MOUNTAIN VIEW, Calif. — After this year’s many cyberattacks on both companies and governments, there’s a huge need for new thinking to fight cyberterror. So lots of venture capital money is flowing into the security space, and has been for some time now.
Perhaps the main shift in thinking is that cyberattacks are going to occur, full stop.
“People are realizing that they can’t stop security breaches, where they used to think they could,” said KPCB’s Ted Schlein, speaking during a venture capitalists panel at the IT Security Entrepreneurs Forum (ITSEF).
The security industry and its enterprise customers are still thinking about prevention, but they’re also thinking a lot more about things like containment and risk management.
“People are trying to figure out ways of protecting the end points, and that ranges from just not putting things there, to making it so that what gets taken from there is irrelevant,” Schlein said.
Several panelists believe the right security solution is a combination of people power and machine power.
“I think the new breed of security and intelligent response is going to be machine learning,” Menlo Ventures managing director Mark Siegel said. Siegel said humans alone can’t possibly handle the complexity of constant threat management.
“We’ll use machines for doing things like detecting attacks, sorting out false positives, fixing problems,” Siegel says.
Another change is that security concerns have risen far higher up on the enterprise’s priority list.
“Corporations no longer look at this as the CSO’s (chief security officer’s) problem, it’s the board’s problem now,” Alsop Louie partner Gilman Louie said.
“Everything changed with the Target CEO, where all of a sudden the CEO’s job is on the line,” he added. Target CEO Gregg Steinhafel famously was fired for allowing a major security breach to happen on his watch.
One of the biggest themes heard during the panel was the idea that security systems can’t be just bolted on to the systems they’re supposed to protect.
“We used to just develop stuff and throw it over the wall for the operations guys to secure,” KPCB’s Schlein said. “And in a sense we still do that.”
The alternative is building products from the ground up with security in mind. “The thought is that every line of code should go through some sort of automated security audit, and that’s required, and if you don’t do that, you’re fired,” Schlein said.
Louie suggests that developers be required to have their code examined for security compliance — something like a UL certification for software products.
As threats grow and security approaches evolve, more money keeps flowing into the space.
Menlo Ventures’ Siegel said the security space remains very fragmented, with lots of small companies doing very specific things in security.
“But there’s so much money flowing into the space that niche companies can afford to stay independent,” Siegel says.
One of the venture capital firms represented here, Ten Eleven Ventures, invests in security companies exclusively.
“Security is a very narrow domain expertise field and everybody in the industry knows it,” says Ten Eleven’s founder Alex Doll.
Doll points out that the space has produced some very big exits already. Palo Alto Networks and FireEye have both gone public. Both companies, Doll points out, were valued at nearly $10 billion at one time, and are climbing toward that mark once again.
Meanwhile the balance of brain and technology power between the good guys and the bad guys continues to ratchet up. It’s an arms race.
“The good guys and the bad guys have an equal number of people, equal amount of money,” Louie said. “The bad news is we are going to live in a much more insecure world,” he said, “and venture capitalists are going to make a lot more money.”