Last week Rich sent around Cockroaches Versus Unicorns: The Golden Age Of Cybersecurity Startups, by Mahendra Ramsinghani over at TechCrunch, for us to read. It isn’t an article every security professional needs to read, but it is certainly mandatory reading for anyone who makes buying decisions, tracks the security market, or is on the investment or startup side.

It also nearly perfectly describes what we are going through as a company.

His premise is that ‘unicorns’ are rare in the security industry. There are very few billion-dollar market cap companies, relative to the overall size of the market. But security companies are better suited to survive downturns and other challenging times. We are basically ‘cockroaches’, which persist through every tech Armageddon, often due to our ability to fall back on services.

Many security startups are not unicorns; rather, they are cockroaches – they rarely die, and in tough times, they can switch into a frugal/consulting mode. Like cockroaches, they can survive long nuclear winters. Security companies can be capital-efficient, and typically consume ~$40 million to reach break-even. This gives them a survival edge – but VCs are looking for a “growth edge.”

The security market also appears much smaller than it should be considering the market dynamics, although it is very possible that is changing thanks to the hostile world out there. The article also postulates that the entire environment is shifting, with carriers and managed services providers jumping into acquisitions while large established players struggle.

Yet most of the startups VCs see are just more of the same, fail to differentiate, and rely far too much on really poor FUD-based sales dynamics.

With increasing hacks, the CISO’s life has just become a lot messier. One CISO told me, “Between my HVAC vendor and my board of directors, I am stretched. And every day I get a hundred LinkedIn requests from vendors. Their FUD approach to security sales is exhausting.”

“I have seen at least 40 FireEye killers in the past 12 months,” one Palo Alto-based VC told me. Clearly he was exhausted. Some sub-sectors are overheated and investors are treading cautiously.

We certainly see the same thing. How many threat intel and security analytics startups does the industry need? We get a few briefing requests a week, from another new company doing exactly the same things. And all our CISO friends hate vendor sales techniques. These senior security folks get upwards of 500 emails and 100 phone calls a week from sales people trying to get meetings. All this security crap looks the same.

This combination inevitably leads to a contraction of seed capital, and that is where our story starts.

Most of you have noticed that over the past few years our research has skewed strongly toward cloud security, automation, and DevOps. This started with our initial partnership with the Cloud Security Alliance to build out the CCSK training class around 6 years ago. Rich had to create all the hands-on labs, which augered him down the rabbit hole of Amazon Web Services, OpenStack, Azure, and all the supporting tools.

As analysts we like to think it’s our job to have a good sense of what’s coming down the road. We made a bet on the cloud and it paid off, transitioning from a hobby to generate beer money to a major source of ongoing revenue. It also opened us up to a wider client base, especially among end-user organizations.

Three years ago Rich realized that in all his cloud security engagements, and all the classes we taught, we heard the same problems over and over. The biggest unsolved problem seemed to be cloud security automation. The next year was spent writing some proof-of-concept code merely to support conference presentations because there were no vendor examples, but at every talk attendees kept asking for “more… faster”.

This demand became too great to ignore, and nearly 2 years ago we decided to start building our own platform. And we did … we built our own cloud security platform. Don’t worry, we don’t have anything to sell you – this is where Ramsinghani’s article comes in.

Our initial plan was to self-fund development (Securosis is an awesome business) until we had a solid demo/prototype. Then we assumed it would be easy to get seed cash from some of our successful friends and build a new company in parallel with Securosis to focus on the product. We didn’t just want to start up a software company and jettison Securosis, because our research is an essential driver to maintain differentiation, and we wanted to build the company without going the traditional VC route.

We also have some practical limitations on how we can do things. We are older, have families to support, and have deep roots where we live that preclude relocation. The analogy we use is that we can’t go back to eating ramen for dinner every night in a coding flophouse. The demo killed when we showed it to people, we are really smart, and people like us. Our future was bright.

Then we got hit with the reality clue bat. Everything was looking awesome last year at RSA when we started showing people and talking to investors. By summer all our options fell apart. We didn’t fit the usual model. We weren’t going to move to the Bay Area. We couldn’t take pay cuts to ‘normal’ founder levels and still support our families. And to be honest, we still didn’t want to go the normal VC route. We just weren’t going to play that game, given the road rash both Mike and Adrian have from earlier in their careers.

Just like the article said, we couldn’t find seed funding. At least not the way we wanted to build the company. We even had a near-miss on an acquisition, but we couldn’t line everything up to hit everyone’s goals and expectations.

Yet while this all went on, the Securosis business you see every day continued to boom. We increased revenue despite all the distractions and opportunity cost of running a second company. Our services and research continued to drive toward the cloud and automation, exactly as Ramsinghani described. Even the product platform continued to come together well, despite our super limited resources.

Securosis 2.0

We weren’t going to talk about any of this yet, but that article struck too close to home. It described exactly what we have been seeing on the analyst side, and also experiencing as we tried to build a separate company.

First of all we aren’t discarding our core business or customers, but we are most definitely changing direction. Our biggest area of growth has been our cloud security workshops, training, and project/architecture assessments. We barely even talk about them, but they sell like crazy. We’ve spent 6+ years working hands-on in the cloud, and it’s paying off. We spent 3 years focusing on automation and DevOps, and that is also now part of almost all our engagements.

So that’s going to be our new focus: cloud security and the automation, DevOps tools, and techniques that support it. But there are only 24 hours in a day, so we are backing off some of our other research to focus.

We don’t know exactly what this will look like or how quickly we will be able to shift our focus, but we should have our first pass of the new workshops ready to reveal pretty soon, plus another major partnership. We are also looking at options for local events and a new membership program, and have already started new kinds of research. We aren’t changing our spots. A lot of our research will remain free; some will probably be tied into one of our other projects. Nothing changes for existing customers. We will also rebrand to reflect the new focus. But we will keep the Securosis name in some form – we’re attached to it.

We’ll use our automation and orchestration platform, Trinity, as a research tool to test our hare-brained ideas about how cloud security and automation should happen. As we continue to build out its capabilities (we need them for some of our projects), we hope Trinity will interest our research clients in some capacity. It’s not the first time a security services shop has built a product to help them deliver better services cheaper and faster. We call that operation “Securosis Labs” for now.

We have been the security research shop which has been most vociferous and aggressive about how the cloud is going to change everything we know about the technology business and securing it. We’re putting our money where our mouth is because this is so clearly where the world is headed, we would be idiots not to jump on it.

Now is the time. It’s time to grow the company beyond what 3 guys in coffee shops can deliver. It’s time to put into practice everything we have learned about the new world order. It’s time to lead organizations through what will be a turbulent ride into the clouds. It’s time for Securosis 2.0. We’re very fired up, and we ask you to stay tuned as we figure out and announce what this will look like over the next few months.