REFLECTING ON RSA 2017 SAN FRANCISCO

The RSA conference has been a highlight of my technology year since the early 2000s.  As with any conference it is easy to become jaded; each year we see a new generation of freshly-funded hopefuls, their booth armies fueled by marketing dollars, their branded mint tins, glow balls and pens propagating throughout the hall.  But what keeps RSA interesting is the rapid evolution of the threat landscape, the trailing response of corporate CSOs, and the many smart people working earnestly to even the odds.

As the CTO of HP Security put it several years ago, “bad guys collaborate, good guys don’t”. Companies don’t like to publicize their security woes.  But RSA provides a forum for customers and vendors to compare notes, share best practices, and figure out how to work together.

Not everything that is new is actually new.  The pendulum swings between comprehensive suites and point solutions, between host and perimeter security, between situational awareness and incident response.

My focus at RSA is always on the core trends that are shaping the market opportunity for security solutions, and the innovative emerging companies that are successfully tapping into those trends. Over these past many years, the trends have included the move to software from appliance, the move to cloud and virtualization, the rising influence of compliance and governmental penalties and regulations, and the diminishing effectiveness of the “snake oil pitch.”

By “snake oil pitch” I mean the patent medicine that somehow cures all ills, even though we can’t explain why. The software equivalent is the better mousetrap that will protect your company. It is now widely understood that the big platforms are big targets, which makes them vulnerable, but which also gives them a steady daily regimen of exercise, fending off threats from around the world. Repeating patterns and fast identification of exploits give the bigger platforms an edge. The black box that will somehow protect your network is harder to sell these days because customers are more savvy and understand that there is always a way to end-run a single technology solution.

If there is one overarching trend over the last 15 years that appears to continue moving in the same direction, and to change the landscape, it is the shift from specialty technology solutions to a more holistic defensive posture that incorporates situational awareness, training, awareness and compliance with the regulatory environment, insurance for cyber risk, and a suite of technology solutions that provide protection and audit trails without crippling IT infrastructure.

It is no surprise that there is a lot of activity around companies that fulfill these missions. High-growth firms in the training and situational awareness fields are receiving a lot of attention. Companies that have figured out a go-to-market strategy that aligns them with the cyber risk policy writers, namely the large insurance companies, are achieving success and interest from a broad range of players.

It is also important to track and understand the influence of security built-in as opposed to security as a standalone solution. Customers licensing software and software platforms today expect secure software, and conversely would find it unusual to be presented with a list of necessary security technologies to add on top of a new software platform. This would be the equivalent of agreeing to a price on a new car and then sitting down with the finance director to hear about a new undercoat, which is necessary because the car has insufficient undercoating, the paint sealant, which is required because the paint is improperly sealed, and the extended warranty, which is required because the car is unreliable over the long term. This is not how you sell software today. You sell software that is reasonably secure, and customers have been conditioned to think separately about a standard set of tools to secure their infrastructure.

It comes as no surprise that recent Innovation Sandbox finalists have included many companies that focus less on point security technology and more on situational awareness, training and incident response.  I wrote about this back in 2013 and it is even more pronounced today: http://techstrat.com/uncategorized/rsa-security-conference-san-francisco-february-2013/

Also notable in recent years is the changing definition of a “startup.” Some applicants have raised $50 million or more.  As the Innovation Sandbox companies have gotten bigger, the expectations for growth and the barriers to entry for innovative, undercapitalized companies have clearly gone up. The pressure to generate recurring revenue as opposed to one-time licenses has also raised the bar for emerging companies. Building a SaaS business simply requires more capital and deeper technology expertise than building a traditional perpetual license business. Revenue comes later, infrastructure has to be highly distributed and bulletproof, and the switching costs for customers who want to leave your system are potentially lower.

This translates into a really challenging environment for early-stage companies to grow into. How can this be reconciled with the industry reports of the growing market opportunity?  Is the market opportunity really defined by a growing number of hacks, increasingly sophisticated hackers, and more liability for successful exploits?

The problem for small companies is that along with the market size, the cost and risk associated with building a presence in the market have also gone up.

Earlier generations of technology provided a great growth platform for companies that knew how to sell. Email filtering and spam filtering are classic examples of a market where everyone needed a better mousetrap. The downside risks were actually smaller than anyone really wanted to admit because the filtering companies were actually selling productivity enhancement rather than risk mitigation: cleaning up inboxes, rather than protecting companies from hacks.  The solutions could be packaged and sold relatively easily.  Things have definitely changed.

To become a successful M&A target today, emerging companies have to integrate with hybrid cloud/premise environments, convince customers to accept SaaS or other recurring revenue models, and invest in R&D ahead of revenue.  However, recent exits show that M&A in security is only increasing, so there is still a business case to be made for growing companies in this market.