Security capital: Funding & Innovation
By Deb Radcliff
Ask 15 experts about where funding for innovation is headed and you'll get as many different answers.
The direst prediction is that we're headed for a perfect storm: An outbreak in digital crimes due to the economic recession, with no means to fund innovation required to advance protections. Optimists predict that this very rise in crime will lead to funding increases because it creates more demand for security. Other drivers include compliance and more layers of hardware and software security needed to support new types of applications, like virtualization, VoIP and mobility.
Nobody has a crystal ball. But David Cowan, managing partner at Bessemer Ventures in Menlo Park, Calif., reasons the answer is somewhere in-between.
“There will always be secular trends driving security investment, no matter what's going on with the economy. But there are also downward funding trends that will hurt security investment well into the future,” says Cowan, who co-founded VeriSign. The firm holds 25 information security start-ups in its portfolio, including eEye, Finjan, and Tripwire.
There's no denying that funding is down. Venture investment in information security shrunk nearly 50 percent – from $1.1 billion in 2004 to $566 million in 07, and $351.5 million as of Q3 2008, according to data processed by Dow Jones & Co.
On the other hand, spending for security is actually increasing, according to multiple sources. In a December report, Infonetics predicted slow but steady growth in the security appliance and software market – to $6.5 billion in 2011. In September, IDC predicted a 22 percent increase in the security and vulnerability management market — to $2.75 billion in 2008, and growth to $5.28 billion by 2012.
The state of VC
Although the pool of venture capital is smaller, VCs are still backing security start-ups, says Skip Glass, operating partner at Foundation Capital.
“Even before the economic downturn, I would have advised the same — tighten your belts, work hard and get as far along as you can on your own money,” he says. His firm manages $750 million in investment funds. “When you get to the point where you absolutely need outside expertise and funding, then by all means still go out and seek capital.”
Glass just completed a $28 million round of capital investment for Interact9-1-1, which services VoIP emergency calls. He invested in the company, he says, because the technology fills a new security need introduced by a widely spreading technology platform — in this case, VoIP.
Large, first-round capital investments like Interact9-1-1 are to be more expected in a tighter economy, says Patrick Morley, president and CEO of Bit9, an application whitelisting company in Waltham, Mass., named as a top innovator by Bank Technology News in 2008.
“Because they're managing such large funds, venture investors aren't as interested in funding $1 million to $2 million start-ups,” says Morley. “They're also looking for customers and trailing revenue of $50 million to $60 million.”Alternative sources
Glass confirms that large funders are looking for more mature start-ups with strong customer bases in which to invest larger funds, rather than breaking up large portfolios into lots of little funds. But smaller firms and angels are still investing in the smaller amounts, he adds. Another place to find funding is from the U.S. government.
Last year, Bit9 completed its third round of funding for a total of $26 million investment. However, its first round in 2005 of $5 million actually came from the National Institute of Standards (NIST) Technology Innovation Program (TIP), a program that the American Association for the Advancement of Science (AAAS) in September reported is on congressional hold for 2009 and awaiting the ax.
In the meantime, Department of Homeland Security (DHS) cybersecurity research and development, part of its Science and Technology Directorate, picked up $12 million more than it asked Congress for — with $30 million in funding for fiscal year 2009 ($25 million of that is to fund ongoing incubation to commercialization projects; $5 million is available for new projects), according to Douglas Maughan, program manager for the DHS Cybersecurity R&D program.
“A lot of agencies fund innovation in research. There aren't many that do what we do — fund the transition into operational commercialization, what is otherwise known as the valley of death for most startups without the right support,” Maughan says. “We take ideas to products, products through test, evaluation and certification, and then we transition that into the market.”
The first start-up to commercialize out of the DHS program is IronKey, a secure USB flash drive company based in Los Altos, Calif., that commercialized in 2007 and spun out.
Another area of importance to the program is infrastructure security, particularly around SCADA industrial processing and control systems used to generate power, treat wastewater and perform other essential infrastructure operations. Botnet detection and takedown, and insider threat protections are other areas of research and innovation being conducted.
