Just about a year ago, I started thinking about the last big thing in security. This industry has reached a stage where disruptive technologies have virtually hit the glass ceiling. The market has violently regurgitated from any attempts to shove myopic product solutions down their throat. While industry old-timers sulk at it, I believe it’s a justifiable act. However, there are still a few acid-tripped security startups aiming to sell pure-play product solutions which only solve a part of the problem. I think their belief lies in the fact that there are still a few paranoid clients and pseudo-geek CISOs, who will buy their FUD-mongering and save themselves from the impending security doomsday. I think they are badly mistaken.
On a more calmed down note, customers have realized their mistakes and are suffering from existential angst. They understand the current threat landscape, the actual security risks looming over their business – they see the bigger picture and they know what they want. What customers don’t want are solutions which fragment the security problem into minuscule, mind-numbing, schizoid entities like botnet mitigation, security incident and event management, change control, client-side security, intrusion prevention, virtualization security, spam protection, endpoint protection, network behavioral analysis, identity management, fraud prevention, threat intelligence, compliance management, yada yada yada. Customers have failed to quantify any tangible RoI on such expenditures, they have had a hard time managing the gamut of deployments over their networks, and above all – they don’t have any god-damn clue on how to glean actionable information out of these products. They have stopped being carried away by this cryptic industry. So consolidation was a very obvious Darwinian step.
Mind you, the consolidation is happening in two ways. One, the established bigger security vendors are acquiring smaller companies and creating wholesome, turnkey solution offerings which cover everything under the security umbrella (Symantec, McAfee, Cisco). Secondly, enterprise software and solution providers, which are generally exposed to maximum risk, are integrating these security technologies right into their very frameworks (EMC, Google, HP, IBM, Microsoft, Oracle, SAP, VMware). Thirdly, the coming innovation will be in the solution offerings and not in the underlying technologies. Fourthly, the security outsourcing industry is lagging by around 5 years.
So now comes the million-dollar question. What about ground root entrepreneurs and Schumpeterian innovators? I think, there are some opportunities on the horizon. The opportunities lie in re-innovating product technologies which failed just due to their higher operational costs and lack of business clarity. A quote from my last post which will help in elucidating this point:
…enterprise security expenditures became more and more justifiable in business terms due to regulatory compliance, cyber-crimes becoming a grim reality and the changing threat landscape. So now, security was not some obscure handiwork limited to network administrators; its need had trickled down towards the pin-striped pants of the management.
Opportunities also lie in security solutions which can leverage the cost-arbitrage. With the ongoing consolidation, security solutions have become more and more service-centric and productized-services is the way to go. When it comes to services, we can definitely exploit the well-proven Indian offshoring model. The case in point being, that although the bigger security players are merrily striving to provide wholesome solutions, integration of such diverse acquired technologies leads to a lot of quality-loss, thus raising the cost of the service offering.
Let me take a few ideas very specifically. A few months ago when I read this seminal article by David Cowan, my immediate thought was, “Why not try outsourcing+SaaS!!?”. An excerpt from my brief commentary:
Absolutely credible and intuitive assessment of the consolidated and de-productized information security market by David Cowan of Bessemer Venture Partners. David has hit the bullseye here, beautifully explaining the current and underlying bottlenecks ailing the business of information security. Personally, I feel this is a brilliant take on the future of the IT security industry. People have already shunned the idea of another killer security product and information security outsourcing (infrastructure management/MSS – whatever) is going nowhere.
Now, imagine the proven Indian offshoring model combined with SaaS! Companies like Wipro, which has a well-established security consulting services arm, have this whole market for the taking if they can streamline their messy operations. However, this is a tough bet for ground root entrepreneurs as it requires an elaborate operational setup and infrastructure.
And just a few weeks ago, when I read the Challenge to Indian Entrepreneurs posted by Sramana Mitra (written in Feb’07), I became more and more certain.
