Building a successful security software company is notoriously hard to get right over the long haul. Computer security is a fast-moving target. You still need anti-virus software, for instance, but it won’t necessarily keep you safe. The same is true for firewalls, and malware detection, and spam blockers, and various other security measures. For better or worse, there is never-ending opportunity here, as the good guys race to keep up with the bad guys.
The tricky part is that over time the bad guys have gotten smarter and the threats more ominous. The stakes keep ratcheting higher. Thirty years ago, we were dealing with amateurs. Now the bad actors are international organized crime groups and nation-states. In the old days, the issues were tactical. Now they’re fundamental. This isn’t just an IT issue: Target recently fired its CEO after the retailer suffered a massive security breach. Careers, as well as data, are at risk.
I’ve been spending a lot of time (and money) funding new security companies in recent years, and I’ve worked in the industry myself. Along the way, I’ve reached some conclusions on how to improve your odds of success. Here is my list of five truths about the cybersecurity business:
1. There are two types of companies: those that know they’ve been breached, and those that haven’t figured it out yet.
The security software entrepreneur Kevin Mandia founded Mandiant*, recently sold to FireEye for $1 billion, on the thesis that no one can really stop the bad guys from entering your network. The game is no longer about prevention; it’s about detection. The average length of time it takes for an advanced persistent threat to be detected on a corporate network is now an alarming 229 days. We need to get that down to 24 hours — or one hour.
Companies need early-warning systems to know they’ve been breached, but they also need the context around that intruder, including what data has been compromised and by whom, and a system to contain and fix the issue as fast as possible. Simply manning the barricades is not enough. Evildoers are going to come over the walls, under the walls, around the walls and right through the front door. You need to discover them, find out what they’re doing and stop them, and you need to do it as quickly as possible. Software from Rapid7 and IBM’s QRadar security platform focus on identifying behavioral anomalies in real time.
The scary truth is that network security does not work as well as we thought. That’s what leads to the fight for the endpoint: how people protect endpoints will be completely different than over the last two or three decades. Bromium attacks the problem by focusing on data protection, rather than intrusion detection. They create a secure, isolated container for each task a user performs on an untrusted network or document, preventing malware from spreading. Invincea likewise creates a “secure virtual container” to wall off the most vulnerable applications, like browsers, PDF readers and Office.
2. Corporate networks are like M&M’s: hard outside, soft inside.
Companies need to toughen up from the inside out. (Think peanut M&M’s.) Sure, you need to fight off malware and viruses, and you want complex passwords and stiff security regimes. But you still won’t keep everyone out. Rather than simply erecting thicker walls to fend off intruders, which becomes increasingly impractical in highly distributed cloud-based architectures, we need to encrypt the data that attackers want.
You need to encrypt data all the way to the browser, and the browser itself has to be 100 percent authenticated. But you have to hide the complexity. The whole thing needs to be seamless. As an end user, you’re not going to tolerate having to mess around with encryption keys and other complications. Companies like Ionic Security* are working on solving this end-to-end encryption problem. If it works, hackers will face a new challenge: they can steal the data, but they won’t be able to read it.
3. Threats are getting more dangerous, with higher risk of catastrophe…
The ramifications of security breaches are getting worse. Two decades ago, a breach was mostly an operational problem that might cost you money and time. Today, a breach is a strategic issue that could ruin your business and put your customers’ finances at risk.
4. …so we need new weapons.
Global 2000 companies face an ominous issue: They can’t scale fast enough to meet growing threats. They can’t hire enough people or buy enough technology to be totally secure – they need to go outside to get help. The stage is set for companies taking new approaches to this issue.
Shape Security* has created an approach it calls “shape shifting” to beat hackers by turning the tables and going after the bad actors with the same kind of attacks they use on the good guys. Shape’s realization: while you can’t prevent a bot from landing on your network, you can prevent it from being effective. Splunk uses crowdsourcing techniques to keep track of threats and consider potential remedies. Rather than buy a threat feed, you get it from the universe. It’s the closest you’ll get to real-time threat detection.
Synack* takes a sort of ‘Super Friends’ approach, teaming the world’s greatest white hat hackers and applying them to your company’s security risk assessment with an automated platform. While few companies could ever afford to get that talent inside, the approach here is to let you rent them.
5. If you can’t beat ‘em (and you can’t), deter them.
The bottom line is that evildoers are going to get on to your network, and when they do, they’re going to cause troubles that will sometimes pose catastrophic risk. But there’s no need to panic; it’s a matter of preparation and staying vigilant when the invaders land inside the wall. Innovation in the security space is high. But there’s a lot of creativity being applied on the other side, as well. The good news for entrepreneurs is, this is going to be a never-ending battle.
*Mandiant, Ionic Security, Shape Security and Synack are KPCB portfolio companies.