Frankly Speaking 12/1/20 - Smart VCs shouldn't invest in network security
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
Wow, I can’t believe it’s December already. What an eventful November! I’ve been trying to upgrade my WFH setup, and I recently bought a Portal TV and Portal Mini to do certain video calls. The AI camera is pretty cool! Feel free to email me any cool videoconferencing tools and tips because I spend 8+ hours on Zoom and am always looking to make the experience more “pleasant.”
LET’S BE FRANK
In the last post, I talked about why VCs shouldn’t invest in datacenter security. This has resulted in several people asking me this follow-up question: what other areas of security does this apply to? The answer is network security. Of course, those are still investable areas that make money, but it will require a lot of capital at a high risk, which isn’t the type of risk profile smart VCs, in my opinion, should take. It’s similar to investing in a Facebook, Google, or Amazon competitor. Sure, it could be big, but it’s risky and capital intensive. At least for the likes of Amazon, etc., the market is growing whereas the datacenter security market is shrinking while security grows overall. Not a great combination, but I digress.
Before I go into the reasons why smart VCs shouldn’t invest in network security, I want to caveat what I mean by “network security.” It’s hard to qualify in a short subject byline meant to attract attention and readership. I am referring to security for a corporate network. I think smart VCs should still invest in the following:
Network security around customer traffic, e.g. anti-bot, WAF, API security, etc.
Cloud-native network security, such as traffic management between containers and microservices.
Zero-trust networking, e.g. SD-WAN, web proxies, etc. (They involve traffic from outside the corporate network.)
For those who have been following my newsletter recently, you can see where I’m going with this. Two related trends have made network security much less strategic: the cloud and SaaS. Honestly, there’s been a lot of security M&A in the past 3 years. Can someone tell me one good network security exit?
Anyway, so why is network security dead? What do cloud and SaaS have to do with it?
Elimination of the corporate perimeter. In some way, COVID has accelerated this. Organizations have realized that the new normal might include some amount of remote work, and VPNs won’t cut it. Similarly, remote work has accelerated the digital transformation and movement to the cloud. This means that the notion of a corporate perimeter has gone away.
Using SaaS applications further deteriorates the corporate perimeter. COVID has also accelerated this as SaaS applications are easier to manage and reduce the load on the IT team. However, data originally in a company’s datacenter now sits on the SaaS application’s cloud. Accessing it requires traffic to travel through the broader internet. How do you manage this traffic? Also, how do you manage off-band traffic from a SaaS application on a network that the company doesn’t control or own?
Cloud providers give limited visibility into the “network,” whatever that means in the cloud. You don’t have full control over the network or have complete visibility. That doesn’t fit well into the current network security paradigm.
As a result, existing solutions that leverage network traffic as telemetry data, such as data loss prevention, have substantially reduced value. Most of the important data isn’t in the perimeter, so monitoring the network to detect data exfiltration and enforce data policies is useless!
So, it makes sense to take the zero-trust networking approach, i.e. assume all network traffic is malicious. One major benefit is that you don’t have to worry about insider/employee threats specifically, which have been a big issue in the past. Of course, new issues arise, such as how to deal with DLP, how to manage data you don’t own, etc.
In this world, the focus has shifted to managing endpoints and how they access applications and the cloud. This means shrinking TAM and lower urgency to solve this issue, which is bad news for the crowded security market.
Network security might be dead, but new security issues created by the cloud are full of opportunity!
As always, happy to debate this, and I’m always happy to hear from smart VCs who have invested in network security and don’t think it’s a mistake. Send me friendly (or angry) messages on Twitter or email frank.y.wang@dell.com.
TWEET OF THE WEEK
We all miss the office for a different reason…