How the business of security can be at odds with the practice of security
Looking at incentives of the participants of the security market, how these incentives lead to conflicts of interest, and how the business of security can be at odds with the practice of security
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
The practice of security and the business of security: a brief definition
The practice of security
When security leaders and practitioners talk about cybersecurity, they think about it as a practice. Over the past several decades, we’ve established many great avenues for discussing the practice of security, sharing our learnings, and advancing the field forward. Not only there are now events that focus on security in a broad sense such as Defcon, Black Hat trainings, and BSides, but we also have a growing list of specialty conferences, including:
DEATHCon, a hands-on conference for detection engineers and threat hunters
Blue Team Con, a blue team-focused event for security practitioners
FIRST, a conference on computer security incident response
There is a full understanding that security is complex and that we as an industry need to continue evolving and maturing our practices and approaches. The discourse about what to do and how to do it well is happening in private conversations, industry groups, newsletters, at podcasts, events, and via other means. All this combined with the passion I see when I talk to security professionals gives me a lot of optimism that we will continue to get better.
The business of security
Looking at security as a practice is important, but not enough if one wants to understand the holistic picture and achieve greater impact. There is another side of the coin, one that is rarely discussed - namely security as an area of business.
When looking at it from the business angle, one will quickly realize just how many different parties and stakeholder groups are out there. This includes startups, mature product vendors, investors, resellers, integrators, service providers, insurance companies, lobbyists, analyst firms, and more. Each of these groups has its interests, motivations, and incentive systems, and it’s the intersection of these interests and how they overlap with the needs of security buyers create what we know as a security industry.
There are few places where industry participants can get familiar with the business of cybersecurity. Although this has been the topic I write about the most, the sheer complexity of the field makes it highly improbable that Venture in Security will be able to answer all questions. If a security practitioner today were to ask where they can go to learn the business of security, there are very few places I can point them to.
The overlap: a point of value exchange
The business of security and the practice of security aren’t entirely different dimensions - they coexist, and overlap in a myriad ways that are too complex to easily visualize. If I squint a lot, this is what I’d probably draw (although I am by no means happy with this image).
The intersection between each group is where the value is exchanged - services are rendered, products are sold, professional advice is shared, and so on. Needless to say, different components of the two categories interact with one another in many ways; these interactions, however important, are outside of the scope of this piece.
The business of security: understanding the motivations & incentives of participants
Motivations and incentives of the key players
I am a big believer that to build a holistic understanding of how any system works, one needs to first map out the players and their incentives. Incentives drive behavior, and exposing motivations makes it easy to assess the probability of a certain outcome. If a sales team is only evaluated based on their quota, and the only measure of product success is the speed of delivery, then there is no reason why either team would think about security. This is true at the individual, organizational, and industry levels.
To build a holistic picture of the business of security, we need to understand the motivations & incentives of the key participants. Here are some of the thoughts about how it looks in cybersecurity.
Investors
The more parties are part of a system, the more complex are the incentives; nowhere it is as easy to see as in the case of investors.
Angel investors are individuals who put in their own money. The reasons why people do it vary: some enjoy being involved with early-stage companies acting as advisors and connectors, others want to support their friends or ideas they believe need to exist in the industry, and some are interested in building an investment portfolio and generating financial returns alone. Most angels do not have a specific time horizon to exit their investment, and what some founders don’t realize - many angels can sell their investment to VCs at a later stage of the company. As such, depending on their original goals, angels are incentivized to see the company grow through the first several rounds of funding but they may or may not be affected by the final outcome for the startup. If an angel investor sold their shares at series B, but the company failed after series D, they would still see a good return on their shares despite the fact that the startup ultimately went under.
VCs, on the other hand, do not invest their own capital - they raise money from their own investors, institutions such as endowments and pension funds, as well as high net worth individuals, collectively called LPs, or Limited Partners. Fundamentally, VC firms act similarly to banks: they raise money from one group, use it to invest it into another group, and then take a percentage of the returns before returning the original capital (hopefully - with profits) back to their investors. Because VC funds have a timeline of 10 years, this means that they want to see all the companies in their portfolio exit (IPO or get acquired) within a maximum of a decade. In reality, the average age of many funds today can be as much as 15 years, but the exit within ten years is still the goal.
The whole venture capital model relies on the so-called “power law” that states that a small number of investments in a VC portfolio will generate the vast majority of returns. Because most individual startup investments fail, the ones that succeed have to succeed big to both cover the losses of failed companies and provide returns. This fact motivates VCs to push their companies to grow a lot and fast with the full understanding that some companies will fail, but those that succeed, are more likely to win big.
