The Hacking Economy

Cyberthreat growth causes chaos for tech buyers

Rawpixel Ltd | Getty Images

Michael Keithley has spent over two decades running IT and security for CAA, the Hollywood talent agency whose clients include Tom Hanks, Will Smith and Scarlett Johansson.

Of late, his job has been particularly intense. The change dates back to November 2014, when a massive hack at Sony Pictures shut down the studio's computer system and exposed highly confidential and embarrassing employee and celebrity information.

"We were Ground Zero for obvious reasons," said Keithley, who joined the agency in 1991, before many companies were even connected to the Internet.

Pedestrians walk past Sony Pictures Studios in Los Angeles, Dec. 4, 2014.
The Sony hack: One year later

CAA's board took up the issue, increasing the firm's cybersecurity budget. Keithley doubled the number of security vendors he uses from 15 to 30, hired more industry experts and developed tools to address today's advanced and persistent threats.

It's a story that's playing out across every corporation, nonprofit and government agency, big or small, domestic or foreign. The software and systems built to protect computers and servers over the past few decades simply don't work in a world where every device is networked and exabytes (billions of gigabytes) of data are stashed in the cloud.

That theme is on full display this week at the annual RSA Conference in San Francisco, the security industry's flagship event, attracting some 500 vendors and over 30,000 attendees.

Apple CEO Tim Cook (left) and FBI Director James Comey.
Apple vs FBI shines spotlight on RSA Conference

One word on everyone's lips is vulnerabilities. Whether Target and Home Depot in retail, eBay in e-commerce, Anthem in health insurance, JPMorgan in banking or even the Internal Revenue Service, no industry is safe from the hacking epidemic. Juniper Research predicts that with all data going digital, the cost of breaches to companies will more than quadruple by 2019 to $2.1 trillion.

For IT managers, and more specifically the growing class of chief information security officers (CISOs), the chaos has taken over their lives, and the software world isn't helping. Armed with double-digit annual budget increases, while the rest of IT grows at less than 2 percent, security chiefs are being pitched by scores of new vendors promising to protect some piece of critical infrastructure or defend against a specific type of threat.

The global cybersecurity market is expected to expand almost 10 percent a year to $170 billion by 2020, according to Markets and Markets.

Unprepared for the onslaught of high-profile breaches, many companies are throwing money at problems as they arise.

"There hasn't been a proactive security strategy in place for a long time," said Joel Fishbein, a software and security analyst at BTIG. "Most people have been very reactive in the buying and deploying of technology. It's always been to solve a significant problem or a hole they've found."

Top security investments of past year

CompanyAmountLead investors
Tenable Network Security$250 mlnInsight, Accel
Tanium$120 mlnTPG, IVP, T. Rowe
CloudFlare$110 mlnFidelity
Zscaler$110 mlnTPG
CrowdStrike$100 mlnGoogle Capital
Illumio$100 mlnBlackRock, Accel

In a 35-page RSA preview last week, Fishbein said that key themes for the conference and security industry broadly include threat intelligence, analytics and machine learning, anti-malware, next-generation endpoint protection and managed security services.

He referred to security as a "chaotic and confusing industry undergoing rapid change."

Venture capitalists have done their part to fuel the madness, plunging $3.8 billion into 332 security deals last year, up from $2.8 billion and 299 transactions in 2014, according to CB Insights. In the past 11 months, six companies have raised rounds of at least $100 million.

Among them is Illumio, which raised $100 million in April with the promise that businesses could gain visibility across all of their servers, whether in physical data centers or the cloud. The software is designed to spot any irregularities in how devices are communicating, so they can be immediately shut down and investigated.

Read MoreApple vs. FBI shines spotlight on RSA

CAA's Keithley calls Illumio a "game changer" for understanding the behavior of your network. "If all of the sudden a system or website is talking to a database that it didn't before or a database is being accessed in a weird way, you want to block that," he said.

