[Editor’s note: This is an Op-Ed piece by David Cowan, a managing partner of Bessemer Venture Partners. He blogs at WhoHasTimeForThis.blogspot.com.]

In 2006, investment in U.S. security startups plummeted more than 50 percent (Venture Source), even as overall venture investing expanded 12 percent.

It’s no secret that too many startups are chasing the ever more elusive enterprise IT security budget, and so investors are pulling back. And while hackers have shifted their sights to the juicier consumer segment — selling personal information to ID thieves and renting bots to spammers — IT departments have resolved that their checklist of must-have security products is long enough. They no longer crave super-duper startup technology, turning instead to the large vendors (Symantec, McAfee, Cisco…) for integration, vendor viability, and security that’s, well, good enough. A few pioneers like Arcsight and Tripwire have reached critical mass in the large enterprise market, but the majority of security startups today struggle to sustain field sales reps with less than a million dollars a month in sales. Now that the VCs have turned off the fuel tap, these babies just won’t make it off the runway.

So why did my partners at Bessemer just last month let me cut the biggest check of my career ($24 million) in another business IT security company called Perimeter?

According to surveys conducted by the Computer Security Institute (CSI), employees of large corporations naturally enjoy far more extensive levels of information security than in businesses with fewer than 1,000 employees. Not only are the corporate PCs more rigorously updated with anti-spyware signatures, but IT locks them down inside a fortress of intrusion prevention systems, application firewalls, policy compliance agents, encrypted SANs, vulnerability scanners, VPNs, etc. Obviously, it takes a large IT shop to assess, integrate, deploy and manage that kind of infrastructure–the kind you don’t find in a 200-person medical clinic.

And yet small and medium-sized businesses (SMBs) own the majority of business PCs, inviting computer parasites that thrive in vulnerable hosts, armed with admin privileges! Doesn’t it bother the SMB owners that they spoil internet hygiene for everyone?

Perhaps not, but contrary to what many believe, SMBs understand full well that they face the same risks and regulations as large corporations. In fact, the CSI survey included a surprising result: even though small businesses lack the IT resources to deploy most security technologies, they spend as much as 8 times what the Fortune 5000 spend for security per capita! I suppose it’s because their product choices are limited by their VARs, and each invoice they pay represents a tiny fraction of the vendor’s revenue, so SMBs enjoy no pricing leverage at all. Furthermore, the “scalable” appliances they buy (designed for 10,000 Citibank employees) don’t amortize well over a law firm’s 300 PCs.


This unmet market need represents an enormous opportunity for the new generation of security companies developing on-demand solutions, or Software-as-a-Service (SaaS). Instead of having to deploy their own servers and infrastructure, SMBs can now subscribe to security solutions priced by the drink (so we can buy a quart of milk instead of the cow).

The SaaS vendors, meanwhile, can replace their field reps with web and telephone sales, so now they can afford to sell to smaller accounts.

Indeed, the first generation of security SaaS has fared remarkably well, and I’ve been fortunate to participate as an investor: Verisign’s SSL business trounced Entrust, and Postini (now Google, as of yesterday) thrived in the densely crowded spam filter market. Qualys leads the market for vulnerability assessment, and Cyota quickly dominated the banking security sector (before RSA bought it). Counterpane pioneered security monitoring, but performed only moderately well because we focused on high end security instead of easy and affordable deployment. Meanwhile, several security SaaS winners I didn’t fund, like Websense and Riptech, now populate my anti-portfolio of lost opportunities.

Unfortunately, I don’t think we’ll see too many more winners, because consolidation will come and go faster this time around. Even more than large corporations, SMBs will gravitate toward suites, rather than hire IT resources to buy subscriptions and manage portals from multiple vendors (Who Has Time For This?). They won’t be easily sold on whiz-bang novelty.

That’s why the vendor(s) who can integrate security services from soup to nuts will ultimately dominate the SMB security market. The winner(s) will pay once to acquire a customer but sell multiple services, pushing down sales costs as well as prices. Meanwhile, the incumbents (Symantec, Cisco…) are stuck in the licensed software world, and they can’t patiently invest in building recurring revenue streams when Wall Street values them at normal software multiples. So the field is open for new entrants to integrate on-demand services for SMBs who want a single portal to manage their security.

Of course, no single company can develop a winning product in every category, and so the winner(s) will have to grow through acquisition, following in Symantec’s footsteps. That’s what my most recent bet, Perimeter, is trying to do.

Whether or not my investment pays off, SaaS promises a major disruption for the industry and its investors. Starting new companies to develop more and more advanced technology will never solve the security problems of our local accountants, banks and realtors. The internet remains woefully insecure–not because our technology is insufficiently advanced, but because it’s insufficiently deployed.
