Is The Cyber Security Industry In A Bubble?
Plus, expert investor analyzes cyber security investments on TF 7 Radio
The Founder and Managing Partner of Boldstart, Ed Sim joined Host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies, and Co-host Tom Pageler Chief Security Officer of BitGo, Inc. on episode #81 of Task Force 7 Radio this week.
Sim talked about how he applies a First Check for Enterprise Technology Entrepreneurs, how he identifies pain in a new startup, and what's hot in the cyber security VC market.
Sim also gave his opinion on whether or not emerging technologies are being built with security in mind, what are the basic cyber security threats and concepts that companies should be worried about, and if smaller companies are at a disadvantage relative to bigger companies in terms of rolling out mature cyber security products and services.
And the big question everyone in the VC market is talking about: Is the cyber security industry in a bubble?
Bringing Enterprise Startups To Scale
Boldstart Ventures is a New York City-based first check investor for founders reinventing the enterprise stack. The company works with the C-suite in order to accelerate their time to market strategies. More specifically, Sim aims to work with engineering-driven founders with a laser sharp focus on the product itself and the product development. And he has some enduring themes and investment focus that include cloud native infrastructure; cyber security; intelligent automation; and SaaS products.
Sim is also the co-founder of MState, which is an enterprise blockchain studio, in partnership with IBM and Comcast ventures. For the last 22 years, he has seeded and helped scale a number of enterprise startups to exit including big data pioneer Greenplum, LivePerson, GoToMeeting with Citrix, Divide with Google, GoInstant with Salesforce and Blaze.
“I think from a security perspective, we really have to start asking ourselves where do you think the market is going to be,” said Sim. “And, you know, we have our own focus on how we think about security … I made my first security investment believe it or not, I signed a term sheet on September 13th, 2001, in a company called netForensics. I'm not sure if you ever remember that company. But that was one of the first SIM vendors out there.”
Sim said that the approach to security from Boldstart’s perspective has been to focus on new attack vectors and new problems versus existing ones like endpoint security. “There's been some great investments, obviously, in the endpoint security space. But we've had much more luck and success doing first check investing looking at new attack vectors,” added Sim.
See Related: “The State Of Constant Change In Endpoint Security”
And part of it is that there may not be a line item on the C-suite budget, on the CISO budget. It's usually discretionary spending in the first couple years. But according to Sim, “the trick is if you can figure out how that can become a line item in a couple years, it could be a massive opportunity.”
Investing In Enterprise Cyber Security
According to Sim, Boldstart is focused 100% on the enterprise, which means it mainly invests in infrastructure. Cyber security is embedded in a lot of the investing the company does (they’ve made five investments in the cyber space over the last five years), but still broadly consider it enterprise.
Rettas asked, “So, how do you identify pain in an investment or a company? How do you analyze that in the beginning with first check?”
Sim said that the advantage to being in New York is being surrounded by Fortune 500 companies. “And if you look at the history of the Fortune 500, most people will say today that they're a technology company that happens to be a bet, or a technology company that happens to be a retail company.”
So fundamentally, every Fortune 500 — if they still want to be in the Fortune 500 or the S&P 500 in 10 years — has to have technology. They're spending more and more on engineering and the velocity of change has increased exponentially.
From Cyber Security Pain Points To Opportunity
One of the biggest areas Sim is excited about is the power and rise of the developer. If you think about the world today (as mentioned earlier) these Fortune 500s cannot be software or technology companies without hiring engineers. And everyone is moving to the cloud today to increase their agility and their ability to rapidly deploy new applications. And engineers now are more and more responsible for not only coding, but also pushing multiple updates per day into production.
And what happens in that assembly line process with that speed is that security gets lost. “It's one of the areas we're super excited about is: how do you help developers increase their security or better their security without kind of obstructing their ability to get things done quickly?” asked Sim.
He added, “And there's tons of opportunities around that space. So Snyk, founded by the former CTO of Akamai is one of those companies addressing that pain.”
