The next wave of cybersecurity

We’ve entered a new era where criminals, corporations and even state-sponsored actors pose serious cyber threats to US companies and individuals. LinkedIn, Sony and Yahoo have all been very publically hacked in recent years. (The hack of Yahoo’s website alone compromised over 3 billion accounts.) And even the US presidential election wasn’t immune to cyber security holes. The implications of security threats in the enterprise are large and serious. This post seeks to discuss where cybersecurity is now and where it’s headed.

Cybersecurity in an age of Big Data and IoT

As IoT becomes more established and Big Data proliferates into more of the enterprise, concerns over cybersecurity aren’t going to diminish anytime soon. We haven’t even solved the comparatively simple problem of server and laptop security — and IoT is about to change the playing field completely.

An unprecedented number of connected devices will do two things:

• Increase the attack surface where malicious people can get into your network to an unprecedented size.
• Allow all connected devices to be appropriated as digital arms that can be used in attacks like DDOS.

“A key area that needs to be addressed with the proliferation of IOT is the security side…which essentially is a very large and distributed attack surface on an unprecedented scale. We’ve seen this recently with some attacks where very mundane household electronic items were used in distributed denial-of-service (DDoS). This type of attack awakens us to the fact that all of these digital devices need to be secured, need to be hardened.” — Craig Hanson, 1to100 Conference, 2017

But security challenges don’t end there. I was talking with the CISO of a large auto manufacturer during one of our Global Enterprise Platform events and he pointed out that you can’t use the same type of detection and remediation measures that you use for your PC in an application like a car. Security for a car in a mission-critical use case has to be able to respond in nearly instantaneous real time. When you’ve got the ability for cars themselves to be digitally connected with other cars and (potentially) autonomous vehicles, security has to be hardened and localized to an entirely different level.

The state of cybersecurity

Currently there are a lot of point products which don’t work well for large enterprises. Most of these products still operate on the legacy way of doing security: white/black listing of potential threats. The past couple years have seen an explosion in the number of security companies founded to solve this problem. But too many of them are using incremental approaches.

We believe that the market is too noisy now, and we’re going to see another surge in companies and software built to mitigate the new evolutions of security threats. But the field will narrow quickly in coming years. It wouldn’t be hard to imagine that 80 percent of early-stage security companies will die as the market eventually concentrates on a handful of the best approaches with the widest coverage, rather than employing twenty different security solutions in their enterprise. Those that will survive will be fully integrated into the breadth of the IT architecture, be truly enterprise-ready, and offer more air-tight security paradigms.

The future of cybersecurity

A revolutionary approach to security is going to be required in order to compete in this new age.

1. Security solutions will need to be able to cover a greatly expanding attack surface. The proliferation of connected but unsecured devices in the enterprise creates a new landscape of vulnerability, and the rise of various cloud platforms means that security solutions need to gain visibility and actionability beyond the enterprise’s perimeter.
2. SaaS companies will need to harden their cloud security structure to guard against the increased sophistication of malicious attacks and hacking attempts. The expectation of standard security among CIOs, CTOs, CISOs and others purchasing enterprise cloud products has elevated as the stakes of losing customer data or sensitive information have risen. Enterprise technology buyers among the 100+ global corporate customers we work with at NextWorld Capital are already asking much tougher, deeper questions on security posture during the vendor selection process.
3. Traditional security approaches such as white/black list determinations and alert storms sent to an overloaded SOC team are already breaking under the strain of more concerted attacks and sophisticated criminal theft. Entirely new approaches and capabilities will be required, in some cases beginning with a presumption of malicious intent and structurally capping the ability for software to attack. Fortunately, the last couple years has seen a tremendous number of new cybersecurity startups exploring new approaches: for instance, to encapsulate threats, better enable users to avoid giving attacks an entrance, or to use artificial intelligence capabilities to keep pace with complex programmatically-dynamic attack and hacking software. This openness by Fortune 500 enterprises to try entirely new approaches that innovative startups offer, driven by a necessity to go beyond the capabilities of legacy vendors, is creating a lot of noise in the market now, but will ultimately winnow the field and select the next generation of leading security companies.

*DISCLAIMER: The portfolio companies identified and described herein do not represent all of the portfolio companies purchased, sold or recommended for funds advised by NextWorld Capital. Certain portfolio companies may be kept confidential for various reasons, including contractual or subject to a non-disclosure agreement. The reader should not assume that an investment in the portfolio companies identified was or will be profitable.

Not all acquisitions or IPOs are profitable; the positions can be acquired at a price that is greater or less than the price at which NextWorld Capital purchased its interest for client accounts. The information is being shown to reflect the firm’s ability to select investments and not to reflect any positive investment experience.