The Hackers Are Winning

Blossom

The hackers are winning. There's not much question about it: unless you're among the handful of companies with a huge security budget and top-tier defensive and offensive teams, you're almost certainly vulnerable to a targeted attack.

As we've seen, even the likes of Facebook, who can afford a top-calibre security team, are far from invulnerable.

Attacks are now commonplace. From corporate espionage to ransomware, it's never been so profitable to compromise systems, and attackers are better skilled and more experienced than ever.

Cybercrime is now estimated to cost $600bn a year (around 0.8% of global GDP), twice the size of the global drug trafficking market.

Traditional cybersecurity vendors haven't been nimble enough to keep up with attackers. Many have focused on slick sales pitches over next-generation defences. When you're selling to an unsophisticated buyer it's often easier to sell a dream than to build the future.

This has to stop.

One founder recently told me a story about how military attackers go after law firms involved in defence-industry M&A deals: the firms have access to critically sensitive files, yet their security is often trivially bypassed compared to the fortified systems found within the defence industry.

Security is always about the weakest link. Whether you're an individual or a company, you're dependent not only on your own defences but on the hundreds of vendors and partners you rely upon without even thinking about it.

We've been spending time with startups in the cybersecurity space not only because they represent a huge opportunity for us as investors, but because everyone's security needs to be strengthened for anyone to be safe.


Our thesis on cybersecurity

Security startups can be measured along two fundamental axes: differentiation (novelty) and customer urgency to buy.

Some areas of cybersecurity have high urgency to buy (e.g. anti-virus, firewalls) but are highly competitive, with low differentiation between competing products. Unless you have a novel product it's incredibly hard to win market share in an established market, even if you can demonstrate an incremental improvement over competitors.

On the other hand, with an entirely novel product startups often struggle to sell: it becomes akin to selling insurance against a disaster the buyer thinks will never happen. Unless the buyer sees a real need for the product now, the result is long sales cycles and low conversion.

The startups we've been most excited about are the ones with genuinely new products that go after pain points that are very real for buyers. What we ask is: how concerned are buyers about the risks the startup is going after?

Is it an area where they're particularly concerned about security weaknesses (e.g. phishing), an area where they've been compromised in the past (e.g. SQL injection), or one which has been in the news a lot?

Solving the Issue

Security products need to either tackle the problem at hand directly (i.e. automatic intervention) or give guidance that actually gets actioned in practice.

Moreover, the value they add has to exceed the perceived downside. Any action which has the potential to disrupt legitimate usage will inevitably get push-back from other stakeholders within the business.

We've also seen many reporting tools which, while in theory they help identify vulnerabilities, in practice get ignored because of the level of false positives. For us, products have to genuinely improve security in practice rather than being put in place for compliance reasons or as security theatre.

The Consumerization of Cybersecurity

We believe strongly in the consumerization of enterprise software when it comes to usability, and this is especially true in security. While for many enterprise products the consequence of poor usability is frustrated staff, for security products poor usability results in users avoiding them or even finding work-arounds.

Many large corporates would be surprised to discover the novel ways their engineers have found to disable anti-virus on their machines because they were fed up with the performance impact.

Good UX is a fundamental requirement for good security software.

Data and Network Effects

More so than most areas of enterprise software, cybersecurity lends itself to network effects. The more customers you defend, the more exposure you gain to real-world attacks, invaluable information for strengthening the product for the entire customer base.

While not applicable to all security startups, where this virtuous loop can be built into the product via machine learning or other approaches, it can become a huge catalyst for growth in the long term, enabling the product to improve automatically as usage increases.


If you're building a security startup that fits well with our investment thesis, we'd love to hear from you. I can be reached on Twitter at @imranghory or by email at imran@blossomcap.com.