Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

I’m going to try something slightly different this week. Instead of talking about a specific company, I’m going to discuss a product category. It might seem rambly as I use this piece to organize my thoughts on the market and think about how this market can evolve/why it’s been hard to evolve.
What is email security?
That’s an interesting question. It’s obviously dealing with the security of emails. However, much has changed in recent years. For context, until recently, most organizations hosted and ran their own email services, but with the emergence of the cloud, organizations have decided to reduce their IT burden by shifting email hosting to the cloud. This is a key change: before, emails were entering a company’s network, but now they exist in the cloud.
What does that mean? With the shift, the company no longer has to worry about malicious emails sitting on its own servers. That burden has shifted to the cloud providers, which in this case are primarily Google and Microsoft. As a result, those companies have more email security features in their SaaS offerings, and these are provided to the customer.
The customer now has to worry about other types of malicious emails. In my mind, there are two main ones: phishing and malware. Most email security is focused on phishing because that’s a low-effort way to steal credentials. Malware is a concern, but as stated earlier, with the increased use of hosted email, the main concern is around its download and execution. With the advancement in endpoint technology, the responsibility for malware has also shifted.
However, with more SaaS and cloud-based applications, emails contain information that might be helpful to address different types of threats. I’ll discuss this more below.
How does email security work?
In the past, emails were scanned before they entered the network, which led to delays in sending and poor experiences. Many email security products changed by proxying emails before they hit the cloud servers. However, API-based solutions have become more popular, especially given the rise in processing power. API-based solutions scan inboxes after the email arrives. That is, they don’t delay the email by scanning it first, but they let it reach the inbox and then scan it. This model makes more sense nowadays because most companies use Slack or Teams for internal communications. This means that employees don’t check emails that often, so even if a malicious email were to be in an employee’s inbox, the chances of an employee opening it before it’s scanned are reduced. Similarly, if an employee is expecting an urgent email, he/she will wait, but these types of emails are lower risk. This shift results in a better experience for not much more risk.
What is going on with the market?
Email security is an interesting market. It’s a category that has been around for a while. It’s a category that every company needs, so the market is 100% of companies. Even small businesses need it. The question is what kind of product these companies need. Like all security categories, the answer shifts with other trends, specifically ones around the cloud and productivity. Overall, email security has been an area of stable and large spending. Moreover, the risk also increases exponentially as an organization grows.
Proofpoint is one of the biggest players in the market, but it was recently acquired by Thoma Bravo. When it was public, it had great earnings, but it was hard to create and maintain growth. Microsoft has dabbled in the space with the Microsoft Defender product. There have been attempts at innovation, but it wasn’t until 2017-2018 that we started to see a new generation of email security products gain traction, namely Material Security and Abnormal Security. I haven’t tried any of these products, but I have looked at their websites and talked to people in my network. I was skeptical at first, but I was ultimately impressed and became more curious. I have every intention of getting to know these products better through demos, etc. I do think they seem to have a modern take on email security, incorporating concepts around threats around data security and SaaS applications.
The organizational challenge for email security
Infrastructure and workflow changes inevitably create some organizational shifts. We’ve seen this with the rise of security engineering as more applications move into the cloud and more frequent deployments happen. With email security, the organizational change is likely more nuanced. IT and security have traditionally owned email security through a partnership because it’s classified under corporate security. Traditionally, IT and security were under the same organization, and many times, they rolled up to the same leader. In fact, most security folks had spent a good amount of their career in IT. As a result, it was easier to align.
With the creation of security engineering, the ownership of corporate security and thus email security has become less clear. Email is definitely an IT issue, and security needs to set policies for email and corporate security more broadly. The issue here is that security engineering likely demands more scalable products that might also be beyond IT’s ability to implement or manage. In many ways, these more advanced products that work better in modern IT environments might take ownership away from IT and push it into engineering. It’s unclear how to resolve this issue, but scalable products are beneficial to an organization and improve operations. My guess is that we’ll be seeing security engineering taking more ownership over scalable corporate security initiatives in the future.
What should a good email security product look like?
I discussed earlier that email security is addressing different threats than even a decade ago. In my opinion, dealing with phishing and malware are table stakes. As I said, malware has become less important given the advancements in endpoint security, so it’s important for an email security product to have strong phishing prevention and detection features.
For phishing, it should be easy to detect with minimal false positives. Even if there are false negatives, there should be an easy way for employees to report it, and for the security engineer to investigate it. If it turns out to be an actual phishing email, I would like to know who else has clicked on the link so that we can lock their accounts or add additional security mechanisms to give them a chance to rotate their credentials. Ideally, this could be automated and easily initiated.
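The follow-up described above (find everyone who received the reported link, then everyone who clicked it), as an added example that is not part of the original post. The record shapes, the `campaign_key` and `triage` names, and the choice to match links on host and path are assumptions; all sample data is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the original post). Timestamps are assumed
# to be UTC ISO 8601 in one format, so plain string comparison orders them.
DELIVERIES = [  # (recipient, message_id, urls), as a mail API might return them
    ("alice@corp.example", "m-101", ["https://login.example.test/reset?u=a1"]),
    ("bob@corp.example", "m-102", ["https://LOGIN.example.test/reset/?u=b2"]),
    ("carol@corp.example", "m-103", ["https://intranet.corp.example/wiki"]),
]
CLICKS = [  # (user, url, timestamp), as a web proxy or link-rewriting log might
    ("bob@corp.example", "https://login.example.test/reset?u=b2", "2024-01-08T09:14:00Z"),
    ("dave@corp.example", "https://login.example.test/reset?u=b2", "2024-01-08T09:40:00Z"),
    ("bob@corp.example", "https://login.example.test/reset?u=b2", "2024-01-08T09:02:00Z"),
    ("carol@corp.example", "https://intranet.corp.example/wiki", "2024-01-08T08:00:00Z"),
]

def campaign_key(url):
    """Reduce a URL to (host, path) so per-recipient query tokens still match."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return (parts.hostname or "").lower(), path

def triage(reported_url, deliveries, clicks):
    """Map one reported link to messages to pull and accounts to lock."""
    key = campaign_key(reported_url)
    received = {}  # recipient -> message ids carrying the link
    for recipient, message_id, urls in deliveries:
        if any(campaign_key(u) == key for u in urls):
            received.setdefault(recipient, []).append(message_id)
    first_click = {}  # user -> earliest click on the link
    for user, url, ts in clicks:
        if campaign_key(url) == key:
            first_click[user] = min(ts, first_click.get(user, ts))
    clicked = sorted(first_click, key=first_click.get)
    return {
        "quarantine": {r: sorted(m) for r, m in sorted(received.items())},
        "lock_and_rotate": clicked,  # ordered by first click
        "first_click": first_click,
        # Clicked with no delivery record, e.g. the email was forwarded.
        "clicked_without_delivery": sorted(set(clicked) - set(received)),
    }

if __name__ == "__main__":
    print(triage("https://login.example.test/reset?u=a1", DELIVERIES, CLICKS))
```

Users in `clicked_without_delivery` are the ones a recipient-only search would miss, so they need the same credential rotation as the direct recipients who clicked.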
There is also general email configuration and posture management. That exists already with most cloud-based email providers. It feels like there’s not much value to add here, but it might provide useful context for better overall risk analysis. It’s possible that, combined with emails, it can provide more nuanced risk evaluations/scores.
There has also been a push toward dealing with DLP, especially around sensitive information and credentials leaking into email. This is worth detecting and can be useful to better understand organizational risk and any unintentionally leaked information.
Finally, Abnormal Security seems to be focused on email add-ons and email-like add-ons that check on Zoom and Slack. This is interesting. It seems they are trying to expand into SaaS security using email security techniques, which is a good way to expand the platform. I’m not sure of the value here, but I can see it mattering for operations-focused security organizations that need to detect issues to show relevancy.
However, it seems that Material Security is trying to focus on additional risks that emails can detect. For example, there’s a focus on business risks, such as legacy authentication and shadow IT. This is an interesting approach that allows them to expand into SaaS posture management generally. Also, security engineering-heavy organizations might be interested in having this type of functionality as more engineering teams are involved in access controls for SaaS applications.
To disclaim, I have not tried either product, but it seems like Material Security is focused more on customers who have security engineering teams while Abnormal Security is focused on primarily security operations teams. The product features for both companies seem to trend that way. In order to grow in this market, it feels like a “feature grab.” The platform is clear: emails provide valuable information about an organization’s risk. The question is how to build features and applications on top that deliver value and find ways to constantly grow the feature set so that you can charge more per user.
Takeaway
Email security is an important consideration for every organization. There has been more innovation in the past 5 years, which makes sense given changes in the usage of email and the changes in workflows. The core product around phishing seems to have evolved, but it’s interesting to see how these products can grow into new markets given the changes in email content and workflows. I feel like the winner here will keep innovating and adding valuable features. The market is big enough to have multiple players.
Thanks Frank for the thoughtful post. Your assessment did a great job of covering one half of the email security market -- e.g. Business Email Compromise (BEC) represented by products like Proofpoint, Material, and Abnormal, all of which are laser focused on keeping risk out of your inbox.
Data Centric Security (DCS) is the other half of the email security market, which you failed to mention. It's represented by products like Virtru, which is laser focused on protecting your outbox -- so you can easily apply security policy and access controls to sensitive information that must be shared externally with third-parties.
Happy to chat live if you're ever interested in learning more? Also, feel free to peek at this: https://www.virtru.com/blog/inbox-vs-outbox-the-stark-difference-between-business-email-compromise-bec-vs.-data-centric-security-dcs