Cybersecurity remains a huge pain point for many organizations: Last year, a study by incumbent security provider Palo Alto Networks found security teams at large enterprises use more than 130 separate security solutions, on average. At this year’s just-concluded RSA security conference in San Francisco, more than 700 security vendors and exhibitors jostled for mindshare. Some of these companies supply new technology to automatically, instead of manually, address the growing number of security problems generated by the new cloud-native environments inside many enterprises, in which teams leverage new DevOps practices and deploy microservices in public- and hybrid-cloud startups.
We believe the current enterprise-security model is unsustainable given this move to cloud-native practices. With more than 40 million developers on GitHub alone, and billions being spent on developer-led, digital transformation efforts in companies across industries, it’s clear that more and more security concerns will need to be addressed by developers earlier in the software-development cycle. Indeed, many new startups are now emerging to help developers and their organizations, and not just high-level, company-security executives, focus on security in a more pro-active way.
We discussed in our 2019 OpenCloud report that the shift to the cloud is increasing the “attack surface” for bad actors—creating new security vulnerabilities for organizations but also new opportunities for startups seeking to help them fight back. More broadly, the cloud is changing the philosophy of how enterprises approach security by getting developers to think about security earlier, integrating security solutions deeper into their workflows and codifying security as code to keep development moving quickly.
How did we get here?
Historically, chief information security officers (CISOs) were in charge of the security-software purchasing decisions inside enterprises. They oversaw centralized Security Operations Centers (SOCs), which used security software to manually detect and remediate threats and vulnerabilities throughout the organization (think detecting malware on a network, firewall breaches, modification of access permissions, etc.). In a world where infrastructure environments were static and the software-development process took months, this structure was manageable.
But as the cloud took off, infrastructure became dynamic: Open-source software and reusable software modules became foundational building blocks, and development times compressed to days or weeks. Today, the SOC is left to handle only the highest-risk threats and vulnerabilities that need deep security-forensics expertise. The remaining incidents are automatically routed to the developers and DevOps teams that have the context to remediate them. This has created an opportunity for new companies to provide new, more-targeted tools for these developers and DevOps teams to address security issues.
Early companies in the sector
The first wave of companies in this area focused on securing and scanning applications during the development process – primarily because these applications were revenue generating and required high availability and security. These companies included Contrast Security* and incumbents such as Veracode and Fortify. Enterprises are also starting to proactively educate developers about security best practices by delivering personalized programs and communications to help them integrate security into their workflows. Companies like Secure Code Warrior have developed educational platforms for this. While such tools were mandated by CISOs, they were built for developers and not security analysts. This meant deep collaboration between the CISO and the chief technology officer (“CTO”) of an organization.
Today, other companies are providing tools that allow developers and DevOps teams to adopt security solutions organically and embed them even deeper into their workflows. JFrog*, which started as an artifact repository and now offers continuous security for containers and software artifacts, boasts a community of three million developers. Snyk, which provides code-scanning security for open-source libraries and containers, has 400,000 developers on its platform and raised funding earlier this year that valued the company at more than $1 billion.
In addition, as DevOps teams shorten time-to-production using “infrastructure as code” (IaC) templates, the codification of security practices—or “security as code” (SaC)—has become part of their workflow as well. Companies such as Styra and HashiCorp Sentinel are codifying incident remediation into policy frameworks, while others, such as Bridgecrew, are automating it altogether in both build-time and run-time environments.
Outside of enterprises and dev teams, cloud providers, historically focused on attracting developers, are also starting to embed security into their offerings and take security seriously. GitHub (acquired by Microsoft in 2018 for $7.5 billion) acquired Semmle and Dependabot to improve code quality and check dependency files for outdated requirements. Palo Alto Networks has spent more than $1 billion in the last 24 months on cloud-native security solutions such as Evident.io, RedLock, Twistlock, Demisto, and others. In addition, in 2019 cloud giant Amazon Web Services held its first conference dedicated to cloud security: AWS re:Inforce.
Learnings and considerations for founders
At Battery, we have spent the last several years examining the transformation of security and its move to the developer level. We see a few key considerations to keep in mind if you’re a founder building a security-focused company for developers.
The market is still early: We are only in the early innings of this industry transformation. Large enterprises still rely on many old-school security tactics, such as employing SOC analysts and bringing on managed-security service providers. While more responsibilities are continuing to shift down to the developer level, this isn’t happening overnight. Therefore, it is critical that, as a developer-centric security startup, you are trusted by the buyer. The stakes are much higher when a third-party solution is touching an organization’s code or proactively making changes to workloads and infrastructure. Our advice is to build trust with your potential buyers and ensure users can maintain their pace of development by: surrounding yourself with an experienced and credible team; building with ease of implementation and auditability in mind; building and engaging the developer community through some form of developer relations; and/or creating and contributing to open-source projects that support the ecosystem.
Security teams will exist, but responsibilities are merging: Security teams are becoming increasingly specialized. Some of the most sophisticated companies, such as Netflix, Spotify, Stripe, and Airbnb, have dedicated teams for application security or cloud-infrastructure security. Gone are the days of one team managing security for the whole enterprise. As a result, the security responsibilities of the CISO and the CTO are blurring. Expect to see more CISOs and CTOs own their own security budgets; know what your security solution will ultimately touch in order to qualify the right buyer.
The buyer is not the user: Since it’s still early in this transformation, this is still a dual-persona sale. Not only will you have to unlock budget from the CISO and the security organization, but you also need to win the hearts and minds of the developers who will ultimately be using the solution. As a founder, ensure you are aligning your value proposition accordingly. We have seen some companies create collateral for both personas – the security org and the technical org. Sell to the budget, but build trust and show time to value to the user.
We think it’s a great time to be a founder building a developer-centric security solution. As cloud adoption continues to rise—and software development becomes even faster—more security responsibilities will move down to the developer level and security will continue to be a paramount concern to enterprises, meaning lots of opportunity for security entrepreneurs.
Battery Ventures provides investment advisory services solely to privately offered funds. Battery Ventures neither solicits nor makes its services available to the public or other advisory clients. For more information about Battery Ventures’ potential financing capabilities for prospective portfolio companies, please refer to our website.

*Denotes a past or present Battery portfolio company. A full list of all Battery investments is available on our website.
Content obtained from third-party sources, although believed to be reliable, has not been independently verified as to its accuracy or completeness and cannot be guaranteed. Battery Ventures has no obligation to update, modify or amend the content of this post nor notify its readers in the event that any information, opinion, projection, forecast or estimate included, changes or subsequently becomes inaccurate.