Tag Archive for 'security'

Indian SMBs to spend $1.26 billion for Internet services in ‘08

A report by market research firm Access Markets International Partners estimates that Indian SMBs will spend $1.26 billion on Internet-related products and services in 2008, an amazing 35% increase from last year. Considering the fact that data security and compliance is generally the third or fourth factor in the priority list of SMBs (after things like infrastructure and accessibility), I am just wondering how much of it can be tapped by non-intrusive and hassle-free models like security-as-a-service? SMBs are still sticking to contemporary offerings due to the lack of awareness. Even a small chunk of the pie will be plentiful. Security companies need a special action plan for India now.

Security startups to watch

Here’s a list of some bright and upcoming security companies which, in my opinion, have a promising potential:

Endeavor Security (www.endeavorsecurity.com, Rating 4/5) - My bets are on this startup. Endeavor is an early-stage company working on a truly disruptive security framework which could be the next big thing in Internet-wide threat analysis and actionable intelligence. The problem with existing intelligence players is that their offerings are not truly actionable, i.e. they don’t cover the complete cycle (detection-reporting-remediation). Secondly, none of them has the capability to provide vendor-agnostic remedial input. Third, none of them has been able to keep pace with the changing threat landscape. Fourth, most of the industry analysts wrongly believe that the need for such a service is failing. Security intelligence is still scattered and raw. There is a big response gap which separates intelligence from the effectiveness of deployed products and services. If someone is able to bridge this gap in a product/service/vendor-agnostic way, then there is a great opportunity for setting up a truly early-warning and preemptive service offering. Backed by the Department of Homeland Security, this company has taken its first steps to test the waters. It has launched solutions like FirstLight Signatures (a signature service for various IPS, UTM and firewall vendors) and FirstLight Active Malware Protection (gathering the latest malware data from deployed sensors and relaying it across to the AV vendors before the outbreak occurs while protecting their customers’ perimeter on-the-fly). I had a brief interaction with one of the founders and they say that a SaaS offering is in the works. All this makes it a company to watch out for. Their only challenge would be to get some gung-hos in the management team and build a very strong research back-end.

Rohati Systems (www.rohati.com, Rating 3.5/5) - Well, nothing groundbreaking really but a credible enhancement over existing offerings. They are working on a layer 4-to-7, policy-based firewall controlling access to various applications and resources, with awareness about their business context and compliance regulations. Alan Shimel has termed it “a logical extension of identity based access control” and I agree wholeheartedly with him. They are not alone in the game, with Palo Alto Networks giving them some heat. However, they are garnering most of the media attention due to some highly accomplished Indian techies from Cisco in their management line-up.

Mocana Corp. (www.mocana.com, Rating 3.5/5) - This relatively older company is gradually coming into the limelight. They are building security infrastructure for all kinds of networked devices, from mobile phones to coffee makers. They have acquired a small Indian company to set up their offshore R&D base in Pune.

The Internet according to Akamai

Akamai has published the first in a series of quarterly looks at the state of the internet (warning, requires registration), which they would be in a unique position to report on. From the summary:

Starting with the January to March (1st quarter) 2008 time period, Akamai will be publishing a quarterly “State of the Internet” report. This report will include data gathered across Akamai’s global server network about attack traffic and broadband adoption, as well as trends seen in this data over time. It will also aggregate publicly available news and information about notable events seen throughout the quarter, including Denial of Service attacks, Web site hacks, and network events.

Here is a local copy of the report, for those who don’t want to provide an email address.

Sramana’s Challenge: Kyunki ‘SaaS’ Bhi Kabhi…

Just about a year ago, I started thinking about the last big thing in security. This industry has reached a stage where disruptive technologies have virtually hit the glass ceiling. The market has violently regurgitated from any attempts to shove myopic product solutions down their throat. While industry old-timers sulk at it, I believe it’s a justifiable act. However, there are still a few acid-tripped security startups aiming to sell pure-play product solutions which only solve a part of the problem. I think their belief lies in the fact that there are still a few paranoid clients and pseudo-geek CISOs, who will buy their FUD-mongering and save themselves from the impending security doomsday. I think they are badly mistaken.

