Not everything is about technology: 9 of the many sources of cybersecurity innovation
There are more ways to innovate cybersecurity than building “new cool tech”; this article highlights some of them.
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Many years ago at some tech conference, I heard a phrase: “innovation is not about novelty, but all about value creation”. While I didn’t fully understand what it meant, it stuck with me, and years later, I think I can finally internalize its depth.
Cybersecurity innovation is a commonly discussed topic. Most everyone in the field understands that threat actors are working day and night to break into our networks, so to defend our data and critical infrastructure we have to put in as much effort in the development of defensive capabilities. However, when I read about innovation in security, I feel like the only way to innovate we know about is by building “new cool tech”. To broaden the horizon, expand the view of what innovation is, and help cybersecurity founders trying to brainstorm the next big thing, I wrote this article.
Sources of cybersecurity innovation
New customer needs
Innovation centered around new customer needs is what we think about when we hear the word “innovation”. In cybersecurity, two sources shape customer needs:
Invention of new technologies which, in turn, creates new attack vectors, and
Discovery of new types of vulnerabilities in existing and widely adopted technologies.
As I explained before, “Security has always been a reactive discipline responding to each new technique by attackers. Internet security became a thing after someone started to interfere with the network. IoT security became a thing after someone started to break into IoT devices. The list can go on and on, but fundamentally the cycle repeats itself with the introduction of new technologies: there is a tech revolution, then a new solution is widely adopted, then it turns into an attack vector, and cybersecurity comes into play to prevent cyber attacks. There is commonly a few-year gap between the growth of new technology and the rise of security solutions that protect it; most recently this has been the case for areas such as API security, cloud security, and container security. As cybersecurity follows new technologies, it means that to anticipate new tech, we need to look at what new technologies are emerging that will need to be secured.” - Source: Investing in cybersecurity: a deep look at the challenges, opportunities, and tools for cyber-focused VCs
New technological capabilities
The advances in technology are another source of innovation easily understandable by technical people. The lowering cost of data storage has led to the growth of the number of solutions offering security information and event management. The rise of the cloud made it possible for security startups to build infinitely scalable software and cut the amount of resources required to bring products to market dramatically.
As we move into the future, new technological capabilities will enable new use cases and innovations in cybersecurity while also creating a need to secure these capabilities themselves (back to the previous point).
New go-to-market strategies
Coming up with new ways to acquire customers allows startups to innovate based on their go-to-market strategy. There are multiple layers to this, including:
Targeting new personas. This strategy is possible when the startup has a solid value proposition to capture & hold the attention of the new buyer. For example, if a company offers a way to dramatically cut costs, it can try getting a foot in by reaching out to finance teams, communicating the importance of drastic cost savings, and providing them with enablement information they can pass to the security leadership.
Top-down vs bottom-up. With the rise of product-led growth, many companies in cybersecurity are looking for ways to capture the attention of end users and have them recommend the product as a solution to the company’s problems.
I have written extensively about product-led growth in cybersecurity, including why it is a viable strategy, and what companies are doing it.
To develop a solid go-to-market strategy, the startup needs to look for ways to learn, experiment, and develop a deep understanding of the market. Deep means going beyond the surface of “we are a product for MSSPs” as there are many different kinds of managed security service providers (MSSPs); the same applies to any other customer group.
Cybersecurity is interesting in that it’s a relatively new discipline and new technologies have been shaping areas of responsibility that do not yet have clear owners. For example, data/ML security seems to be at a crossroads between data science and cybersecurity. The same is true for code/API security which appears to blur the lines between engineering and security teams. The absence of clarity can lead to confusion but it can also present opportunities for startups to experiment with selling to different personas.
Another example of thinking differently is Cysurance - a startup that lets service providers sell cyber insurance without getting licensed. While historically, cyber insurance was sold via brokers, by tapping into an established distribution channel Cysurance was able to create a new way of accessing a well-known product.
Addressing niche needs
Going niche is a very common strategy in and outside of cybersecurity. Startups pursuing this strategy are looking for ways to provide solutions tailored to specific types of users and/or market segments that are either underserved or have unique requirements which cannot be fully satisfied by more general solutions.
Founders can look for niche use cases driven by unique customer needs. For example, while consumers as a whole don’t worry about cybersecurity and are not generally willing to spend on it, some groups like investigative journalists, sex workers, and porn actors very much do and are. Targeting niche use cases does not mean building a product for a very narrow audience like sex workers. If there is a strong belief that in the next 5 years all consumers will be worried about their security, then starting by working with people who care about it today can get the company ahead of the game with a product and an established brand ready for expansion.
A less esoteric example of going niche is products targeting managed service providers (MSPs), such as KeeperMSP, a cybersecurity and password management platform for preventing password-related data breaches and cyber threats designed for MSPs. Instead of building yet another generic password manager, they are clear that their offering is for managed service providers.
Addressing niche needs is especially common in the highly commoditized security services space. In an attempt to differentiate, we see security service providers that specialize in different industries (i.e., healthcare or fintech), geographies (i.e., LA or Canada), customer types (i.e., SMBs and startups), and similar.