Startups
There are many definitions of startups, and neither is the “right” one. I think that to be considered a startup, a company needs to pursue a risky idea that has less than a 50% chance to be right but if it turns out to be a correct bet, it can lead to outsized returns. There is little unknown about starting a reseller or a traditional managed service provider (MSSP) - it is risky, but there is a formula for doing it. On the other hand, there are many unknowns when one is interested in securing large language models (LLMs), hence why I would consider a founder of an LLM security company to be a startup founder.
Either way, what matters is that security startups are typically started by people looking to solve complex problems. Not all startups are backed by VCs but since all startups are commercial entities and their backers are expecting to eventually see returns, founders are highly motivated to grow their revenue and the customer base. There are several ways to grow revenue:
Selling new products and services to new customers
Selling new products and services to existing customers
Raising prices for existing customers
The latter isn’t the preferred way, but when security startups are struggling to expand their market and/or upsell their customer base with adjacent valuable offerings, they often resort to it to demonstrate at least some growth.
Since security today is predominantly an enterprise market, and enterprises allocate budgets by category, cybersecurity startup founders are highly motivated to be recognized under a specific market segment. And, because many see the advantage in being first to the market, security startups are incentivized to claim their own category.
Security vendors, big and small, are dealing with a permanent internal conflict. On one hand, cybersecurity is a field where no one company can guarantee to provide the best solutions for the different needs of different customers. This is why whether they like it or not, security vendors need to be ecosystem players - interoperable, open, and easy to plug into the customer’s tech stack. On the other hand, every company wants to retain customers and prevent churn, and one of the ways many do it is by keeping the customer in their closed ecosystem and making it nearly impossible to switch (often by keeping customer data hostage). The conflict here is inherent: a vendor will always be tempted to make the product as easy to integrate as possible while also keeping the switching costs as high as possible.
Established vendors
One would assume that large, established vendors such as Palo Alto and CrowdStrike, to name a few, are competing with security startups, therefore they are motivated to have fewer new companies started in the industry. The reality, however, is much more nuanced.
As I’ve explained before, “Cyber threats move incredibly quickly (vulnerabilities are being discovered and exploited, cyber warfare is being developed daily, and new attack surfaces emerge with the introduction of new technologies), and incumbents have a tough time keeping up. Innovating on multiple fronts simultaneously is very hard, especially because each area of security tends to require very deep, specialized expertise. When everything you do is related to Windows security, it’s hard to easily accumulate expertise in the area of Android or AI security and come up with innovations in new areas.”
To remain relevant and innovative, established vendors need startups. Mature companies know that they cannot anticipate all the directions the industry is going to go in and invest in pursuing hundreds of different probable futures. Instead, they rely on startups to do the work of identifying, placing bets, and pursuing new ideas. The large company can then focus on its core value proposition, and when it’s obvious what new opportunities are, just go ahead and buy one of the leaders in that segment.
As with any business venture, established vendors are motivated to constantly expand their market. Unlike startups that have to rely on low-cost ways to educate the public about their offerings, large corporations have a well-established marketing machine, as well as another tool in their pocket - lobbying. “Today, the government is the market maker: by legislating cybersecurity requirements, it produces the demand for new solutions. Security vendors are happy to lobby new regulations, frameworks, and compliance requirements because they help sell more products. The flow goes as follows: breaches lead to lobbying for new regulations, and this lobbying translates into legislative requirements, which in turn drive demand for cybersecurity.” - Source: The government's role in shaping the future of cybersecurity
Navigating the multitude of conflicts of interest in cybersecurity
There are a large number of parties and stakeholder groups in cybersecurity, each of whom has its own interests. This part isn’t surprising - anyone who works in security knows that the industry is complex. What isn’t often apparent is the fact that many parties play multiple roles, and therefore exist in the permanent state of conflict of interests. Here are some of the examples.
Firms that act as resellers
Security service providers, integrators, and resellers are expected to be on the side of the buyer who is paying them for their work. However, as a part of their compensation, they typically get a percentage of sales or other forms of incentives from security vendors they sell and implement. This means that while the buyer would prefer the most cost-effective option that solves their problem, the service provider, reseller, or integrator has reasons to suggest more expensive solutions.
For service providers and integrators, the reseller revenue is just one of the several income sources; for reseller firms, it is all they get. That is why this conflict of interest is especially acute for resellers. All else being equal, the reseller’s sales team looking for the shortest path to meeting the quota will always recommend a more expensive solution which results in a higher commission (this statement is highly oversimplified but not exactly untrue).
For a detailed breakdown of trends surrounding channel partners, check out: Explaining the complex world of channel partners in cybersecurity and looking at their past, present, and future.
