High Risk, High Reward: The Ups And Downs Of Security Startups

A new wave of disruptive security startups are redrawing the battle lines in the growing conflict between cybercriminals and corporate America. For solution providers, the risks of partnering with these upstarts is high. But so are the rewards.

Stephen Harrison, head of sales at New York-based solution provider EverSec Group, knows the risks associated with being a disrupter in the high-stakes security market. But Harrison has seen first-hand the rewards of being first to market with technology that makes the products from legacy security vendors look like stale bread.

/**/ /**/

/**/ brightcove.createExperiences(); /**/

Video: How Startups Are Disrupting the Security Market

Sponsored post

EverSec Group has pulled away from the pack of me-too security solution providers by partnering with LightCyber, a Los Altos, Calif.-based behavioral analysis network security startup that has captured the attention of high-profile investors including Check Point Software Technologies founder Marius Nacht.

The average margin with a security startup such as LightCyber is as high 30 percent to 40 percent, up to as much as four times the average 10 percent to 15 percent margin associated with a security solution from an established security vendor, according to Harrison.

"I'm a very trusted partner of LightCyber," Harrison said.

"Not only do I get their full support, but it maximizes my margin because they bring me into engagements that I wouldn't normally see. I'm getting the benefit of more business because of our trusted relationship."

EverSec Group is one of a growing number of solution providers willing to wager on security startups that are turning network security and endpoint security into outdated concepts. Among the security upstarts rewriting the standard security playbook in addition to LightCyber are Adallom, Bit9-Carbon Black, Elastica, Vectra Networks, and Zscaler.

Of course, making a bet on one of these security disrupters requires solution providers to have the technology and business acumen of a top-flight venture capitalist conducting due diligence on a potential big investment.

Harrison, a former strategic account manager at Check Point, concedes there are risks involved in these partnerships. Solution providers can lose credibility if the startup goes belly-up. And the time and training in the technology may end up being for naught if it is not widely adopted, he said.

At EverSec Group, Harrison evaluates how a startup came to market and how many clients it had before it sought Round A funding. LightCyber had at least two dozen customers at that point, he said. Once a startup is established and gets that next influx of cash, its go-to-market strategy, sales and marketing operations are significantly increased and partners could gain additional support and rewards.

What attracted Harrison to LightCyber is the company's breakthrough technology, which uses behavioral analysis and big data analytics to detect advanced threats and "active" breaches. "You almost have to get clients to make a paradigm shift from how they view the security technology they already invested in when you are proposing an emerging technology," said Harrison.

Venture capital firms poured $2.2 billion into the cybersecurity market in 2014, an increase of 22 percent over 2013, according to CB Insights, which tracks venture capital money. Corporate cybersecurity deals have increased five times since 2009, the company said.

Of the 248 deals made in 2014, some notable investments included SaaS security vendor CipherCloud, which received a $50 million investment; Skyhigh Networks, which received $40 million; anti-fraud and security analytics vendor ThreatMetrix, which received $20 million; SaaS identity management vendor Ping Identity, which received $30 million; and mobile security specialist Good Technology, which received $80 million.

Next: The Rise In Security Spending

But some emerging detection platform makers fail to adequately address how mature organizations triage threats and won't likely be widely adopted at organizations with minimal IT resources, Phelan said.

"Organizations don't want to have to rely on 17 guys in black ninja suits parachuting in every time a threat is detected," he said. "The challenge is to identify the emerging technology that can identify an incident, provide the scope of a threat and what other systems within the organization that might be exploited, and do it all within an organization's security operation structure."

Gotham Technology Group could earn 20 points on initial deals as opposed to existing vendors, which offer roughly half that amount of margin, Phelan said. Gotham Technology Group also has a greater voice in shaping product and go-to-market strategy, he said.

"If you are making an introduction of one of these hot new technologies into an existing client, the startup will pay you back by walking you into another deal," Phelan said. "At Gotham, we are naturally evangelical when it comes to new technologies. We are able to open net new logos because of that."

The Rise In Security Spending

Fueling the sharp increase in venture funding in the security market is the rise in customer spending on IT security. Global spending on information security is expected to grow more than 8 percent in 2015, reaching nearly $77 billion, according to research firm Gartner. The increase is being driven by data loss prevention technology, which is estimated to have grown 18 percent or more in 2014.

Gartner cited increased awareness about security at the boardroom level as the reason for the increased spending as well as more regulations governing data security and privacy in Western Europe and Asia. Gartner predicts increased spending on security suites to protect infrastructure, a rise in security services firms that specialize in data protection, security risk management and security infrastructure, and the growing adoption of security enterprise product capabilities delivered from the cloud.