In the recently concluded Philippe Courtot interview series, we discussed at length the various ways in which India and China could undercut US companies, and Philippe acknowledged that in his business (Qualys is an outsourced managed security service provider, a SaaS play), it is quite possible that an Indian company could come up with a vastly lower cost structure, and customers would switch immediately, if they are convinced about the reliability of the service.
Just to set the economics in perspective, Qualys has invested $65 Million to build an infrastructure that “is at the scale of the planet” to monitor, audit and report network security problems.
Let me throw a challenge in the direction of the Indian entrepreneurs: Go figure out how to build this same business for $30 Million, and I can tell you, you will have an absolute winner in your hands.
There hasn’t been a better time to disrupt the current dystopian order. In fact, a few Indian companies like iViz and Aujas (both backed by IDG Ventures) are trying something similar to Qualys. But they have a long way to go. Their product technologies are in a nascent stage, they are trying to re-invent the wheel in solving most of the problems, they lack the technological maturity needed to understand the services model, they don’t have solid sales and marketing channels, and above all, they don’t have the kind of Übermensch team which is needed to pull this off. There are only a handful of people in India who have worked on such intrinsic areas like security product management, so talent is a big scarcity. I think, there is a timeline of about 1.5-3 years – until when the bigger consolidated players fix the rough edges of their offerings – where such startups can still think to leverage this big opportunity.
Okay, one more idea for the taking. I think, service-provider/tier-1/backbone security is one market which is still in the experimental phase. There are some great opportunities lying there. Indian companies like Guavus and others like PacketAnalytics are working on it.
Then, opportunities also lie in capturing the contemporary security services market by transforming them into the fashionable on-demand model combined with offshoring. Example being – Veracode for application security.
That day is not far-off when some Indian entrepreneur will make Sramana and SaaSu-Maa jump with joy. Whad’ya say? 🙂


Pukhraj is right when he says there is a 2-3 year time window until the big ones get their act together.
There are several opportunities for startups in the area of security products, even those which address single pain points. At the moment, addressing end-to-end security is beyond the scope of the typical compact operations of a startup. You would not have had products like Nod32 if the founders balked because of the “oops, someone already did it” syndrome. Companies like Brix, Solera, Sourcefire are all hitting hard at different points.
The newest areas in security such as Network Security Monitoring promise to aid incident response as well as forensic analysis. This might well be the first step to pulling various point solutions together as low level IPS functionality is pushed more and more into the network infrastructure like routers.
Go forth and innovate technically, Indians. Without a unique technical offering – a SaaS model will not be any different from any of the services offered by Wipro etc today (not that there is anything wrong with it). Design a flow processor that can process 10G speeds. Design new and more efficient pattern matching. Other opportunities are in forensics, LI, and compliance. Create bigger and better threat signatures. There is also scope to leverage our cost advantage when it comes to analyzing and maintaining malware signatures.
A general observation from an early stage startup.
I believe tech startups have to ground their companies on a technical core first (of course while not losing sight of the business opportunity). This is just like social startups which need to focus on issues arising out of humans interacting. This might be against the “exhaustive business case first” grain of this blog. While we startups can easily ping potential customers, we (1) lack the capability to conduct an in-depth business analysis of line item trends in the CTO’s yearly capital budgets. (2) we also are unable to trust the VCs when they say things like ‘you are crazy, this market is screwed’. We assume the VC is talking from his viewpoint which is “Do things which give me a 100x return or just die as quickly as possible”. This is the case even when the VC is actually right 🙂
So, most founders will end up taking the path of “quick-check with customers – and roll if your gut feeling is good”.
I am bootstrapping a company in this area and I have had the opportunity to interact with the CEOs of a few companies in India. They are very keen on products in this very area to help their harassed security outfits. This demand is especially high in offshore development shops and BPO operations. You may already notice the completely unscientific and un-financial analysis. We can check roughly what they would pay, but we don’t have a chart showing capital allocations. None of these guarantee that we or someone like us will succeed, of course!