5 Entrepreneurial Opportunities in Cyber Security Today
By Vincenzo Iozzo
GDPR entered into full force a couple of weeks ago and marked the beginning of a new era for cyber security where the threat of fines and regulation applies to all. While the cyber security market is expected to grow at a compounding rate of over 8% YoY, the industry is full of CISOs and practitioners who are deeply dissatisfied with the product offerings available today and are currently advocating for in-house solutions.
Prompted by a question on Twitter, Thomas Ptacek, founder of Latacora, compiled a list of essential tools to bootstrap the security program of a medium-size enterprise or startup business.
A notable omission in these lists is email security as email is a central pathway for both sensitive information and also data breaches which can’t be overlooked.
Starting a company that tackles one of the problems listed above is a potential path to success, although competition in those areas is extremely fierce (from both incumbents and software vendors/infrastructure providers) hence startups will have a hard time breaking through. As both an investor and operator in the field, I’ve been thinking a lot about how the industry is changing and what new opportunities lie ahead. I believe there are five trends worth exploring:
1. Quantifying Risk and Addressing The “Market for Lemons” Problem
2. The Analysis, Access and Curation of Data
3. Entrepreneurs Looking for Opportunity at the Intersection of Cybersecurity & Crypto
4. The Continuous Education Problem
5. Entrepreneurs Taming Complexity by Simplifying The Technology Stack
1. Quantifying Risk and Addressing The “Market for Lemons” Problem
Cyber security risk is very difficult to assess and quantify.
As a result, both insurance companies and IT executives tasked with budget allocation deploy overly simplistic models. Properly quantifying risk will allow better pricing of insurance products and better allocation of IT budgets to areas that require the most focus. This will change the security landscape dramatically.
While a number of companies are focusing on various versions of automated pen-tests and reputation systems, none of them seem to match the reality of cyber risk. For example, nearly all companies addressing these issues do not account for the topology of the company network and how the breach of a node will spread to the rest of the network.
The interconnectedness of IT infrastructures makes risk quantification extremely challenging due to the inability for companies to properly segment and isolate the risk. In actuarial terms, the tight interconnections of IT systems and the shared use of software makes risk accumulation and correlation hard to understand.
While assessing risk in a statistically rigorous manner is still a pipedream for the time being, an important first step for an entrepreneur would be to provide an inventory of all company assets down to the software stack coupled with a view of third party dependencies (both at a business, network and software layer) in a frictionless way.
2. The Analysis, Access and Curation of Data
In the past 10 years data has been perceived as a treasure trove, but GDPR shows how it can also become a liability. Further, Moore’s (and Kryder’s) law allowed a hoarding approach to data that will soon no longer be tenable as the pace of computing and storage growth slows down. Companies will thus need to limit the data they collect, protect the data they keep and analyze the data without leaking confidential information while using comparatively less resources.
The cyber security industry has not solved the problem of doing the above in a secure, practical and scalable fashion. Homomorphic encryption, multi party computation and a number of other technologies might offer a solution for performing outsourced computation on proprietary data but no company has successfully productized this tech yet.
An entrepreneur addressing this market should address two important issues: usability and scalability. The former to allow integration without disrupting current engineering or IT practices and the latter to prove that the solution can work on large datasets.
3. Entrepreneurs Looking for Opportunity at the Intersection of Cybersecurity & Crypto
In the book “Creativity”, author, Mihaly Csikszentmihalyi states that in order to change a field you cannot be a complete outsider. Instead, you need to be adjacent to the field. There are a number of lessons that cyber security professionals have learned over the years that are applicable to cryptocurrencies, including application security which serves as a primary example. At the same time, cryptocurrencies have developed a lot of knowledge on data consistency and integrity at scale that is not widely understood or adopted in cyber security and could be helpful in the field.
Companies that bring the lessons from one sector like cryptocurrencies to the other (cybersecurity) are likely to pave the way in two enormous markets. These are certainly the types of companies I want to fund.
4. Entrepreneurs Tackling The Continuous Education Problem
Google autocompletes “cyber security talent” with “gap” and “shortage” and arguably the whole tech sector has a chronic need to keep up with new technology and tools. Frameworks to create deep learning systems and containers are just two examples of the ferocious pace of both industry innovation and adoption.
Solving the “continuous education” and screening problem for cyber security, and later on for the rest of the tech sector, is an enormous opportunity. It could represent the next logical step for platforms like LinkedIn, where each employee could demonstrate their skills and achievements through hands-on trainings.
Ultimately how we measure and display knowledge, competency and ability moving forward will be increasingly important given the pace of change in the sector and the expansion of automation.
Entrepreneurs who can combine something measurable (similar to “Capture The Flag” or Kaggle-like competitions) with a scalable way to re-train the workforce are attacking an enormous opportunity.
5. Entrepreneurs Taming Complexity by Simplifying The Technology Stack
Empirically, security issues are often a result of untenable levels of complexity and the most effective security solutions tend to simplify or isolate that complexity. Examples of this range from sandbox technologies used in modern software to single purpose hardware solutions (eg: wallets for bitcoin).
Multiple security-sensitive areas of IT could be re-engineered and simplified. Identity management is ripe for simplification. PKI infrastructures are another example of an area worth addressing.
Some of these areas are hard to tackle for entrepreneurs because they require profound changes to the IT structure of a company but other areas are easier to venture in.
For example, a product that creates, harmonizes and simplifies access control policies across existing company assets. Zerkova is doing this for AWS policies.
Looking Forward
I believe the five areas above are ripe for innovation and relatively unencumbered by big companies, hence becoming perfect targets for startups.
Looking further out into the future, the recent Cambridge Analytica debacle as well as the rise of AI/ML pose new questions for cyber security writ large. The industry will soon face the issue of information integrity and accuracy as well as verification of probabilistic behavior. It is not clear how these areas will evolve and hence how the cyber security aspect can be monetized but they are certainly technologies and concerns on the horizon.
Finally, it is important to remember that cybersecurity lives in an almost perennial “two speed” state. The problems faced by the leaders/role models in the field are often very different from the ones that the bulk of companies experience. Most successful organizations in the industry have a clear strategy to cover both ends of the spectrum. As an investor, and Network Leader at Village Global, I am looking for startups who are exploring these white spaces.
If you’re an early-stage entrepreneur working on something new, you can inform Village by submitting this form:
This piece was written by Vincenzo Iozzo. Vincenzo is a Village Global Network Leader and Senior Director at CrowdStrike Inc. Prior to this, he was the CEO and Co-Founder of IperLane, Inc. Vincenzo is also an Associate Researcher at MIT Media and is a co-author of the “iOS Hacker’s Handbook” (Wiley, 2012). Vincenzo also co-authored the winning attacks against Firefox, iOS and BlackberryOS at Pwn2Own from 2010 to 2012.