On a calmer note, customers have realized their mistakes and are suffering from existential angst. They understand the current threat landscape, the actual security risks looming over their business - they see the bigger picture and they know what they want. What customers don’t want are solutions which fragment the security problem into minuscule, mind-numbing, schizoid entities like botnet mitigation, security incident and event management, change control, client-side security, intrusion prevention, virtualization security, spam protection, endpoint protection, network behavioral analysis, identity management, fraud prevention, threat intelligence, compliance management, yada yada yada. Customers have failed to quantify any tangible RoI on such expenditures, they have had a hard time managing the gamut of deployments over their networks, and above all - they don’t have any god-damn clue on how to glean actionable information out of these products. They have stopped being carried away by this cryptic industry. So consolidation was a very obvious Darwinian step.

Mind you, the consolidation is happening in two ways. One, the established bigger security vendors are acquiring smaller companies and creating wholesome, turnkey solution offerings which cover everything under the security umbrella (Symantec, McAfee, Cisco). Secondly, enterprise software and solution providers, which are generally exposed to maximum risk, are integrating these security technologies right into their very frameworks (EMC, Google, HP, IBM, Microsoft, Oracle, SAP, VMware). Thirdly, the coming innovation will be in the solution offerings and not in the underlying technologies. Fourthly, the security outsourcing industry is lagging by around 5 years.

So now comes the million-dollar question. What about ground root entrepreneurs and Schumpeterian innovators? I think there are some opportunities on the horizon. The opportunities lie in re-innovating product technologies which failed just due to their higher operational costs and lack of business clarity. A quote from my last post which will help in elucidating this point:

…enterprise security expenditures became more and more justifiable in business terms due to regulatory compliance, cyber-crimes becoming a grim reality and the changing threat landscape. So now, security was not some obscure handy-work limited to network administrators; its need had trickled down towards the pin-striped pants of the management.

Opportunities also lie in security solutions which can leverage the cost arbitrage. With the ongoing consolidation, security solutions have become more and more service-centric, and productized services are the way to go. When it comes to services, we can definitely exploit the well-proven Indian offshoring model. The case in point being that although the bigger security players are merrily striving to provide wholesome solutions, integration of such diverse acquired technologies leads to a lot of quality loss, thus raising the cost of the service offering.

Let me take a few ideas very specifically. A few months ago when I read this seminal article by David Cowan, my immediate thought was, “Why not try outsourcing+SaaS!!?”. An excerpt from my brief commentary:

Absolutely credible and intuitive assessment of the consolidated and de-productized information security market by David Cowan of Bessemer Venture Partners. David has hit the bullseye here, beautifully explaining the current and underlying bottlenecks ailing the business of information security. Personally, I feel this is a brilliant take on the future of the IT security industry. People have already shunned the idea of another killer security product and information security outsourcing (infrastructure management/MSS - whatever) is going nowhere.

Now, imagine the proven Indian offshoring model combined with SaaS! Companies like Wipro, which has a well-established security consulting services arm, have this whole market for the taking if they can streamline their messy operations. However, this is a tough bet for ground root entrepreneurs as it requires an elaborate operational setup and infrastructure.

And just a few weeks ago, when I read the Challenge to Indian Entrepreneurs posted by Sramana Mitra (written in Feb’07), I became more and more certain.

In the recently concluded Philippe Courtot interview series, we discussed at length the various ways in which India and China could undercut US companies, and Philippe acknowledged that in his business (Qualys is an outsourced managed security service provider, a SaaS play), it is quite possible that an Indian company could come up with a vastly lower cost structure, and customers would switch immediately, if they are convinced about the reliability of the service.

