Evaluating Security Startups

Security is different from all other IT disciplines. It does not go through the same phases of maturation that CRM, ERP, NAS, BPM, or other TLAs (three-letter acronyms) go through. While CRM, for instance, addresses a fixed need (maintaining consistent contact with customers), security cannot be defined so simply. Security is all about countering threats.

So, while CRM technologies quickly reach the point where they address the basic requirements for maintaining customer contact, and then evolve beyond that to add reporting, stability, ease of use, and other enhancements, security technologies follow a different path. They get deployed to counter a threat from, say, viruses or spam, and then a new threat develops that requires new technology.

This continual change in the threat environment explains why the security industry has 1,200 vendors, up from about 900 in 2002. Even though the large security consolidators—Symantec, Computer Associates, McAfee and, recently, Check Point Software—continue to acquire companies, this must not be mistaken for consolidation: acquisition is the way large companies stay on top of the innovation required to counter new threats.

So every IT department finds itself evaluating security startups (if it wants to be prepared for the rising tide of threats, that is). From my years of analyzing startups and my experience working at many of them, I have derived this set of rules for evaluating security startups.

Does the company offer a product that addresses a security issue? This question seems simple at first glance. But many organizations mistake a need for data management, reporting, and record keeping for a security requirement.

Do not make the mistake venture capitalists made in backing almost a dozen security event management (SEM) companies. Instead, ask yourself why you have so many security events to manage. Shouldn’t you be talking to companies that reduce your exposure and block attacks rather than those that help you manage your exposure?

If you purchase and deploy the product offered by the startup, does it make you more secure? This is another seemingly simple question. Don’t forget that you are looking at a startup because there is a new threat that needs new products.

Data management, storage, trouble tickets, and compliance are old technology, and you should be thinking about using the technology you have already invested in to address those needs.

Don’t be the first customer. Unless your organization makes investments in startups (Bank of America, Visa, and Intel all do this), don’t be the first customer of a security product company.

The maturity of the solutions you evaluate should depend on the position in which the solution will be deployed. Gateway, email, and DNS products should be very mature before you invest in them, for example; it takes years for the vulnerabilities and faults in gateway products to be fully discovered. Something that blocks user access to the Web or a technology for monitoring USB devices, on the other hand, could be deployed safely in the first year of a product’s life.

Look for security people in management. Be very leery of security startups that are headed up by non-security people. Someone from the cell phone industry, a big name-brand consumer industry, the call center business, or just the entrepreneur in residence from the venture capital backer is not going to understand the fundamentals of the security industry. Most often they will be selling you infrastructure and not tools, which leads us to the next item.

Buy tools, not infrastructure. It is too early to buy solutions that layer on top of everything else. If you buy the whiz-bang middleware being offered, you will struggle forever to get it to actually work with your existing solutions.

Once it is deployed, you will forever be limiting the choices you can make to counter the next threat, because you will require everything to plug into the investment you made in infrastructure. Buy software, appliances, whatever it takes, to counter the threat.

Don’t worry about the long term. It is common for purchasing departments to have concerns about a company’s long-term viability. This is wasted effort in the security space.

If you have identified a real and present danger and the company has a solution that counters that threat, it will be successful. Yes, it will probably be acquired, but that should not be a negative consideration. Just make sure to sign multi-year agreements. That way you avoid the pricing and support structure changes that the acquiring company may try to impose.

All indications are that threats from cyber criminals and potentially state-sponsored cyber attacks are on the rise. Countering those threats with technology before they have a direct impact on operations is always a good investment.

Yes, it may mean spending more on security, and it will definitely mean purchasing security solutions from startups, but how appealing is the alternative: a false sense of security from an inadequate solution?

Richard Stiennon is vice president of Threat Research at Webroot Software. He is a holder of Gartner’s Thought Leadership award for 2003 and was named “One of the 50 Most Powerful People in Networking” by Network World Magazine.
You can read his blog at www.threatchaos.com.