Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I’ve written in the past about how specific companies, such as Wiz, Vanta, Snyk, etc., fail. I’ve also talked about how categories of products, such as email security, are difficult. In this newsletter, I’m trying something different. I’m going to discuss how a category of security products might fail. I’ll bring up specific companies but won’t discuss them in too much detail. The format will be a bit different since it doesn’t involve a specific company, but I will provide my broader thoughts/frameworks on how I’m thinking about this space.
What is data security?
Honestly, I don’t know if anyone has a good answer here. Traditionally, independent data security products have been focused on data loss prevention (DLP). DLP detects the loss of sensitive data through breaches and exfiltration. However, before the cloud, this was much easier. With on-premises data centers and self-hosted applications, an organization could easily monitor its data flows. Monitoring its network perimeter and endpoints was sufficient. In essence, this was possible because the data was “centralized.”
However, today’s reality is more complicated. Data is highly decentralized. We have SaaS applications, multiple clouds, different types of endpoints, etc. On top of that, there’s no static perimeter to monitor. As a result, traditional DLP won’t work.
Another issue is that the organization doesn’t have control over how data is managed or used in a SaaS application. In other words, there’s no way for an organization to manage DLP for a SaaS application. Of course, the application itself can offer this as a feature, but if it doesn’t and it’s a critical application, there’s not much the security team can do about it. Even if they offer DLP as a feature, the security team has no control over how it’s implemented.
The problem still remains that there is sensitive data in various parts of an organization’s stack. How do we secure it? Also, is data security a platform, product, or feature?
With the cloud, data security is no longer a platform.
With what we described above, it’s clear that SaaS applications and the cloud are here to stay in some form. If anything, we might gravitate toward a hybrid world, which only further complicates the matter. I think it’s unlikely we will return to a world where data is as centralized as it was in the past. Therefore, it’s fair for us to accept this new reality.
Without this data centralization, it’s hard for data itself to serve as the telemetry for a security platform. If anything, most of its value has moved over to the network, as security teams want visibility into how data is moving between their endpoints and infrastructure. That’s the best they can do in this decentralized world. As a result, it’s natural to gravitate toward other platforms, such as monitoring access or the network, as a way to tackle the data security problem.
There is a nuance here. An argument can be made that secure web gateways are a platform, and I agree. However, their primary purpose is more focused on network security than on data security. They don’t solve broader data security problems, such as managing data at rest.
Data security has products at best.
Since data security is not a platform, companies are now creating products around redefining how data security works. (Of course, there are legacy products, or products for companies that have legacy stacks, but those are out of scope for our discussion here because they are likely shrinking businesses with a more obvious path to failure.) For example, we are seeing the rise of data security posture management (DSPM). They are taking the approach of cloud security players, such as RedLock and Wiz, who focused initially on cloud security posture management (CSPM) and expanded into other adjacencies. However, the jury is still out on whether these companies will become sustainable large businesses that can have multiple products.
There are also products targeting different aspects of data security, such as access and classification. Companies like BigID initially provided data classification and visibility and have slowly pivoted to DSPM. There are companies like Abbey and features of Teleport that manage data access. Finally, there are companies, such as Privacera and Immuta, providing data governance and privacy for the modern data stack. In my mind, those companies are a different flavor of the data access problem.
For all these companies, it’s unclear if they can build a platform that supports multiple products. In fact, some of these products seem like they should be part of platforms. For example, the data governance and privacy products feel like they should be part of data transformation platforms, as those have visibility into all the queries. Similarly, data classification and visibility companies should be part of data clouds. It’s possible they aren’t part of data clouds in the same way CSPMs aren’t part of the cloud providers. However, I believe this category of products has a value ceiling, i.e., there’s not enough of a technical moat to deliver increasing value to customers without creating more products.
Most data security will likely be features of other products.
With the decentralization of data, I believe that every data store will have to offer DLP as a feature. For example, as email is now more of a SaaS product, we are seeing email security products like Material Security offer DLP as a feature. Similarly, we are seeing Cloudflare offer dedicated DLP as part of their zero-trust platform, which is anchored by their access and secure web gateway products. Likewise, we are going to see sensitive SaaS applications offer DLP as a way to upsell enterprise customers or as a differentiator. Finally, we will likely see DLP as a feature in various parts of the modern data stack.
It’s fair to say that the decentralization of data has led to the decentralization of data security. To conclude this topic, data is just complex. There’s a large range of data types and sensitivities that make it a huge threat surface that’s difficult to protect. To add to the complication, much of it is contextual. For example, most PHI data is hard to detect without context. The most context lies with the application, platform, or infrastructure that stores the data.
Data security startups will be irrelevant.
With that said, all current and future data security startups will slowly have their relevance and market share chipped away by the platforms and products that actually store the data. Technically, it makes sense for the product that actually stores the data to be the one monitoring it.
These data security companies will come and go. They will never become $1B+ cybersecurity companies. If they build a good product, they will likely be acquired by a larger cybersecurity or data platform. That’s why it was smart for Dig Security to sell to Palo Alto Networks. It ends up being a mutual win rather than Dig Security spending large amounts of capital looking for both product-market fit and a sustainable GTM motion. However, many won’t be as lucky as Dig Security, which found good timing. Many will struggle until they run out of money and investor support, and they will end up being sold for talent and some of their technology.
Takeaway
Having data is power. It’s not a surprise that the largest tech companies, such as Google and Meta, rose to prominence because of their data. As a result, companies are incentivized to hoard data that might benefit them, leading to a decentralization of data for an organization. This inherently will make standalone data security products hard because they lack the context and access to provide meaningful value to their customers. Companies in this space will come and go, but I doubt we’ll see a data security platform or even a sustainable company. However, we might see an increased number of data security features as part of other products or platforms.