Just about a year ago, I started thinking about the last big thing in security. This industry has reached a stage where disruptive technologies have virtually hit the glass ceiling. The market has violently regurgitated every attempt to shove myopic product solutions down its throat. While industry old-timers sulk at it, I believe it’s a justifiable act. However, there are still a few acid-tripped security startups aiming to sell pure-play product solutions which only solve a part of the problem. I think their belief lies in the fact that there are still a few paranoid clients and pseudo-geek CISOs, who will buy their FUD-mongering and save themselves from the impending security doomsday. I think they are badly mistaken.
On a calmer note, customers have realized their mistakes and are suffering from existential angst. They understand the current threat landscape, the actual security risks looming over their business – they see the bigger picture and they know what they want. What customers don’t want are solutions which fragment the security problem into minuscule, mind-numbing, schizoid entities like botnet mitigation, security incident and event management, change control, client-side security, intrusion prevention, virtualization security, spam protection, endpoint protection, network behavioral analysis, identity management, fraud prevention, threat intelligence, compliance management, yada yada yada. Customers have failed to quantify any tangible RoI on such expenditures, they have had a hard time managing the gamut of deployments over their networks, and above all – they don’t have any god-damn clue on how to glean actionable information out of these products. They have stopped being carried away by this cryptic industry. So consolidation was a very obvious Darwinian step.
Mind you, the consolidation is happening in two ways. One, the established bigger security vendors are acquiring smaller companies and creating wholesome, turnkey solution offerings which cover everything under the security umbrella (Symantec, McAfee, Cisco). Secondly, enterprise software and solution providers, which are generally exposed to maximum risk, are integrating these security technologies right into their very frameworks (EMC, Google, HP, IBM, Microsoft, Oracle, SAP, VMware). Thirdly, the coming innovation will be in the solution offerings and not in the underlying technologies. Fourthly, the security outsourcing industry is lagging by around 5 years.
So now comes the million-dollar question. What about grassroots entrepreneurs and Schumpeterian innovators? I think there are some opportunities on the horizon. The opportunities lie in re-innovating product technologies which failed just due to their higher operational costs and lack of business clarity. A quote from my last post which will help in elucidating this point:
…enterprise security expenditures became more and more justifiable in business terms due to regulatory compliance, cyber-crimes becoming a grim reality and the changing threat landscape. So now, security was not some obscure handy-work limited to network administrators; its need had trickled down towards the pin-striped pants of the management.
Opportunities also lie in security solutions which can leverage the cost arbitrage. With the ongoing consolidation, security solutions have become more and more service-centric, and productized services are the way to go. When it comes to services, we can definitely exploit the well-proven Indian offshoring model. The case in point being that although the bigger security players are merrily striving to provide wholesome solutions, integration of such diverse acquired technologies leads to a lot of quality loss, thus raising the cost of the service offering.
Let me take a few ideas very specifically. A few months ago when I read this seminal article by David Cowan, my immediate thought was, “Why not try outsourcing+SaaS!!?”. An excerpt from my brief commentary:
Absolutely credible and intuitive assessment of the consolidated and de-productized information security market by David Cowan of Bessemer Venture Partners. David has hit the bullseye here, beautifully explaining the current and underlying bottlenecks ailing the business of information security. Personally, I feel this is a brilliant take on the future of the IT security industry. People have already shunned the idea of another killer security product and information security outsourcing (infrastructure management/MSS – whatever) is going nowhere.
Now, imagine the proven Indian offshoring model combined with SaaS! Companies like Wipro, which has a well-established security consulting services arm, have this whole market for the taking if they can streamline their messy operations. However, this is a tough bet for grassroots entrepreneurs as it requires an elaborate operational setup and infrastructure.
And just a few weeks ago, when I read the Challenge to Indian Entrepreneurs posted by Sramana Mitra (written in Feb’07), I became more and more certain.
In the recently concluded Philippe Courtot interview series, we discussed at length the various ways in which India and China could undercut US companies, and Philippe acknowledged that in his business (Qualys is an outsourced managed security service provider, a SaaS play), it is quite possible that an Indian company could come up with a vastly lower cost structure, and customers would switch immediately, if they are convinced about the reliability of the service.
Just to set the economics in perspective, Qualys has invested $65 Million to build an infrastructure that “is at the scale of the planet” to monitor, audit and report network security problems.
Let me throw a challenge in the direction of the Indian entrepreneurs: Go figure out how to build this same business for $30 Million, and I can tell you, you will have an absolute winner in your hands.