The different technology approaches are making it increasingly difficult for solution providers to evaluate whether a security startup deserves a spot in the portfolio, said Kevin Willette, owner of Fridley, Minn.-based solution provider Verus, which assists firms in meeting health-care and payment industry compliance mandates. There are rewards, but if the training requirements overextend the staff, the solution provider risks not being able to speak knowledgeably about the product, Willette said.

"You end up not being that great at it and if you don't know the ins and outs to install and configure it properly, it doesn't do the best job it should and then you end up with issues and angry customers," Willette said. "There's been so many of them that I've tried in the past that are too early and they don't end up making it, and then you've got a big issue on your hands."

Next: Startups Need To Understand The Channel

Startups Need To Understand The Channel

Solution providers that have chosen to partner with an emerging security vendor said they chose the company because its technology fits nicely with client problems and ongoing projects, such as Exchange migrations and adoption of SaaS services. They also told CRN that the management behind the startup played a big role in solidifying a partnership.

The technology must solve a problem and do it in a more efficient way, said Nate Couture, chief technology officer at Huntington, Vt.-based security consultancy NuHarbor. Couture, who recently left his position as an information security architect at a Fortune 500 company to work at NuHarbor, said he met with senior executives at SaaS security startup Adallom and was convinced that the product and their long-term vision made the vendor a good fit.

"It's not just about what a startup's current product offering is but what the vision is and if you get in with the organizations that are going to grow in the right direction and you can go along for that ride, you can help guide capabilities requested by the install base," Couture said. "Security teams are scrambling to figure out how to get the same visibility, governance and protection that they used to have with all the on-premise technology."

The number of customers a startup has also is a consideration, Couture said, adding that NuHarbor has several Adallom deals the sales teams are working since it struck a partnership with the vendor in January. Established vendors are easier to evaluate by looking at the channel program, sales numbers and market penetration, he said. "The market has already judged the established vendors and you know what mileage you'll likely get out of a partnership," Couture said.

"The market has already judged the established vendors and you know what mileage you'll likely get out of a partnership," Couture said.

Security has become such a priority that the executive team wants to know that controls are in place and the latest security technology is in use, said Jim Matteo, a channel industry veteran and CEO of San Diego-based solution provider Bird Rock Systems. The solution provider partners with Vectra Networks, a security startup that came out of stealth last year with a platform that taps into an organization's traffic flow.

Vectra Networks monitors the metadata within the traffic for behaviors that signal a threat, such as reconnaissance activity, a cybercriminal's lateral movement within an organization to get to servers containing sensitive data or outgoing communication to a command-and-control server. Vectra Networks' approach ditches the perimeter-based defense posture from the past in place of monitoring behaviors already taking place on the network, Matteo said.

"These guys get the channel and that is an important part of our evaluation process," Matteo said. "If my team sees an opportunity with the technology and we have customers that would take a look at it, we'll partner with an early stage manufacturer."

Next: Cloud Security Success

Matthew Lawson and his team at Dallas-based Tech10 Networks were looking for emerging security technology that addressed SaaS security problems without being too cumbersome to deploy or top-heavy and decided to partner with security startup Elastica.

San Jose-based Elastica had launched a SaaS platform that monitors and detects threats to Salesforce.com and other popular SaaS services. Lawson, professional services director and head of the security practice at Tech10, said his company has been successful with the startup because there is so little awareness about how much total cloud use is happening within the enterprise.

Cloud security is a focus of many of the startups coming to market. When Zscaler arrived in 2008, it aimed to take on secure Web gateway vendors with its cloud security platform. Today the company does SaaS-based Web filtering, cloud-based antimalware, data loss prevention and secure Wi-Fi services. The cloud-based security approach appeals to midmarket organizations and, according to Mark Robinson, president of Findlay, Ohio-based CentraComm, an early Zscaler partner, the company is taking market share from Cisco Systems, Symantec, Intel Security (formerly McAfee) and Websense.

Zscaler's early success forced all the established security vendors to add on hybrid and SaaS-based deployment options for customers. Robinson said he met with Zscaler CEO Jay Chaudhry and was convinced that the business was a long-term investment. Chaudhry had a clear vision and the foresight that additional security capabilities could be delivered by the platform, Robinson said.

"From a channel perspective, the technology is about half of the formula for how a vendor can be successful with a given partner," Robinson said. "The rest is relationships and business elements, field resources and channel program, distribution and all the other things not directly related to the technology. We've seen some great technologies in the past but the vendors didn't have enough field resources for us to be effective with it."

Two essential elements that emerging security vendors must establish are having effective channel managers in place to work directly with a partner and the field sales people assigned to a territory to help partners engage sales opportunities and sell the product, Robinson said.

"For newer technologies, there should be someone who helps evangelize what you are doing," Robinson said. "If it is a new and emerging approach to a security problem, it may not be possible for a partner to immediately become an expert and successfully communicate the value of the tech to a potential buyer."