Amid the 12,000-plus attendees at the Black Hat and Defcon security conferences in Las Vegas last week, it almost seemed like we were in the midst of a boom in demand for security technology. But venture capitalists who attended the security conferences were not optimistic about the ability to make a killing on security startups.
In spite of the rising threats, there aren’t that many security startups raising money. One of the reasons security tanked in the recession is that some of the biggest security customers are in the financial services business. Banks and trading firms need ironclad security and are willing to pay for it. But they pretty much shut down on expansions in the past year. That has created a fairly big leak in the security ecosystem that includes the government, big corporations, investors, venture capitalists and entrepreneurs.
Meanwhile, the bad guys are still in business. Spam is rising this year and now accounts for 92 percent of all email sent. The fundamental flaws of the Internet are hard to patch. Users are putting too much trust in the safety of social networks. Symantec now blocks more than 245 million malicious code attacks each month. It’s easier to fool users by redirecting them from good sites to bad sites. Government infrastructure such as the air traffic control system is pathetically vulnerable. The power of organized cybercrime in places such as Russia is truly frightening, McAfee executive Dmitri Alperovitch reported at Black Hat.
The theory used to be that even in hard times, companies can’t afford to cut corners on security. But that theory hasn’t really panned out. The disappointment with the first round of post 9/11 funding has probably made VCs reluctant to pour a lot more money into the category. There are still startups being formed. Becky Base, a partner at Trident Capital, talks with dozens of them a year, resulting in one or two investments. In-Q-Tel, the CIA’s investment arm, has about 10 security startups in its portfolio.
But VC investment into security software firms has steadily fallen from $893 million into 122 deals in 2004 to $564 million in 86 deals in 2008. In the first six months of 2009, VCs have put $94 million into 19 deals, according to the National Venture Capital Association. The last major security software IPO was ArcSight, which raised $50 million in February, 2008.
“Companies like Intel and Symantec went public on a fairly small amount of money,” said Pascal Levensohn, managing director at Levensohn Venture Partners. “We are at risk of losing a whole generation of these companies. There is continuing demand for security, but a declining appetite for risk.”
In security circles, compliance rules tend to drive sales. If better security technology is recommended, it often falls on deaf ears in the CEO suite. But if it’s required by law, then that’s another story, said Mark McGovern, head of the digital identity and security practice at In-Q-Tel.
With big security vendors like McAfee and Symantec dominating the landscape, the space available for startups is smaller. McGovern said that startups are often creating new features or widgets that will eventually be acquired and integrated into a larger software suite. On the hardware side, a lot of startups create an appliance to filter the network for a particular kind of problem. That kind of appliance becomes part of a larger firewall against attacks.
But Levensohn seems to think there’s still room for innovators. As the Internet infiltrates all sorts of gadgets that were once off the grid, those devices need better security. Levensohn said that providing security for energy-related infrastructure will become a good opportunity. At Black Hat, security experts warned that it was easy to compromise the security of smart meters and smart thermostats that send data to the utility company.
Levensohn also says his firm is looking into areas such as securing the supply chain for manufacturers and is on the prowl for companies that could be combined to create a stronger company.
Robert Lentz, the deputy secretary of defense for cyber matters, who spoke at the security conferences, agrees that the security ecosystem is at risk and that the country needs to marshal the same kind of enthusiasm for cybersecurity as it has for cleantech. He rattled off a long list of areas where the government needs better technology. On the high level, he believes that the entire Internet infrastructure should move to the more secure DNSSEC and IPv6 technologies — both of which are better and more secure ways to anchor the Internet. He also believes that we’ll get a big payoff from investments in automating security, reducing anonymity, better biometrics, instant damage assessments, and better consumer awareness of the risks of unsafe computing.
If startups come up with solutions for these problems, big or small, they may become acquisition targets. IBM just bought security software firm Ounce Labs. So that means there are other kinds of players out there besides just Symantec and McAfee. We heard last night that Symantec and others are investing $20 million in Lifelock.com, the company that protects consumers against identity theft.
That brings us back to the cybercrime crisis before us. Cybercrime is racing ahead of the government’s ability to catch criminals, said Peter Guerra, an analyst at Booz Allen Hamilton who gave a presentation on the cybercrime economy at Black Hat. In a three-year-long investigation of the Russian mafia, the FBI was able to arrest 56 individuals and recover 100,000 stolen credit cards. But that was just the tip of the iceberg, said McAfee’s Alperovitch. It’s only getting worse as the recession creates more incentives for the bad guys and funding for the good guys dries up.
During the recession, the price for hacking tools and the cost of renting botnets, or pools of compromised computers, has gone way down. The average price to buy a stolen credit card number or bank account password has plummeted, partly because so many are available, said Vincent Weafer, vice president of Symantec Security Response. It’s far easier to commit cybercrimes, and computer-oriented talent is having a hard time finding jobs, so the allure of cybercrime is higher, Guerra said.
To counter the bad guys, there’s plenty of need for talent at all of the companies and government bodies that need to do security research. That’s why some federal agencies are contemplating giving away a big monetary prize to those who compete best in a cybersecurity competition. Turning would-be criminal hackers into agents for the government would help blunt the cybercrime problem.
But forget about the idea of getting rich quick in the current state of the industry, Base said.
“If you aren’t in it for the passion, forget about it,” she said. “If you you’re in it for the bucks, don’t bother.