Another huge pain point in the industry is privacy: Privacy, PII, GDPR, CCPA, Alphabet Soup. “It's absolutely everywhere,” said Sim. “Just look at what Jamie Dimon (CEO of JP Morgan Chase), just recently said in his annual report, ‘A threat of cyber security may very well be the biggest threat to the U.S. financial system.’ And that they spend over $600 million a year on these efforts with 3,000 employees; and that privacy is adjacent to that and just as big a threat.”
See Related: “Best Practices For Safeguarding Data And Managing Privacy”
Pageler added, “I think you [Sim] hit the nail on the head. I think you're absolutely right. We have this rush for developers to go fast, push product out, push it out in the cloud. And security is taking a backseat.”
Pageler also noted that there are so many different privacy rules out there such as GDPR, and it’s difficult to determine what to collect. That’s because every piece of data you hold in one area, opens you up to more liability in other areas.
Talent Shortage Continues For Developers
Rettas and Sim then discussed the massive talent shortage in the developer space. Especially today, given the rapid speed of change, the best engineers are not going to work at a bank. They’re going to work at Google or Facebook or some other kind of web-scale company, or they’re going to start their own company because it’s easier than ever to do so.
Sim explained, “And so, in order for these large Fortune 500s to actually bring innovation in, they need to work with earlier stage startups.” They have to bring in companies earlier versus the traditional way. And Sim said that “with the rise of open source with developers downloading tools and actually using it and kind of proliferating inside of an enterprise, they're willing to work with companies much earlier because they can test the product. And they can price the product and see what's there.”
Rettas agreed, “I think you're right too. And then what I've seen too with developers is ... and not only do you not want to work at the traditional banks, you want to do something that's innovative. But also if you get into a company that has too many rules, too many guardrails in place it slows you down, it makes it so that the builds are just too slow, you can't be innovative, you can lose a developer.”
Rettas said that you have to balance how to empower them and let them be innovative, but also mix in security from the get go – without making it something that pushes them out and makes it so they want to leave. It can be frustrating when there are too many controls in place, things are too slow, it takes too long to push something out, the release process is too long, the systems aren’t set up for me, etc.
Sims added, “I think it goes back to the whole idea of security shifting left. Kind of like the assembly line process. If you can pick a defect earlier in the assembly line then the solution comes across in the long run. And so the idea is if developers can actually have security without thinking about it, and it doesn’t slow them down, then it saves a ton of time, a ton of cost and a ton of problems.”
Are Cyber Security Solutions Keeping Up With Threats?
A lot of attacks (especially malware attacks), are getting more sophisticated on a daily basis. So Rettas asked, “Are you cyber security solutions keeping up with the evolving threats that we’re seeing? Or, are we just continually falling behind?”
“We're always behind period,” asserted Sim. “And I guess the way I think about it is that the most interesting trends these days are these script kiddies and also nation states. And if you look at the use of artificial intelligence, machine learning, deep learning and all that stuff, it's easier for them to be on the offensive than it is to be on the defensive because you don't know what you're protecting yourselves against. But if you're on the offensive, you can use all these new technologies, download scripts and wreak havoc. And it's always going to be a game of cat and mouse and a game of catch up.”
See Related: “Nation-State Security Trends Report 2019”
Sim added that every new technology opens up new holes even on the cloud side. Just basic hygiene is not even covered. And when you go to AWS, it's absolutely confusing to have an environment set up and have your developers kind of on board, especially when you have thousands of developers. “And, you know, you're leaving lots of data exposed without changing passwords or things like that.”
“So I think it's not only kind of that hackers are more sophisticated but also there's kind of more footprint for some of these larger companies and it's harder for them to keep up themselves,” Sim said.
Back To Basic Cyber Hygiene
The biggest risk to any organization is its people. According to Sim, “No amount of technology is going to prevent phishing, BEC wire fraud ... or individuals using the same password over and over again. And, you know, having kind of their consumer site hacked, and then having their Fortune 500 company hacked.”