There hasn’t been a better time to disrupt the current dystopian order. In fact, a few Indian companies like iViz and Aujas (both backed by IDG Ventures) are trying something similar to Qualys. But they have a long way to go. Their product technologies are in a nascent stage, they are trying to re-invent the wheel in solving most of the problems, they lack the technological maturity needed to understand the services model, they don’t have solid sales and marketing channels, and above all, they don’t have the kind of Übermensch team which is needed to pull this off. There are only a handful of people in India who have worked on such intrinsic areas as security product management, so talent is very scarce. I think there is a timeline of about 1.5-3 years – until the bigger consolidated players fix the rough edges of their offerings – where such startups can still think to leverage this big opportunity.
Okay, one more idea for the taking. I think service-provider/tier-1/backbone security is one market which is still in the experimental phase. There are some great opportunities lying there. Indian companies like Guavus and others like PacketAnalytics are working on it.
Then, opportunities also lie in capturing the contemporary security services market by transforming them into the fashionable on-demand model combined with offshoring. Example being – Veracode for application security.
That day is not far-off when some Indian entrepreneur will make Sramana and SaaSu-Maa jump with joy. Whad’ya say? 🙂
The topic is too much debated and weather-beaten. Hardly the case for a startup opportunity.
IT security industry is experiencing falling demand with the onset of monstrous, secure data centers of Google and Microsoft enabling powerful distributed computing. Data Center economics is advancing the trend towards co-location and virtualization models increasingly adopted by SMB segments. The data center integration and distribution software has its own built-in security stack that is constantly upgraded by competent in-house resources. It’s a keep-the-lights-on activity for them since hackers outthink and outnumber fixers by a wide margin, any day. So for a large data center to consider buying out a security vendor, the technology has to be niche and disruptive with a large user base. A very rare and difficult prospect at low bootstrapped budgets. The opportunity if at all is more at an enterprise grid level than at a startup innovation level, with huge Capex needs.
SMB is comfortable with leaving IT security to the SaaS vendor level so long as it meets their basic check box compliance standards. A few stray incidents of violation are acceptable to customers as their severity is dented by excellent data backup services offered by the vendors at no extra cost. They only have to worry about downtime or processing speeds, but so far there have been no major blackouts.
As I see more and more IT security spend shifting from many an SMB Capex to that of SaaS vendors, shrinkage in capital budgets goes to boost SMB margins. The corresponding addition to SaaS price-per-drink revenue item in the SMB budget has been minimal and they are in no hurry to change that status. Lots of companies would like it with that reliability, scalability and predictable cost. They have no reason to, so long as IT security is available to them as an always-on dial tone.
I couldn’t resist my temptation to comment on the author’s writing style rather than on the content itself.
What’s up with the fascination for those adjectives??? (Dostoyevskian, dystopian etc. etc.) I felt like I’m reading a novel.
Anyway, it was funny 🙂
Who said it needs $30M? In my opinion it can be built at a fraction of this cost. And of course you need a few evangelists in the US.
Oops, there is a typo in the foll. sentence from the above post.
“Another company which was based in Atlanta and which I had started about the same time as I had, was bought by Ncircle recently for an undisclosed sum.”
Read the above as:
Another company which was based in Atlanta and which had started about the same time as I had, was bought by Ncircle recently for an undisclosed sum.
regards,
Samir
Build the same thing as Qualys in 30 Mil dollars in India? Who is going to fund this???? 30 Mil is no small money.
I worked on a security product in 2002. I had something above and over what Qualys had in a way. I was using Nessus, an open source tool, so I was not exactly doing what Qualys is doing, but I had a real-time element to it; that was the real add-on I had. Thus, I had a real-time vulnerability assessment product; Qualys with a real-time feature. I built the prototype, filed for a patent. I took off on a 3 month trip to the US trying to get investors and potential customers. I got none. I tried for some more months and then put it on the back burner. Another company which was based in Atlanta and which I had started about the same time as I had, was bought by Ncircle recently for an undisclosed sum.
Now, I am fighting over the patent. Hopefully, I will get it or at least get some of the claims. I have already got an office action from the US patent office.
Now, I am working on an entirely unrelated consumer product which requires much less money to market.
The big problem I found about the security product is that it takes a lot of money to market a product to enterprises in the US sitting here in India. So, it just doesn’t cut unless one has funding or a co-founder in the US.
regards,
Samir