The computer security industry is far from an easy place to build a successful startup. Security has traditionally been controlled by a small group of established firms that maintain a vice-like grip on the major IT sales channels. And understandably, big ticket customers like the military and large enterprise can be hard to sell into for startups. The technology in fields such as encryption and intrusion detection is complex and arcane, and often requires expensive certifications.
But even in the face of such challenges security remains a hot field and offers opportunities for startups. So-called endpoint security for consumers was a $4.9 billion market in 2012, according to IDC, and enterprise security software and hardware is roughly $31.4 billion worldwide. In the past two years there have been over $12 billion in security acquisitions, with many of the notable exits in 2011 and 2012 having hit north of $800 million.
It’s also a disruptive field. Security is constantly evolving to confront the mercurial world of hackers and cybercriminals. With the proliferation of professional financial cybercrime and high-profile state-sponsored hacking, modern adversaries for information security are incredibly sophisticated. The rise of this generation of hackers creates a demand for new and better security technologies, and two fields in particular are currently big areas of interest for Sand Hill VCs.
Cloud and next-gen infrastructure security
Cloud and infrastructure security refers to the hardware and software associated with protecting modern IT infrastructures. As more businesses move workloads to the cloud, critical financial and personal data becomes exposed to the public internet. Securing data in flight to the cloud and at rest off-site is mission critical.
VCs will be heavily investing in hardware and software in this field because it shares complementary demand with the success for cloud computing; as companies demand the flexibility and cost-savings of the cloud, they will also require next-generation security built to secure the infrastructure of public and hybrid-cloud environments.
This is a hard area for startups to play. Proving compliance with draconian and mercurial regulations like PCI-DSS or the Common Criteria is a difficult and frequently expensive endeavor. As a result of high barriers to entry, systems incumbents such as NetApp and Oracle have an advantage.
But several new startups in this space have navigated these issues through the engagement of established veterans and a focused but superior feature set. These include encryption-focused Ciphercloud and the back-end infrastructure-focused CloudPassage. (Note: I have no financial or professional relationship with these or any of the other companies mentioned in this article.) Both Ciphercloud and Cloudpassage augment the security of an existing IT infrastructure and uniquely target bringing compliance-grade security to hybrid cloud environments. Compliance is a serious and expensive issue for the enterprise, and these industry veteran-led startups are attractive to VCs because they provide an economic but well-monetized alternative to purely consulting-based solutions.
Intrusion detection and prevention systems
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) refer to software and hardware solutions that detect and halt attacks or attackers as they attempt to compromise a system in real time. The rocket science-esque fields of IDS and IPS aren’t new, but with the advent of this generation of sophisticated attackers and widespread interest in big data analysis, IDS and IPS are quickly becoming a hot topic for VCs.
A great example of IDS/IPS success can be seen in Silvertail Systems. Acquired late last year by EMC, Silvertail used complex algorithms to detect attacks from the outside and even internal attacks launched by compromised accounts. VCs liked that Silvertail’s tech was managed by a team of industry veterans and that from the beginning they closed deals with large enterprises.
Late-stage starlet FireEye seems poised for success by employing the same formula. Their late 2012 hire of ex-McAfee CEO Dave DeWalt and success in traditional security verticals like US DoD, US federal, and large financial have well prepared the company for their imminent IPO.
SF-based CloudFlare can also be considered an IDS/IPS company. CloudFlare intercepts and sifts traffic to a site through an analysis engine to improve performance and protect websites from modern attacks like Distributed Denial of Service (DDoS) and Cross-Site Request Forgery (CSRF). CloudFlare protects a significant measure of the internet and remains on the watch list for nearly every VC on Sand Hill.
CloudFlare’s frictionless sales model is also an interesting point for VCs. Bucking the traditional IT model of inside/outside sales teams, infrastructure companies like CloudFlare and New Relic allow customers to directly purchase through their sites. This decreases sales cycle time and increases margins – both key diligence metrics for VCs. In a busy space like IPS/IDS (or IT in general), employing positive differences like a unique sales architecture help startups to distinguish themselves in the eyes of investors.
Finding an edge
As a security startup you can do a few things to improve your chances of closing your round. Make sure your team is led by veterans who know how to build and sell into your verticals (or actively recruit them). Also, align your company with sectors that have complementary demand with big tech trends.
And, as in any industry, attack big problems that people are willing to pay lots of money to solve.
Andrew “Andy” Manoske is an Associate at GGV Capital, a Sand Hill and Shanghai-based venture capital firm. Prior to GGV, he was a product manager at NetApp and managed the design of security features across the company’s entire product line. Follow him on Twitter @a2d2.
Have an idea for a post you’d like to contribute to GigaOm? Click here for our guidelines and contact info.
Photo courtesy alexmillos/Shutterstock.com.