There has to be better training and cultural change. “And we're seeing more and more tools come out to, you know, let's say train software developers on how to create secure code. We're seeing more tools come out like on mobile devices gamification for how to train employees to understand what phishing attacks may look like. But ultimately I think that's super hard thing to stop,” Sim said.
Pageler explained that security practitioners more and more are tasked with limiting the ability for the employees to get in trouble. Banks have already taken that approach for a long time through limiting the amount of cash in the bank, limiting access to the vault, etc. Criminals over time know that they can only do so much damage. “And we have to start doing that more on security.”
Rettas then asked if smaller companies in this business are at a disadvantage to some of the bigger companies out there. For example at RSA Conference last year, there were about 6,000 new security startups.
See Related: “TF 7 Radio Covers What's Going On At RSAC 2019”
“I’d say no, because they have a much smaller footprint to be attacked. And then I'd say yes, because they have no idea how to get started and they're probably better off with like an MSSP. I feel like MSSPs are coming back. You're looking at MSSPs using kind of AI and ML to kind of move remediation faster and make it much easier. But I think these smaller companies need kind of a catchall, one-stop-shop to solve their problem,” answered Sim.
Is The Cyber Security Industry In A Bubble?
Rettas brought up how Mark Cuban talks about the cyber security market all the time and thinks “we’re in a bubble.” He’s been very open about the space and the amount of money, new startups, and duplicative technologies out there.
“You know, if you look at just the amount of money invested and kind of the amount of exits, then the answer is absolutely yes. And I'm saying that because if you look at it the estimates are $4 to $5 billion dollars were investing in cyber security companies last year,” explained Sim. “And it was like up from three to four the year before. And there are still kind of only a handful of new public companies out there, right? You have Carbon Black, you have Zscaler, you have Tenable and some other ones that went public, which means they could be new acquirers.”
But at the end of the day, Sim said that there are way too many startups out there and many of them will die. The key as an investor, or even as a buyer, is to know if something is a feature or a product or a business. And you need to have founders that are smart enough to maybe start with a feature, but know that out of the box eventually they'll get to it to have a product, and then eventually they'll have a family of products.
If you’re a really good founder and able to navigate that path, there’s massive opportunity out there. If not, you’re going to go out of business or get “rolled up for peanuts by some of the other companies,” said Sim.
Pageler and Sim both agreed on the perspectives that:
-Investors and practitioners in security are looking more at open source. It makes them less dependent on the cloud and allows them to carry the stack anywhere.
-Selling into the enterprise has been reversed. Instead of going top-down, the most opportunity is coming from word-of-mouth and going bottom up.
-You have to move into the area that makes most sense either from a security or development perspective in the future.
Rettas asked, “So if we have a big discrepancy between the amount of money that's actually coming into the industry compared to the ratio of the amount of successful exits that are happening … do you think that we're going to continue to see this sharp increase in spend in the cyber security space over the next few years that we've had over the last few years?”
“Absolutely,” said Sim. “I mean when CEOs like Jamie Dimon say that the threat of cyber maybe the biggest threat to the US financial system, then the answer's yes. And then you have guys like Warren Buffett. Warren Buffett's annual report just said that he believes a major catastrophe will happen maybe tomorrow or many decades from now. But the big one may come from a cyber attack.”
Sim added, “The whole idea of security always being one step behind the hackers, and now you have a new category of nation states kind of coming in and doing what they're doing … the amount of money will continue to increase. And so, yes, there will be opportunity. But I think execution and management team and understanding how to build a business, not just a product, I think becomes absolutely crucial for engineers to navigate kind of this new world.”
Rettas ended the show by going through some of the companies that Boldstart has invested in and how those investments came about. Some of those include BigID, Snyk, Security Scorecard, HYPR, Smallstep and Dropout Labs.
See Related Event, “Cyber Security Digital Summit – Spring 2019”
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub.
To listen to this and past episodes, click here.