Where would you invest? The Reuters article about Silicon Valley VCs betting on new technologies to protect computer networks got me thinking about where I would invest in computer security. This is a very tough question, because where I would invest in security technologies as a CIO is different than where I would invest as a venture capitalist. I can see security bets that address most CIOs’ need to spend money, and quite different technologies that address noisy threats, which could make investors money. As Gunnar pointed out in Unfrozen Caveman Attacker (my favorite post this week), firewalls, anti-virus, and anti-malware are SSDD – but clearly people are buying plenty of it.

As long as we are playing with Monopoly money, as a CIO facing today’s threats I would invest in the following areas (regardless of business type):

  • Endpoint encryption – the easiest-to-use products I could find – to protect USB sticks, laptops, mobile and cloud data.
  • As little as possible in ‘content’ security for email and web to slow down spam, phishing, and malware.
  • Browser security to thwart drive-by attacks.
  • Application layer monitoring both for specific applications like web apps and databases, alongside generic application controls and monitoring for approved applications.
  • And (probably) file integrity monitoring tools.
  • A logging service.
  • Identity, Access, and Authorization management systems – the basis for determining what users are allowed access and what they can do.

From there it’s all about effective deployment of these technologies, with small shifts in focus to fit specific business requirements. Note that I am ignoring compliance considerations, just thinking about data and system security.

But as a VC, I would invest in what I think will sell. And I can sell lots of things:

  • “Next Generation Firewalls”
  • Cloud and virtual security products – whatever that may be.
  • WAF.
  • Anti-Virus, in response to the pervasive fear of system takeover – despite its lack of effectiveness for detection or removal.
  • Anti-malware – with the escalating number of attacks in the news, this is another easy sell.
  • Anything under the label “Mobile Security”.
  • Finally, anything compliance related: technologies that help people quickly achieve compliance with some aspect of PCI, HITECH or some portion of a requirement.

Quick sales growth is about addressing visible customer pain points – real or perceived. It’s not about selling snake oil – it’s about quick wins and whatever customers demand.

On to the Summary:

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to kurk wismer, in response to FireStarter: Trust and (Dis)Information.

you’re not nuts. telling your opponent how you intend to attack them, thereby giving them an opportunity to deploy countermeasures, would be a great way to cause your strategy to fail.

even in the unlikely event that the authorities believe they’ve already gotten all the information they need out of these informants, there are always new actors entering the arena that the informants could have been useful against if their existence hadn’t been given away.

the only way this makes sense for an intelligent actor is if the claim about informants is psyops, as you suggest.

unfortunately, i don’t think we can’t assume the authorities are that intelligent. it would certainly be nice if they were, but high-level stupidity is not unheard of.