Frankly Speaking 2/16/21 - Most security products are useless!
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
Hope everyone had a great Super Bowl weekend and happy Chinese New Year! I decided to delay this newsletter a week because I couldn’t compete with the attention around the Super Bowl. Plus, I didn’t have time to write a newsletter since most of my Sunday was spent preparing and watching the Super Bowl. I thought I would deliver quality over quantity.
Anyway, what’s most interesting to me this past week was Datadog’s move into security with the acquisition of Sqreen and Timber. Those companies match Datadog’s GTM closely, but it’s not clear how it will make Datadog a bigger force in the security world. Maybe they don’t care and just want to capture some of the market from the security vendors and get the market multiples for that revenue.
This is a segue into my thoughts this week.
LET’S BE FRANK
Ok, it might be a bit dramatic to say most security products are useless. There are some nuances around it, of course. What I mean is that most security products don’t have large addressable markets. In other words, most security products are niche.
So, why are there so many security vendors and so much funding in cybersecurity companies? Well, there are a lot of problems in cybersecurity, and many of them are “new,” meaning it’s difficult for existing vendors to solve them, e.g. cloud security. There are also uninformed VCs who are willing to fund these companies, which raises the deeper question of funding. Why is Crowdstrike valued so highly? Why are public security companies doing so well? VCs need to make bets in security, and deals are competitive. As a result, we have typical market dynamics: supply is relatively low and demand is high, so fundings and valuations are driven up. However, it’s important to remember that VC funding rarely matches market size. Just look at the endpoint security market 5 years ago, where there was arguably more funding than revenue in the sector. Many of those companies have been left in the dust…
Anyway, back to the topic of why I believe most security products are niche. Most security companies/products have a flawed assumption: The problem of the few must also be the problem of everyone. I see this problem, especially with Silicon Valley/SF startups. It’s easy to be stuck in the bubble and listen to the security problems of only other Silicon Valley/SF companies and startups. If you don’t believe me, just look at the data. For every major security category, there are at least 1-2 public non-Silicon Valley companies for every public Silicon Valley company.
For example, let’s look at endpoint security. Crowdstrike (HQ in Sunnyvale but mostly distributed) and Cylance (Irvine) were not started in Silicon Valley. How about vulnerability management? Rapid7 (Boston) and Tenable (Baltimore). Identity? CyberArk (Israel and Boston) and Sailpoint (Austin). Email security? Mimecast (London). The list goes on.
The point is that more cybersecurity startups outside of Silicon Valley succeed than one might initially think. Upon deeper thought, this makes sense. Most of the companies that buy these products are in the Fortune 500 and are not set up like Silicon Valley tech companies. These other companies are closer to their customers!
So, what’s different about security at traditional Fortune 500 vs. tech companies? No, this isn’t a trick question! There are a bunch of differences, but here are some highlights:
They have legacy technology that needs to be secured.
They didn’t start in the cloud and have to transition there somehow.
They have centralized security teams, who tend to have limited to no visibility into developer environments.
It’s also important to note that security companies/products can’t change the culture and operation of these organizations overnight. It’s no surprise that in my regular conversations with CISOs and security leaders at these organizations, they still have the same priorities: email security, vulnerability management, data security, identity, and cloud security.
The problem is that a lot of security products are “nice to haves” that will only be useful if an organization has solved the basic problems I listed above. For example, deception products are not going to be useful if a company doesn’t have a good grasp on how to manage its vulnerabilities.
Similarly, many cloud security products presuppose a company that has a sophisticated DevOps team. Not surprisingly, most companies don’t have one, even though they are using the cloud!
That’s why we see a lot of security companies stagnate because the product is not useful outside of a few specific companies. With that said, there are still a lot of problems to be solved in security, but just make sure you are building a product to solve those rather than niche problems if you want to build a successful startup.
So, to go back to the beginning. Why do I think most security products are useless? Well, they solve problems only for a very limited group of companies. That’s part of the reason why security problems aren’t getting better despite the increase in security vendors.
Finally, there are a lot of products where the market might be big in the future, and those are harder to identify, especially around cloud security. In my recent posts, I’ve been talking a lot about that, but as always, my email is open to those who want to chat more.
TWEET OF THE WEEK
People ask me why a company doesn’t just use AWS’s security features. This is why…