Going up and down market
The nature of innovation is such that companies commonly start by targeting and building for smaller, more flexible, and more forgiving customers such as startups and SMBs. Then, when the opportunity in this space is exhausted and the company would have improved its product offerings, it starts to push toward the enterprises (up-market). If successful, then almost inevitably it starts optimizing the product for more advanced use cases, prioritizing the needs of large customers willing to pay a lot of money. SMBs will start to feel like the product is getting more expensive and hard to use, and support is worsening. This creates an opportunity for a new player to come in, and offer a better, simpler, and cheaper product - kicking off a new cycle.
Historically, startups and SMBs did not worry about security thinking that they are “small guys with nothing that can attract attackers”. That has started to change in recent years with the rise in ransomware, data breaches, and subsequently - ever-increasing insurance premiums. These changes are leading to the growth of the SMB market, and we see more and more cybersecurity companies trying to tap into that market - startups like 1Fort, Blumira, and Cyvatar, as well as service providers such as Nano Cyber Solutions.
A strong argument about innovation not being about novelty is the fact that what 1Fort is doing for SMBs, has already been done for large firms by Coalition; it’s the different market 1Fort targets that make them new in that particular segment.
Catering to different sophistication levels
In many ways, catering to different sophistication levels is a part of the previous two points about niche markets and moving up/down markets. The reason I want to call this out separately is that it’s important to further emphasize that market segments are not homogeneous.
Different types of users and different types of companies commonly have different levels of sophistication. Some security products in the same market segment could be tailored to the needs of mature security teams looking for high degrees of flexibility and control, while others can be tailored to less sophisticated users looking for turnkey products.
Designing new business models
Tines and Torq are both great security orchestration, automation, and response platforms that help security teams eliminate the number of manual tasks. At their core, these platforms add value by making it easy for security teams to connect different products, send data between them, and automate manual tasks. While their go-to-market strategies are slightly different, at their core both Tines & Torq function in a similar way: they hired engineering teams and raised venture capital to build integrations with a broad variety of security tools in-house.
Shuffle is an open source platform that solves a very similar problem but it does it differently. Instead of building all integrations in-house, Shuffle founder “wanted to enable others to make money, but not through the traditional reseller model. In the end, he came up with a creative revenue share model: instead of raising money, hiring the team, and building all the “connectors” and “workflows” for different security tools, he built an incentive structure where users can develop their own workflows and get paid when others use them. Shuffle revenue-share model is similar to that of YouTube - you can see what people are interested in, build for that, and get paid when somebody uses it.” - Source: Open source in cybersecurity: a deep dive
Shuffle is a great example of the business model innovation where the product solves a known problem and does it in an entirely different way. Another company worth looking at is Coalition.
Historically, cyber insurance and cybersecurity protection have always been two distinct products sold by different parties and priced separately. Coalition combined them both into one offering. “With the online platform offered by Coalition, licensed insurance brokers can generate an insurance quote in minutes. Access to the proprietary cybersecurity tools and services that are designed to detect, mitigate, and contain threats is provided to the customers for free. In this model, a customer gets both protection & remediation from one vendor at the cost of cyber insurance.” - Source: Cyber insurance: state of the space, trends & the emergence of fully-integrated cyber solutions
In my opinion, the best tool for brainstorming and designing innovative business models is the Business Model Generation by Alexander Osterwalder. It provides entrepreneurs with a framework to think from the first principles - to break down the value chain into its building blocks, to see how they all fit together, and to ideate ways to do things differently.
Creating new pricing models
The new pricing model is similar to the new business model in that it changes the way people pay for the product. While new business models almost always require a new pricing structure, a new pricing model does not need to lead to a complete change of the business model.
An example in cybersecurity would be usage-based billing for endpoint detection & response (LimaCharlie), or how open source tools charge for scale (Shuffle) or cloud-hosted version (Wazuh).
Continuous bundling and unbundling
Jim Barksdale, ex-CEO of Netscape famously said that “There are only two ways to make money in business: bundling and unbundling”. It’s important to understand the significance of this insight. I highly recommend this HBR article for a deeper discussion on the topic; a brief overview of what bundling and unbundling look like is provided below.
Bundling, as it may already be obvious, is about taking several small parts and selling them together as a bundle. Think Netflix: you are paying $X per month which gives you access to thousands of movies. In security, bundling is similarly a way to offer a set of capabilities (commonly something like extended detection and response and security orchestration and automation) as a set, sold and priced together. Unbundling, on the other hand, is the opposite, when instead of selling something as a set, it is presented separately (think renting movies at a dollar or two per movie instead of paying for a monthly subscription).
Closing Thoughts
The most important message of this brief piece is that cybersecurity innovation extends far beyond the technology itself. There is a broad range of questions, and the answers to each can produce new business ideas: who the company is selling to, how they reach these people, how their business works, how their pricing works, whether they solve one use case fully or bring many capabilities as primitives into one place, what problems their products are solving, and many others. The advantage achieved by innovating one separate component can be short-lived, but combining a few of them can lead to a long-lasting competitive advantage.
The list of what is possible can be almost limitless; what is important is that a startup has a wedge - a unique angle it is approaching the problem, the solution, and/or the market. Without this wedge, it can get lost in the sea of “me too” vendors trying to solve the same problem in the same way and pitching it as yet another “next-gen solution”.