Just to set the economics in perspective, Qualys has invested $65 Million to build an infrastructure that “is at the scale of the planet” to monitor, audit and report network security problems.

Let me throw a challenge in the direction of the Indian entrepreneurs: Go figure out how to build this same business for $30 Million, and I can tell you, you will have an absolute winner in your hands.

There hasn’t been a better time to disrupt the current dystopian order. In fact, a few Indian companies like iViz and Aujas (both backed by IDG Ventures) are trying something similar to Qualys. But they have a long way to go. Their product technologies are in a nascent stage, they are trying to re-invent the wheel in solving most of the problems, they lack the technological maturity needed to understand the services model, they don’t have solid sales and marketing channels, and above all, they don’t have the kind of Übermensch team which is needed to pull this off. There are only a handful of people in India who have worked on such intrinsic areas like security product management, so talent is a big scarcity. I think there is a timeline of about 1.5-3 years - until when the bigger consolidated players fix the rough edges of their offerings - where such startups can still think to leverage this big opportunity.

Okay, one more idea for the taking. I think service-provider/tier-1/backbone security is one market which is still in the experimental phase. There are some great opportunities lying there. Indian companies like Guavus and others like PacketAnalytics are working on it.

Then, opportunities also lie in capturing the contemporary security services market by transforming them into the fashionable on-demand model combined with offshoring. Example being - Veracode for application security.

That day is not far-off when some Indian entrepreneur will make Sramana and SaaSu-Maa jump with joy. Whad’ya say? :)

Happy SaaSu

ArcSight IPO: A positive vibe

So ArcSight, the enterprise security and compliance management company, went public a couple of weeks ago. Market watchers and industry analysts had always held mixed views about the company, and the same story goes with its IPO too. The hints of a listing came to be known publicly in September 2006, when the Valley kahuna Ray Lane chaired a meeting on ArcSight’s future and how it could be a worthy competitor in the to-be-consolidated information security space. The talk of the town was that the company’s decently solid sales record and struggling competitors are a positive sign of a stable future; thus broader solution offerings can be built by leveraging the IPO moolah which can be used to target some of the bigger players. This puts them in a better spot than other myopic security startups which only target a small part of the ‘security problem’. However, the festive mood was dampened a bit as the listing raised around $54M, slightly below expectations.

ArcSight was started during the heyday of security when companies with angel-eyed security administrators were really keen to visualize and monitor their security posture on an enterprise-wide scale. Termed Security Incident and Event Management (SIEM) solutions, these systems were aimed at picking out useful and actionable information from all network and security devices, rejecting unwanted notifications and false positives which had become a pain in the neck, metaphorically speaking. These were the times when intrusion detection systems had just gained wide-scale acceptability and deployment but they were prone to generating a lot of alerts, and on an individual basis it was hard to make sense of what was going on in the network, thus defeating their whole purpose. But when it came to the actual implementation and tweaking, SIEM could make the client’s espresso machines run out of coffee powder. Moreover, their visualization and anomaly detection systems didn’t really prove that effective and had a steep learning curve. I remember working for a SIEM vendor on a contract when I came to know about the dreadful effort of installing this gargantuan solution, which could easily take a couple of weeks or even months. So ArcSight, being a smarter kid on the block, took a slip road like so many others. During the same time, enterprise security expenditures became more and more justifiable in business terms due to regulatory compliance, cyber-crimes becoming a grim reality and the changing threat landscape. So now, security was not some obscure handy-work limited to network administrators; its need had trickled down towards the pin-striped pants of the management. SIEM vendors like ArcSight, with some magic and a lot of rework, were able to provide respectable offerings in compliance monitoring, fraud prevention and identity management. Fast-forward a few years and we got a company sending out positive vibes in a niche market which has drowned itself in pessimism.
It would be interesting to see how ArcSight will fare in this industry witnessing some epic shifts and large-scale consolidation.

Some thoughts in this article are derived from: ArcSight Security IPO, Not So Hot