Cybersecurity startups, not weighed down by legacy platforms, can be more nimble and innovative than their more established competitors, and can often offer more personalized service at a more attractive price. Atiq Raza has seen this from both sides. Today, he's the CEO of Silicon Valley cybersecurity startup Virsec Systems, but he's also worked for large companies, including a stint as the president of AMD.
"I have managed major organizations with hundreds of key vendors," he says. "For some functions you want conservative, well established vendors with a long track record of doing one thing very well. But for many functions, including security, you also need the latest, most effective and most innovative solutions – typically from younger companies."
"There are inherent risks to working with smaller innovators, but for the right pieces, smart organizations recognize the benefits," he says.
That includes flexibility, speed, creativity and ability to innovate, he says. "By not being locked into a fixed mindset or methodology, and not being tied down by existing technology, they have the freedom to be disruptive, challenge assumptions, and create the first generation of game-changing technology. This is why startups routinely beat established companies in driving new markets.”
The risks of using startups is significant, however. The startup might go out of business or be bought and their technology shut down. Worse, due to inexperience and lack of adequate controls, a startup might make mistakes that could compromise their customers' security instead of improving it.
CSO spoke with a wide range of IT and security professionals as well as cybersecurity industry veterans to learn their best practices for working with security startups.
1. Perform a due diligence check
“How long will they stick around?” is the key question any organization should have about working with a startup. That’s why it’s important to perform due diligence from both a technology and business perspective. Can the company show that the technology works as claimed? Does the company have the right management and funding in place to grow and survive?
For Wendy Nather, working with startups can mean getting an edge, and not just against cyber attackers. She was the director for IT security at UBS and CISO of the Texas Education Agency, where she worked with cybersecurity startups. Today, she is the director for advisory CISOs at Duo Security, a cybersecurity startup that Cisco bought for US$2.35 billion in the summer of 2018.
"When you decide to go with a cybersecurity startup, it’s because they’re approaching a problem in a new way, or they’re offering functionality that is ahead of what you’ve seen with established vendors," Nather says. "When you are building an aspirational security program, you want to be better than your peers, and you want to find the most advanced offerings that you can."
Of course, the startup's viability is a major concern, she says. Just having good technology isn't enough. "If they’re not good at sales or at running a business in general, they may not last very long," she says. "So besides just looking at the products or services, you have to take a wider look at their operations and business model."
Industry analysts or peers can provide needed insight here. "Or you can start small and plan to engage more with them over time," she says. "But eventually, unless you have a very distributed security portfolio, you’re just going to have to take your chances with the startup that you really like."
She says she did that with Internet Security Systems (ISS), which was still a startup back when she was working for a major Swiss bank. "That turned out all right," she says. ISS has since been acquired by IBM.
2. Be prepared for a larger company to acquire the startup vendor
An acquisition by a larger company can be both a good and a bad thing for a startup and its customers. "Startups that are just features and aren’t acquired may not have a chair when the music stops playing — and may have to shut their doors," says Hitesh Sheth, CEO at Vectra Networks, Inc.
If they are acquired, customers may lose the personal relationship they used to have with a small company. The product or service might also be discontinued, or changed, once a startup is bought up. "You should be prepared for your best startup vendors to get acquired and have their product screwed up by big vendors," says John Pescatore, director of emerging trends at SANS Institute.
Before that, though, you can expect to get a few years of high value, he says. "It is kind of like the difference between booking a hotel room at an established hotel chain and booking something on AirBnB," Pescatore says. "You need to do more due diligence — if not, you are likely to have a rude surprise. But, if you do the due diligence and pay attention, you can find some real gems that you want to return to."
3. Look for real-world use cases
Just having a product that works well isn't enough. For instance, Pescatore says, the biggest pitfall when dealing with a startup is that they might not be able to scale their product to meet the needs of their customers. "A machine learning innovation that stops all bad things and has no false positives against good things that work on one PC may not work across 10,000 PCs that come in 250 different flavors," he says.
Ask the company to provide real-world use cases that are similar to your own. You don’t want to learn after implementation that the security technology you’ve invested in doesn’t scale to meet your needs or integrate well with your other systems.
4. Check the technical and business backgrounds of key personnel
Do the key developers and business management have experience in the cybersecurity market? What is the track record of the previous cybersecurity companies they worked at?
Startups with early promise might not be able to deal with the demands of enhancements and integrations needed to work with other products, Pescatore says. Check to see if, say, the startup's VP of engineering came from a cybersecurity background and find out how their previous company delivered.
5. Try both product and support before you buy
When getting a demo, get away from the prepared script and ask about capabilities that don't work yet. "If they can't complete a sentence without a buzzword, alarm bells should go off," Pescatore says.
Nathan Wenzler, chief security strategist at AsTech Consulting, a security consulting firm, recommends that companies get a trial version of software and put it through its paces. "Don't be afraid to ask for support while trying to make it work," he says. Not only does that help you decide whether the product is the right fit, but also demonstrates how responsive the vendor is.
In general, he says, startups and smaller companies can respond more quickly to customer issues. "It's more likely that you can get to key people, lead developers or others who are more directly involved with the product, and thus, can address issues themselves more immediately," Wenzler says.
The flip side to this is that the startup might not have enough resources to make large-scale changes or respond to major requests, Wenzler says. "It may become an exercise in patience while waiting for it to get done."
When assessing a startup's ability to deliver, Julie Cullivan, CIO at ForeScout Technologies Inc., says she turns to her peers. "I always use my network to find out who else is working with the vendor or considering to work with the startup, so I can hear the benefits from their perspective or experience," she says. "The biggest pitfall is if the technology is just not there yet."
It's important to get the real story about where the technology really is, Cullivan says. "IT and IT security are expected to be able to move quickly, meaning you are always having to prioritize how to creatively improve your risk posture and optimize resources with emerging solutions.”
At the same time, that has to be balanced with the need to minimize your organization’s risk, Cullivan says — and with the expectation that things might not work out. "If you're going to fail, fail fast."
6. Evaluate the startup’s own security practices
Kathie Miley, COO at Cybrary, has spent half her career at startups and half at large enterprises. For example, she was an executive director at Verizon, where she worked for 12 years. "I love the ability for startups to provide new, never seen before solutions," she says. "Many times, that innovation outweighs the need to go with an established larger firm."
For her, due diligence includes evaluating potential vendors on their cybersecurity practices. "I subject all of my partners to the same — if not stronger — security evaluations and demands that my customers place upon my company," she says.
When the startup fails to measure up, she sends them packing. "I have technologically chosen products that in the end could not purchase because they could not demonstrate acceptable security controls and policies," she says. "Innovation aside, I cannot risk my business on a start-up not willing to invest in security."
7. If you can’t vet properly, go with an established vendor
If you think vetting the startup and managing that relationship sounds like a lot of work and hassle, you're not alone. "It is a fact that many large enterprises will only maintain business relationships with larger organizations," says David Ginsburg, VP of marketing at Cavirin, a startup in the hybrid cloud security space. In those situations, an intermediary might help, he says, such as a reseller, a systems integrator, or a managed security services provider.
Not everyone can do the necessary due diligence on startups, Pescatore says. "If you aren’t, and your company doesn’t, then best to stick with established vendors."