Analyst firms
Industry analyst firms have two main sources of revenue:
Security teams looking for advice on how to implement their security program and what tools to buy, and
Security vendors paying subscriptions so that they can get access to industry analysts and pitch their solutions
Although I have full confidence that the overwhelming majority of industry analysts are people with high levels of integrity, and I know that analyst firms have a lot of rigor when it comes to producing their research, this doesn’t solve the core problem. When the same side receives money from both the vendors looking to get in front of the buyers, and the buyers in search of vendors, a conflict of interests is inevitable.
It is not a secret that few vendors who pay for Gartner, Forrester, and IDC subscriptions do so to read their research; instead, they are looking to get access to people - industry analysts - and by doing that educate them about their products. Armed with this knowledge, analysts would hopefully recommend the paying vendors over those that aren’t subscribers; not because they are being dishonest but because by then they will naturally know much more about the solutions of their paying customers with whom they spend more time.
For a detailed breakdown of trends surrounding industry analysts, check out: Gartner, Forrester and cybersecurity: a deep dive into the trends, challenges & the future of the notorious industry analyst firms.
Why the business of security is sometimes at odds with the practice of security
When we look at cybersecurity through business lenses, we see it as an asset class. For example, when investors or investment bankers evaluate a security company, they are concerned with metrics including risk, return, liquidity, time horizon, and regulations. The other way to view security is by approaching it as a professional discipline, or a field of practice. From this angle, we are immediately looking at areas such as proficiency, level of maturity, and outcomes.
I have been thinking about this topic a lot and I concluded that oftentimes, the business of security is at odds with the practice of security. Or, to put it differently, what yields good returns isn’t what makes us secure and vice versa.
Building service companies vs. product companies
Investors prefer funding product companies for a reason: they are highly scalable, they offer high margins, and subsequently - good valuations and exit multiples that can go as high as 100x or above. These characteristics make security products a great type of business and a fantastic fit for the VC model.
The same cannot be said about services. “Service providers do not fit this model: they typically see linear growth, lower valuation multiples on exits, and rarely become unicorns. The “risk-return” equation holds: services generate a steady cash flow, which makes them relatively low risk, but on the other hand - they do not scale as quickly and have low chances of becoming billion-dollar companies, making them also low-return (from the perspective of VCs that need outsized return multiples, not founders of MSSPs who can build fantastic businesses). Lastly, the VC model requires that the firm exits (liquidates its stake) the companies it invested in within five to eight years. The services model typically does not meet this expectation as IPOs are rare, and acquisitions have not been as common in recent years. The most prevalent successful outcome of building security service providers is a sustainable, steadily growing business - a result great for the founders but not VCs.” - Source: A deep look at investing in cybersecurity services for VCs: why, why not, and how to
Although the business of security demands highly scalable product companies, the practice of security often needs something else. The majority of businesses lack the talent to properly assess the company's needs, establish a custom-tailored security strategy, select and implement the most suitable tooling, and continuously improve the organization’s security coverage. Every customer’s environment is unique, and no one can tailor their offerings to account for this uniqueness as well as security service providers. Although both products and services are very much needed, one may argue that the practice of security is better served by custom-tailored and hard-to-scale service providers, not one-size-fits-all, growth-oriented products.
Maturing the existing security stack vs. replacing vendors
The business of security emphasizes the need to constantly chase the latest and greatest innovations and replace existing tools with their more innovative, “next-gen” alternatives every one to two years.
“Products aren’t magic - they need to be fine-tuned to the unique customer’s infrastructure, trained to distinguish between what is normal in this specific environment and what isn’t, connected to other components of the security stack, and adjusted to take into account exceptions and special requirements. Deploying a security solution in the organization isn’t the end of work, it is the beginning. The challenge is that too many companies lack the resources to fully implement security solutions after rolling them out.
Security vendors know well what buying cycles in the enterprise look like, so every one-and-a-half or two years (or right when a new CISO joins the company) they show up at the doorstep pitching amazing opportunities if only the company agrees to rip and replace “that old tool”. Security teams understand that every solution has its gaps, but because after one or two years they would already be rightfully fed up with the limitations of the current vendor, they often end up buying products that aren’t that much better.
The never-ending buying cycle doesn’t give security teams enough time to mature their existing tooling and get it to the point when organizations can truly start benefiting from their investment.” - Source: Tools alone won't save us but if we have tools - why don't we at least use them?
