Security Titan Art Coviello On How To Place Bets On Emerging Security Startups

The Opportunities In Cybersecurity

Former RSA Executive Chairman Art Coviello joined Rally Ventures this month to help grow the early-stage investment firm's enterprise security investment portfolio. In an interview with CRN, Coviello shared his opinions on the security startup space, and where solution providers should place their bets.

Take a look at what he had to say.

It's a very crowded market for security. When you're going to be at Rally or in the market in general, what do you look for in a security startup?

One of the benefits to be with an early-stage venture capital firm is we will see deals before many others do. One of the big issues you've got is that valuations have gotten crazy. ... I don't think capital is being efficiently used in the security space right now. This is an opportunity to see things, really innovative companies, which we're looking for. I'd rather not get into the details of the particular areas of what we're looking for, because that's part of our strategy, but clearly, being able to see them first and help them get going and break through the absolute cacophony of companies that are out there creating so much noise.

Do you have any advice for solution providers who are dealing with that problem?

I think you need to do the same kind of things that we do in venture capital, which is look at the team. Look at the quality of the people, don't just look at the technology. Look at who's backing these companies and who can really help them be successful in the marketplace. ... We're in a really good position [at Rally], much more than a generalist firm to cover the space and help companies. If you're a VAR or in distribution, I would suggest you bet on the companies that have this kind of help.

Is Rally looking to expand its security investments?

One of the reasons why I'm here is to help sort through that. Just because there are a lot of companies coming into the space doesn't mean that there isn't a big problem to solve -- there is. I was just at one of our investments yesterday, Bugcrowd. I'm really excited about them. They use many partners ... the kind of people that can spot bugs and spot problems and help companies faster. If you think of the number of people attacking us, they have an equal number, over 17,000, in this crowd sourcing model that they have looking at their customers' problems and helping them to solve them as close to real-time as possible. Working with innovative companies like that really gets me excited and gets my juices flowing.

There are a lot of emerging areas in security. Are you looking at all them?

Clearly the Internet of Things and things related to mobility -- all of those are hot areas that we'll clearly be looking at. There's no question. Believe me, there's no shortage of ideas, it's just how effective they can be and how much we can help them.

Are there any areas of security that there aren't enough startups in right now?

Unfortunately, there are too many companies chasing the same things. One of those things is endpoint. We're looking for innovative ideas that really change the landscape.

Are the big vendors also addressing these emerging technologies in the right way?

Clearly none of these big companies either has the resources or wherewithal or sometimes quite frankly the time to look at all of the things that need to be solved. I know as CEO of RSA, we were very acquisitive. Being able to acquire innovative companies is a significant part of the strategy of a lot of these bigger companies. Many of these [startups] end up being portions of a product line or features. The more they look like features, the less likely they will be successful. The more they become something distinct, the more they can go the distance. If they become elements of a larger product line, there's nothing wrong with that, but they'll probably end up being acquired.

Who's doing it best in the security market right now?

Clearly one in your readership space is Accuvant-FishNet. I was really impressed with their coming together, not just in terms of size and scale but in terms of the managed services offering that they are starting to bring to market so they can increasingly be an extension of their customers. This becomes a great conduit for vendors to supply technology, not necessarily directly to the end user but through the likes of Accuvant-FishNet. I like their model and I like RSA's. I think increasingly security does need to be delivered as a service. I'll come back to Bugcrowd. They have as much as 17,000 researchers that they can bring to bear on a problem that you have.

What should a solution provider's portfolio look like? Should it be geared towards emerging technologies or a balance of the big vendors in addition to emerging?

I would have focus. I would have focus on particular areas -- I would have focus on networks, I would have focus on application security, I would have focus on endpoint security. I don't think there are too many VARs today that have the scale to do all of it, so I think focus could be an important element. To the extent that they can provide managed services and scale up to deliver managed services, I think that is a very appropriate way to go. I do believe ... if all you're doing is providing new technology and not providing a significant amount of additional consultative or value-added services, it's going to be hard for you to remain competitive.

I know there's a lot of new technologies coming out now into the security space. Are there any technologies that have hit the wall?

I just gave you the high level of what we're looking at in terms of capabilities and being able to spot flaws in technologies, being able to spot anomalies in either user behavior or in flows and uses of data. Anything that's an extension of these capabilities and that brings a new and innovative and different way of addressing those kinds of issues would be things that we're interested in.

When you look at the threat landscape, what is the biggest threat facing companies?

The biggest threat quite frankly continues to be the expansion of our attack surface. Again, the more Internet applications, Web-based applications we have, the more mobility applications we have, the more we start to see the introduction of Internet of Things, I worry about the threats that are to come based on that expansion of attack surface and our ability to see them and anticipate them. That's why security technology has to move in an entirely different direction where we're seeing things fast enough. It's inevitable we're going to get breached, we just have to be able to see it fast enough to respond and prevent loss or isolate compromised elements of infrastructure.

How do you get that level of visibility?

First and foremost, too many of these new technologies are built with vulnerabilities in them. The first line of defense is making sure that, as we add to the attack surface, that we're not giving the attackers a leg up by exposing vulnerabilities in the very products that we need to deploy to do more of what our organization's missions are trying to accomplish. ... The second element is being able to spot anomalies in user behavior. ... The third is being able to spot anomalies in the flow and use of data. At the highest level, that's where security needs to be. ... Visibility is one thing, but being able to do something with that visibility and do something timely enough, that's really what's increasingly important.

Is there some responsibility there on the big vendors? Companies like Intel and Cisco have talked about bringing in technology on the chip and network level.

Absolutely -- that's exactly what I'm getting at. These people that are building fundamental technologies that are either part of the network or server infrastructure or the applications themselves, these products have to be built more securely. Building security into them is extremely important. Inevitably though, there will be vulnerabilities. It's just a fact of life. That's why, I think the first line of defense is having the kind of capability to be able to spot these flaws as quickly as possible and make sure they are remediated.