Eric Benhamou BGV Founder and General Partner shares his impressions of the 2016 RSA conference and trade show
This year, I dedicated almost 3 full days to attending the RSA cyber security trade show and conference. I was in good company: over 40,000 attendees and 400 exhibitors. My head is still spinning and my feet aching from the experience. I was reminded of Interop in the heyday of the 90s, except in those days you didn’t bump into other attendees texting on their smartphones while walking the show floor... As I strolled through the aisles and listened in on the various pitches of the vendors and expert speakers, I was struck by several impressions:
They all sound the same!!!
Every pitch starts with the obligatory statistics recounting the spectacular growth in sensational hacks (Target, Sony, and the US Office of Personnel Management are the favorite poster children, but there are many others) and the mounting costs of these attacks. Once you have been sufficiently scared by the sheer catastrophes brought about by the bad guys, you are then exposed to the vendor’s supposedly unique technology (patent pending), which is usually described by a combination of buzzwords picked randomly from the following list: advanced machine learning, virtually no false positives, virtually no false negatives, deep threat intelligence, real-time alert correlation, automated incident response, adaptive policy enforcement, intelligent on-demand sandboxing, next-generation advanced persistent threat prevention, cloud-based containerized security. If your eyes are not totally glazed over by then, you may partake in a canned demo showing a tiled dashboard comprising colored rings, bar charts, and exploded pie charts. This would all look pretty similar to your Fitbit daily health and exercise dashboard, except there usually is at least one tile showing 1980s Unix-style time-stamped alerts on a black background, which is there to suggest there is serious computer science wizardry under the hood.
It sure is tempting to read these clues as clear signs of commoditization of the cyber industry.
While this would be partly true, it would be equally wrong to lose interest in it. Taken as a whole, the cyber security market is estimated to grow at a CAGR of 9.8% from 2015 to 2020, according to a report from Markets and Markets. It is a far cry from the 20% CAGR of the network infrastructure industry I remember from the 90s, but it is nothing to sneeze at: it remains about 4 times the growth rate of the world GDP. Furthermore, sectors such as threat intelligence, endpoint security and cloud security are growing several times faster than the cyber security industry as a whole. If you are, like me, an investor in the world of cyber security startups, how are you supposed to place your bets? A sobering fact to keep in mind is that while the cyber security end markets are growing at this good (but not great) clip, the VC industry is pumping capital into it at a CAGR of close to 50%. This impedance mismatch portends a fair amount of capital waste and blood on the floor (i.e. funded startups that never reach take-off velocity).
Speaking of impedance mismatch, how can CISOs possibly absorb the ever-expanding plethora of new tools competing for their attention?
Ultimately, their limited capacity to evaluate, conduct POCs, triage, integrate and deploy new technologies is the gating factor that will prevent at least 50% of these aspiring young cyber startups from ever reaching critical mass. Whether they address a top 3 or top 5 CISO priority in a compelling enough way, and whether or not they can easily integrate into a cyber environment that precedes them, will determine their fate.
As I was debating these observations with my partners, we came to the following conclusions:
Punting is not an option. Cyber security budgets are growing faster than most other budgets across all enterprises.
The quality of the team is an important mitigation factor against the risks of commoditization due to intense competition and blurred differentiation. By quality, I do not mean IQ: I have rarely met a cyber entrepreneur whose IQ is below 150. In fact, when I visit Israel, a microcosm of the cyber industry, the cyber entrepreneurs I meet there seem to have all come out of the famous Unit 8200, in many cases from its even more selective Talpiot program. By quality, I am referring to their intellectual and psychological ability to re-invent themselves and pivot multiple times before finding the product-market fit that really has traction.
There is no substitute for the hard work required to gain a detailed understanding of the sector and to obtain fine-grained customer feedback. Market reports are misleadingly high level. Early customers can provide biased feedback (because they may be friendly with the entrepreneur or because they don’t pay full price). Demos are misleading because, by definition, they do not reproduce a realistic customer environment. In short, more work is needed than in other sectors, and the bar must be raised even higher.
Finally, choose your co-investing partners carefully to cross the valley of death, the period of time during which the company experiments, acquires customers one at a time, and consumes cash. Embarking on this journey with insufficient capital is tantamount to crossing a desert with just enough water to reach the midpoint, and hoping to find an oasis along the way...