Well-known tech schools — such as Purdue, MIT, Carnegie Mellon and the like — are also places to incubate ideas, says Eugene Spafford, Purdue professor and executive director of Purdue's CERIAS (Center for Education and Research in Information Assurance and Security).
And while they are useful for incubating ideas, most universities don't take ideas all they way to commercialization – beyond pointing them to VCs that their programs have contact with, says Spafford.
One school has chartered an incubator around this problem, says Ravi Ganesan, research professor and director for the Institute for Cyber Security (ICS) at University of Texas at San Antonio.
“We have research projects going on with the National Science Foundation and the Department of Defense on securing social networks, botnet detection and information-sharing at a very high level,” says Ganesan, a co-founder of TriCipher. “This incubator is to get these ideas to become companies that can walk on their own and get additional external VC funding or be acquired.”
This road to commercialization involves defining channels, strategy, positioning and all the things with which a VC team would assist their start-ups. In this case, when ICS-incubated companies are ready to launch, they do so with initial funding from the State of Texas Emerging Technology Fund, which in a sense acts as initial stage VC for these initiatives. The incubator has raised $5 million between the ETF and university for 2009, with an additional $1.5 million raised for research funding.
When it comes to industry sources, funding capital for innovation is a mixed bag.
Vertical industry sources of innovation are drying up, contends Cowan. In particular, he points out that the financial sector, the former “sugar daddy” for cutting-edge security, is out of money. Another innovative industry, telecom, is also cutting back — with AT&T announcing a four percent workforce layoff in December, following large workforce reductions by Verizon and Sprint Nextel earlier in the same quarter.
However, support for innovation still exists through large tech giants like Microsoft, IBM Watson Research Labs, and security-specific conglomerates like Symantec. In these cases, innovation, of course, centers around tie-in to products and services and possible acquisition down the road.
“Customers are spending on information security. What's driving spending is that companies need their dollars to go further,” says Vimal Solanki, VP of corporate strategy and business development at McAfee, which had 27 percent revenue growth in Q3 2008. “Sales of suites like ours are strong because they reduce operating costs and complexity. So I would advise innovators to use standards for integration with larger vendors.”
Bit9, for example, achieved McAfee Security Innovation Alliance certification in 2008, making it more valuable as a potential acquisition target — a common avenue that tech start-ups take to cash in on their ideas.
“With funding tight, you have to build a ‘must have,' rather than a ‘nice to have' technology. And that technology should have strong reach and ROI for buyers,” says Joseph Noonan, president and CEO of V.i. Labs.
In October, V.i. Labs announced round three funding of $4 million in support of its anti-piracy product, CodeArmor, which Noonan says brings ROI by recovering lost licensing revenues and even generating sales leads out of those once operating illegally.
BVP's Cowan agrees that innovation around cost-savings will be a primary driver behind funding for innovation going forward this year.
“The most compelling innovation in 2009 is cost-savings innovation,” he says. “This relates directly to the economy.”
Outlook for 2009
Protecting against online fraud will continue to be a major spending priority for CIOs in the coming months and well into next year as protection of a company's intellectual property remains a top priority.
2009 will bring online threats to a new level, in three specific ways:
Breadth of threats: Fraudsters have begun looking for new channels to exploit. We will see this come in the form of enterprise phishing in which attacks will be focused more on businesses rather than on the average consumer. Further, the rise of cloud and virtual ecosystems will introduce new “breeding grounds” for fraudsters if not protected properly.
Heightened motivation: As companies reduce their workforces, insider threats could become more probable than ever before. Similarly, competitors and other outsiders may be looking to steal product designs, formulae, and similar assets recognizing that they can steal innovation much faster than they can create it. Threat sophistication: We can expect a build-out of the fraudster supply chain, automated attacks and much more complex technologies.
As the fraud economy continues to be profitable it will become more attractive to a whole new generation of online criminals around the world. It will be up to the security community to continue to stay one step ahead of them.
Source: Art Coviello