consistently high level of compensation – even if the actual investment bets fall flat. This practice is not necessarily pernicious, as it can simply serve as a hedge to ensure a salary even in tough times. 

To put actual numbers to this concept, as Chamath Palihapitiya pointed out in Social Capital’s notorious letter to shareholders, management fees for a $200 million fund would be $4 million each year. But if you raise a larger fund, for example a $500 million fund, the VCs would receive a much more generous $10 million in management fees, more than enough for a comfortable lifestyle, and it removes the risk of only receiving a payday if your portfolio companies succeed. 

There is, of course, also a component of founder vanity. Receiving a generous valuation for the company you founded is beguiling; who doesn’t want to believe their idea has the potential to beget such a plush valuation? Indeed, founders can even be willing to sacrifice control and grant special terms to investors – such as investors receiving a specific amount of money back before founders receive any money if the company is sold – in order to receive a more munificent valuation.

Rising valuations at earlier stages, up to Series B rounds, also give the illusion of success while potentially hurting the startup’s long-term chances – both of which negatively impact defenders as they attempt to choose the proper solution to improve their organization’s safety. Specifically, because investors are usually less concerned at earlier stages with proof of customer traction, this relaxed initial pressure to find a sustainable customer acquisition model means that unhealthy businesses will show false signals of health via bubbly valuations. 

Companies can tap into their existing networks and the networks of their hired sales professionals initially, which may get them to $5 million in annual recurring revenue (“ARR”), or perhaps even $10 million ARR. However, if the product’s value proposition is lacking, it will be difficult to expand the set of customers beyond those within the startup’s initial professional networks. 

Series C investors expect to see that sort of scalability and tangible value proposition, and few Series B companies are getting there. As Klein observed, “Startups missed the mark on building creative customer acquisition strategies [in 2018]. Acquiring enterprise customers is hard and expensive, and as a startup, the typical routes such as attending a trade show are too costly. It’s easy to get drowned out by the more established companies as well as the noise of other newcomers.” 

Lin agreed that companies who fizzled in 2018 did so in part due to “difficulty separating [themselves] from the noise,” but also that startups who struggled faced “difficulty growing the business enough to match the promise priced into a high valuation, [resulting in] high cash burn, and [their] timing being too early or too late in the market.” 

A senior investor who requested anonymity due to company policy concurred with Klein and Lin. “Many startups that have trouble raising money lack customer traction, good leadership, good go-to-market plan, or presence in a large enough market. Usually, if you have just one of those, you can raise a good round. The problem is that most startups don’t have a good go-to-market plan forward to capture revenue.” 

Investors unfamiliar with the information security space may not be able to spot this red flag regarding future viability – and non-specialist investors shockingly dominate investment into information security.

Information security is rife with first-time investors

Most investors in information security startups do not specialize in investing in the information security sector. Over 75% of all investors in information security startups in 2018 invested in only one deal, according to Crunchbase data. If you’re a user concerned about how companies are protecting your data, you should be even more concerned that non-expert investors are choosing which innovative security startups are being funded. 

Can you be sure that the best solutions are being financed and developed when the startups are chosen based on the pitches these non-expert investors like the most? While perhaps not as complicated a sector as biotechnology, information security is unfortunately complex and generally requires some level of technical expertise. Hearing a startup pitch about the ability to stop all potential advanced attacks might seem seductive when frequently reading about massive breaches. 

But when you’ve lived in the industry for a few years, you quickly realize that it is impossible to “stop” all attacks, particularly those by more sophisticated attackers like nation states. The realistic goal is always to be able to quickly detect, respond to, and recover from attacks. Such bombastic claims about being a fix-all solution are the sort of statements that will ring alarm bells in those with real industry experience.

This is the danger of headlines like those concerning Equifax’s notable breach – investors who do not have expertise in information security will gladly make bets in the field given its importance. Every one of us, regardless of industry, knows someone who’s been hacked, who’s been infected with malware, who’s had to change their passwords because their hotel or airline or shopping provider was compromised. 

Worse, we keep seeing these headlines, and if anything, it feels like the problem is becoming worse – why isn’t more happening to stop it? From an investor’s point of view, the question becomes, “Which startup can stop it?” and startups will happily spin their tale of why their technological Band-Aid will fix the deeply rooted problems within our industry that lead to these breaches. 

