Security Vendors Debate the ‘Arms Race’

And with no one-size-fits-all security solution, there’s plenty of opportunity for new entrants and established players to drive new revenue streams.

One example of the growth: Out of about 3,000 companies Opus Capital evaluates annually for investment, 500 are security-related. Of those, “We invest in about 10,” said Ken Elefant, founding partner of Opus.

He noted that security is one sector where enterprise customers are willing to buy from startups, particularly if they have differentiated technology. “If a startup can prove it has a better solution to address a security issue, the sales cycle can be quite short,” he said.

Elefant spoke on a “Security Arms Race” panel of security vendors and investors here at the Red Herring conference in Monterey, Calif. Another speaker, Oliver Friedrichs, director of emerging technologies at Symantec, said startups and relatively small security companies can provide useful solutions for specific problems, but that most enterprise customers prefer dealing with a larger established company.

“Companies have been burned by startups who over-promise,” Friedrichs told

He also conceded companies that have been victimized by an attack, particularly in the finance and government sectors, are anxious to get the problem resolved by whatever vendor can prove it has an answer. And there’s a lot of anxiety out there.

“If you’re an e-commerce site, it’s not ‘Do you have vulnerabilities?’ it’s ‘Where are they?'” said Jeremiah Grossman, founder and CTO of WhiteHat Security.

WhiteHat has one of the more daunting security challenges. Rather than plugging leaks where security holes arise, WhiteHat does Web site assessment, looking for potential threats in new Web sites and services that companies launch or are preparing to launch.

Grossman said you can’t find unique or previously unknown vulnerabilities in a lab effectively. “We learn one website at a time,” he said. “Our assessments are similar to what a hacker might try to do.” The company conducts about 600 assessments a week for various clients including what he said were well-known brands he’s not at liberty to disclose.

Before WhiteHat, Grossman was an information security officer at Yahoo where he saw the scope and depth of attacks first hand. “The No. 1 problem (at Yahoo) was dealing with the sheer size of attacks,” he said. “None of the security technology would ever scale to address it all.”

Amrit Williams, CTO at BigFix, added that even a combination of so-called best-of-breed solutions can be problematic for IT departments. “When you’re talking about antivirus, to data leakage, to compliance widgets, to identity theft—and trying to manage it all—most organizations just can’t because you have eight different solutions that aren’t all designed to scale.”