Another new tool that CAA has added is Vera, which allows security teams to powerfully encrypt specific types of data in the cloud and on mobile applications without interrupting how employees work. Keithley's team also uses Skyhigh Networks for monitoring activity in the cloud, Crowdstrike for protecting networked devices from breaches, and Cylance, which provides threat detection software powered by machine intelligence.

Of course, none of this makes companies immune from the global network of hackers and cyber criminals. Thus, more tools are emerging to at least help IT managers spot weaknesses and quickly patch them up.

Tanium CTO and co-founder Orion Hindawi
What volatility? This start-up is worth $3.5 bln

For example, Tanium has grown rapidly of late with software that shows security managers where hackers have entered so they can immediately shut off suspicious activity. The idea is to accept that the company's perimeter is compromised and focus on limiting the damage and protecting the most valuable assets.

Tanium was valued last year at $3.5 billion, about one-quarter Symantec's stock market value.

While Symantec remains the biggest security vendor, its outdated antivirus products are no longer in demand and largely seen as irrelevant in today's hyper-connected world. The company recently spun out its storage management division, Veritas.

There are 12 or 15 endpoint vendors going after new dollars, and the new dollars aren't necessarily there.
Joel Fishbein, BTIG analyst

Businesses are instead turning to tools such as Malwarebytes, whose website says "we protect you from dangerous threats that antivirus doesn't."

Earlier this year, at a time when late-stage tech investors were retrenching, Malwarebytes raised $50 million from Fidelity to support the company's growth into the corporate IT shops.

Malwarebytes started as an antivirus tool for consumers and now gets about half its revenue, which totals $100 million annually, from businesses looking to protect their devices from the persistent threat of infections and malicious websites.

Read MoreWhat can anonymous really do to ISIS?

But for venture-backed security companies that have yet to differentiate themselves and show a working business model, 2016 could be the end of the line.

Fishbein says that while corporations have been underinvesting in their security infrastructure in recent years, venture capitalists have been overinvesting in start-ups.

The industry is littered with so-called endpoint solutions, designed to protect the network and every device that touches it, because when it comes to securing a company's perimeter, the old firewalls are insufficient.

Still, "there are 12 or 15 endpoint vendors going after new dollars, and the new dollars aren't necessarily there," said Fishbein.

Top trades for the 2nd half: FireEye, Palo Alto & more

Israeli entrepreneur Shlomo Kramer knows a little something about firewalls. Kramer co-founded Check Point Software in 1993, and was an investor in Palo Alto Networks, which has become Check Point's biggest challenger. He also founded cybersecurity company Imperva.

In 2015, Kramer started his latest venture, Cato Networks, because he says the new wave of mobile and cloud computing is "dissolving the perimeter."

Cato raised $20 million late last year and is preparing to open up its product to the public. To protect data, Kramer says, security has to be delivered in the same ways and same places as other software. It's a firewall in the cloud and for the cloud.

Kramer's thesis is that companies can use Cato to replace their existing firewall as well as networking technology that directs traffic to branch offices.

"The key is how do you bring simplicity back," said Kramer. "We'll reduce the number of point solutions they need to buy."

Silicon Valley's cash party is coming to an end

Anyone with the title CISO is being presented with more solutions to buy, not fewer.

Window Snyder was named security chief at San Francisco-based Fastly in June and was immediately inundated with unsolicited requests for meetings. Furthermore, Snyder is at the heart of technology; Fastly is itself a venture-backed start-up, providing software that speeds mobile content delivery.

The only solutions Snyder considers purchasing are those that address specific gaps her team has identified. One example is Duo Security, which provides two-factor authentication that Snyder says doesn't interrupt usage.

Snyder has to put a lot of work into choosing every provider, researching how it responded to previous attacks and how responsive is its customer support.

On top of all that, Fastly — or any other buyer — has to have confidence that the vendor is going to survive a potential downturn in the capital markets and a wave of consolidation.

"Longevity and viability are key factors," said Snyder, who previously spent five years working on Apple's security and privacy team. "For a lot of new the players, it's hard to make an investment on our side if we don't have some way of evaluating whether they'll be there to support us long term."