To counter these less knowledgeable investors, there are some dedicated venture capital firms who are very active in and informed about information security investing. Some of the most active are actually corporate venture arms, including Dell Technologies Capital, Goldman Sachs, Google’s GV, and Singtel Innov8. 

There are also traditional investors who have long invested in the space such as Accel Partners, Bessemer Venture Partners, Paladin Capital Group, and Sequoia Capital. Then, there are new and re-branded funds who are now laser-focused on information security, including AllegisCyber, ClearSky, and Forgepoint Capital.  

But the same fear of missing out on the Next Big Thing can plague these VCs as well, and they are often the culprits behind the bloating of valuations. We think of venture capitalists as the elder sages of technology, funding the next revolution in our lives – starting with semiconductors, then e-commerce, and more recently, cloud computing. Venture capital still has this potential, and there are venture capitalists who strive to follow this model of fueling beneficial disruption. 

Making a blockbuster return and funding meaningfully and positively impactful technologies are not mutually exclusive choices – but they are the more difficult ones. Likewise, startup founders can build companies in which they truly believe they are helping customers improve their security posture and making their lives easier in doing so. Yet again, this takes calculated effort to understand the customer perspective, to get into the nitty-gritty of improving workflows, rather than the quicker gains in mindshare that come from splashier marketing. 

The reckoning

The information security industry is headed for the same sort of rightful public outrage as was seen with the false promises of the health tech company Theranos. For those unfamiliar, Theranos raised $700 million with a peak valuation of $9 billion in 2014, for allegedly revolutionary blood-testing technology that was exposed a year later for utterly failing to meet its claims. Ultimately, Theranos shut down in September 2018 after being embroiled in lawsuits over fraud and breach of contract. 

The justified confusion over how diligence on something so important as blood testing could have been so overlooked is where I believe information security is headed. When our digital lives are irreversibly intertwined with our participation in society, does it not border on negligence to fund solutions that offer little more value than vaporware to protect the data on which our lives depend? 

When our personal information is exposed, where is the accountability for the way the sum of exaggerated promises, distraction from real problems, and tactical confusion pushed onto defenders contributed to the problem? More money into more solutions with fewer results felt by defenders is only sustainable for so long. We can only put the blame solely on organizations’ security teams for so long. Would we blame a patient for becoming sick after ingesting snake oil, if snake oil was the main option lining the pharmacy’s shelf? 

In a so-called market for lemons, it is difficult to discern product quality due to information asymmetry, and defects are only discovered after purchase. The information security startup ecosystem would not be seeing these positive funding trends without this information asymmetry existing. The value creation simply isn’t there. 

For investors looking to change the industry for the better, Gutierrez’s suggestion to reduce defenders’ exasperation at startups is “for investors to ask the company to explain in very simple language what actual problem are they trying to solve.” 

Hiding behind technical jargon and glossy meaninglessness instead of putting in the work to help information security professionals make smart choices is cowardice. Funding startups sowing fear, uncertainty, and doubt perpetuates the cycle that has kept us from progressing for literal decades, and attackers will continue to rejoice at the stagnation.

The information security industry often feels that it is preaching into the void, a Zarathustra ignored. To receive such attention and funding can feel like appreciation, when it is actually exploitation – but of a different kind of vulnerability than ones in software. 

We have the chance to take a step back and examine why there is such little progress to be found despite this greater spotlight on information security and increased financing fueling defensive technologies. Informed bets can be made on technologies that help information security teams make better decisions, to automate the more painful parts of their days, to help create tools that other parts of the business will not hate using. 

We have a lot of work to do. It’s time to seize the spotlight and turn it to what will really make a difference in keeping all of our data safe. We must return to first principles – our fundamental assumptions – as to why defensive security is so difficult, why our solutions are failing us, and what is actually keeping us from achieving true security innovation. 

Where is $5 billion in funding getting us? How is the intricate mosaic of startups securing us? How can we avoid perpetuating this cycle before this needless, pernicious complexity becomes a permanent scar embedded in the systems on which we depend? Asking the right questions and demanding more from information security startups than a siren song would be an auspicious start.