The practice of security would greatly benefit from long-term investment in the existing tools and relationships. Security teams would do well if they were to spend one to two months a year implementing new tools and the remaining ten to eleven months were allocated to areas such as inventory management and patching, writing their own detection logic, proactive threat hunting, understanding the workflows and security needs of other departments, building programs to turn everyone into security champions, and the like. Instead, many get stuck in the never-ending cycle of evaluating, trying, implementing, and replacing security tools without realizing that security is a process, not a tool or a feature.
Growing organically vs. as quickly as possible
The business of security motivates companies to grow quickly so that they can capture a large percentage of the market share and push out the competition. There are side effects of fast growth: increased marketing spending and aggressive sales practices, big promises, a lot of hiring, and at times - unplanned layoffs. Some may argue that security companies should instead grow organically and at a slow pace, something that as I have previously discussed may be very hard to do in the competitive market where buying decisions are heavily based on trust. Nonetheless, organic growth can be more aligned with the practice of security because it makes companies much less likely to overpromise, sell to customers who cannot fully benefit from the solution, and employ similar behaviors designed to get the numbers to go up at any cost.
I often hear people in the industry say that “VCs need to change because we need to fund security companies looking to grow organically”. In my view, those who make these statements don’t understand that venture capital isn’t simply what investors choose to do; it’s a model that only works as long as we rely on the “power law”. VCs need to make money for their own investors (LPs), and because most startups fail, those that don’t need to be able to bring outsized returns which means grow a lot and quickly. The VC model is what it is, and while we can’t simply change it, what we can do is recognize that it isn’t the only way to build a company. Not everyone is looking to grow as quickly as possible and exit their startup in four years; founders looking to build long-term and grow organically may find that they simply don’t need the VC capital, or can raise it from investors that employ different strategies.
There are many great examples of companies that have built great reputations in the industry for solving important problems well without taking in venture funding; Thinkst Canary, Wazuh, and Recon Infosec are some of them. Bootstrapping and growing organically can work well for service companies and those product startups that don’t need a lot of research and development (R&D). For others, this may not be the best way to compete in the global markets.
Allocating capital to create pressure to grow vs. allowing the practice to evolve organically
Within less than an hour, I was able to put together a decent summary showing that over the past decade, investors have announced $7.5 billion of venture capital dedicated to cybersecurity with ~80% of that committed since 2019. Not only this number is likely missing many data points, but it only considers cyber-focused funds and ignores generalist VCs who have been actively investing in security, especially since the start of the pandemic. Given the complexity of the security industry and the fact that “tourist” investors often struggle to make sense of the field, it is not surprising that in the recent year and a half, many VCs who do not specialize in security have started to leave the space.
Generalist VCs may or may not invest in security, after all - the choice is theirs. When it comes to funds raised to specifically fund cybersecurity companies, investors have no choice: the capital is committed, so it needs to be deployed. And, since the majority of the funds were raised between 2019 and 2022, the time to deploy capital (typically the first 3-5 years of the fund) is now. Coincidentally, given the economic conditions now is a tough time to separate could-be winners from those with fewer chances to succeed.
The presence of “dry powder” (capital that is ready to be invested) encourages the push for innovation and the creation of new startups. Although many problems remain unsolved, it’s becoming harder and harder to spot an opportunity for a billion-dollar company. Meanwhile, we see that as I’ve mentioned before, “every feature wants to be a product, every product dreams to be a platform, and every platform hopes to become a company”. A large percentage of products are solutions looking for problems.
There lies a dilemma: a good chunk of startups that got funded aren’t solving real problems and struggling to justify their existence, let alone raise the next round of funding. VCs are waiting for big bets and entrepreneurs looking to tackle real issues customers are willing to pay to solve, and there may not be enough of these. At some point, these realities will have to come together, and it remains to be seen how the market will respond. Will there be a push for more innovation? Will we funnel money into founders who have little idea how to apply their amazing technologies to the real world? Or, will we get a new wave of promising companies tackling big problem areas? That is to be determined.
Closing thoughts
The fact that security offerings provide good returns as a business means that more investors are willing to bet their capital, and subsequently more startup founders are able to assemble teams to tackle complex problems and advance the state of practice. This creates a self-reinforcing loop between the business and the practice of cybersecurity.
Although most of the time the two approaches successfully coexist and benefit one another, there are indeed cases where the business of security is at odds with the practice of security. Some conflicts are inherent: for example, we have a large number of security startups today, but it is hard to tell how many of them are actually helping to advance cybersecurity as a practice, and how many are looking for quick exits.
For us to mitigate the magnitude and impact of these conflicts, we need to make sure that relevant parties understand the business side of cybersecurity - who the different players are, what trends are affecting them, and how they are all connected into one web called the cybersecurity industry. I am proud that Venture in Security is making a small contribution to this titanic task.