Making Legitimate Business From Data Theft
Modernizing Authentication — What It Takes to Transform Secure Access
I recently attended a friend's 50th birthday party, in Berkeley, Calif., and during dinner the table talk turned to identity theft. It was the most engaging conversation of the evening. Nearly everyone had a personal story to tell about how they or a friend had been the victim of a cyber scam, hack or theft.
One man in particular knew an awful lot about the subject: how personal information is pirated; where stolen credit cards and identities can be purchased; how massive the problem is; and what can be done to curtail it.
He knew so much that I was convinced he was either a crook or a cop. It turns out he was neither. He was a security software entrepreneur. Dan Clements started his Malibu, Calif.-based firm, CardCops, in 2000, which actually makes him an old-timer in the identity theft racket.
Clements isn't the only legitimate entrepreneur trying to make a buck off identity theft. Dozens of companies have jumped into this booming market to peddle security software, hardware and consulting services. And more are joining the ranks every week.
At least 98 security software and services companies in the United States received venture funding in 2004, according to information collected by the National Venture Capital Association, PricewaterhouseCoopers and Thomson Financial Venture Economics. That's up from 83 in 2003. The pace has continued to increase this year, with 31 companies getting funding in just the first three months of 2005. And those numbers don't include venture-funded start-ups outside the U.S., or the hundreds of start-ups that get money from family, friends and angel investors.
The reason so many companies are being formed is that the demand for security solutions continues to mushroom. Every week brings news of hackers breaking into another corporate server and stealing credit card data, or a company losing backup tapes containing personal information on hundreds of thousands of people. Then there is the phishing, spyware and other malware that millions of individuals have to navigate around every single day. If greed and optimism fueled the first tech bubble, fear and pessimism are the drivers for this one.
As a result, executives in all types of businesses are asking tougher questions about the security of their company's and customer's information, wherever it resides. And that has CIOs scrambling for solutions, particularly in industries such as banking. A recent study by Info-Tech Research Group found that 72 percent of small and midsize banks plan to increase security software spending this year.
The growing demand for security software and services, coupled with the proliferation of security companies, has all the makings of a good old-fashioned bubble, with all the usual risks and benefits that bubbles in the technology business bring. If you are an investor in security technology and services companies, this may be a good time to hold on to your wallet, unless you really know what you are doing. If you are a CIO, it is no doubt comforting to know that so much brainpower and money is being thrown at the problem, but it may also be a bit disconcerting because the proliferation of companies makes it even more difficult to ferret out the best, and more likely that some of the companies you buy products from will fail.
But despite the similarities to other bubbles, the security bubble is different in an important way. Bessemer Venture Partners' David Cowan put it succinctly in his July 13 blog titled "Too Many Security Start-ups?" (whohastimeforthis.blogspot.com). "Creative and motivated thieves respond to every new security system with a workaround, and so the best we can ever hope to do with the safety of computer networks is tread water. That's why we will always need more start-upshungry, brilliant teams that innovate new defenses against phish, pharm, spim . . ."
Needless to say, Cowan, a venture capitalist, has a vested interest in promoting this pessimistic view of the world. But it's hard to argue with his logic that the security market, at least for the foreseeable future, needs start-ups.
What makes the security market unique is that it's a never-ending battle between the good guys and the bad guys. As quickly as one security breach is patched, cyber criminals find another way into the corporate database, or another way to fool the individual user into giving out his or her information. In an ideal world the fixes to these new problems would be created by existing security companies that would get better and better at what they do. That would make life much easier for CIOs, who could rely on a large company such as Symantec, Microsoft, Cisco or McAfee to solve their problems.
But the reality is that old firms don't respond as quickly to new opportunities, or to threats, as start-ups do. Take the example of intrusion detection and prevention systems: A few years back, traditional firewalls and antivirus software were proving no match for the sophisticated worms that were being launched by hackers. By the time a worm was detected, and a patch was designed to stop it, the damage had already been done. Start-ups such as Okena, Entercept Security Technologies and Sana Security tackled the problem by developing software that monitors the server for unusual behavior that might indicate a worm or virus, and when such behavior is discovered, it either alerts administrators or blocks the attack. The software worked so well that the big companies scooped up the start-ups. Cisco bought Okena in April 2003, and McAfee purchased Entercept that same month. Sana is still a private company.
"When you have a rapidly evolving threat it takes longer for a larger vendor to bring to bear their innovation, and give you an integrated solution," says Rajiv Dholakia, vice president of strategy and solutions at PGP Corp., a Palo Alto, Calif.-based security firm. That's because engineers working in a start-up environment can focus all their energy on developing a single product that solves a particular problem. At established firms, engineers spend a great deal of time making sure that new products work well with the company's existing product line.
Established companies also have a tougher time holding on to the most creative and technical minds. It is potentially more lucrative, and fun, for hotshots to form a start-up to tackle a new security problem than it is for them to stay at an older firm. (Dholakia, for example, has worked for four different security software companies in the last 10 years.) Established firms such as Cisco and McAfee have learned to use start-ups as outsourced R&D factories, buying up those that develop the best products. That's why loads of security start-ups are going to be with us for quite a while.
And that's why Cowan continues to pour money into the security market. Bessemer has invested in 11 security companies that are still in business: Counterpane, Cyota, Determina, eEye, Elemental Security, Finjan, Postini, Qualys, Tripwire, Tumbleweed and VeriSign. All but VeriSign and Tumbleweed are still privately held. (Cowan was the founding chairman of VeriSign; and ValiCert, where Dholakia once worked, was acquired by Tumbleweed.)
If the popularity of cyber crime continues to generate new security start-ups at a fast clip, what's a CIO to do? The short answer is get used to it. Most organizations already have procedures for evaluating start-ups and their products. The difference now is that organizations will have to learn to do this faster and more regularly.
Eric Nee, a longtime observer of Silicon valley, has served in a variety of editorial positions at Forbes, Fortune and Upside magazines. His next column will appear in November.