How fear and self-preservation are driving a cyber arms race
Silicon Valley is pouring more money into Internet security companies than ever before.
When a man was fired from his job in Minneapolis, Minn., last May, he inadvertently touched off a boom in Silicon Valley.
Gregg Steinhafel, then a 35-year veteran of Target and its CEO, was shown the door after hackers infiltrated the retailer's computer systems, stealing 70 million shoppers' information and 40 million credit and debit card numbers. It turned out the hack might have been prevented, had the company not ignored warnings from its own security systems.
It happened again in December, when Amy Pascal, one of the most powerful women in Hollywood, was fired from her job heading up Sony Pictures after hackers exposed thousands of financial documents and emails revealing the film studio's inner secrets. The hack captured the world's attention and elicited criticism from customers, industry leaders and even the president of the United States.
Pascal's and Steinhafel's exits sent shockwaves through corporate America. The message was clear: Top executives will be held responsible for their companies' cybersecurity failings.
The result, venture capitalists say, has been a boom for cybersecurity startups. In ways that previous attacks on consumers never did, the firings have sparked a scramble for new security technology by companies desperate to head off the next costly, embarrassing cyberattack. And venture capitalists are responding, pouring unprecedented billions into a dizzying array of young companies and their, largely, untested products.
Last year, these companies received an aggregate $2.39 billion in funding, a 35 percent increase over 2013, according to venture capital data firm CB Insights. That's the most money that's been funneled into cybersecurity companies ever. Silicon Valley is betting companies have woken up to the real dangers of living in the Internet age.
"The demand is off the charts and so is the confusion," said Venky Ganesan, a venture capitalist at Menlo Ventures. Companies, he said, are becoming obsessed with staying a step ahead of hackers, who themselves are using ever more sophisticated attacks. "It is an arms race," he said.
The types of technologies being funded range from the germane to the bizarre. One company called Armour.io claims to protect company data. Another called Injector helps you generate and store strong passwords. Praesidio helps protect bankers on the Internet. Thunder Defense aims to block governments and hackers from monitoring you through your webcam.
Then there's Team8, a cybersecurity startup founded to help found other cybersecurity startups.
Making cyber lemonade out of security lemons
Hacking isn't new, but the attention paid to it is unprecedented. In 2014, The New York Times devoted more than 700 articles to discussing data breaches, up from 125 the year prior. Verizon, in its annual cybersecurity report released in April, concluded "data breach," had become part of the American public's psyche.
In the past year, it's happened to police departments, banks, schools, the Ukrainian military and even some email systems at the US State Department and White House.
And now it's terrifying corporate boardrooms.
Facing that threat is costly. Companies and governments worldwide are expected to spend $80 billion on hardware and software to protect themselves against cybersecurity attacks this year, up from $74 billion in the last year, according to information technology research firm Gartner.
"It's a big market growing faster," said Enrique Salem, managing director at Bain Capital Ventures.
Salem ought to know. He's the former CEO of Symantec, a massive antivirus company which, along with Norton and Kaspersky, became a household name for many PC owners over the past three decades. But today, according to Salem, antivirus software isn't enough. In fact, experts say that type of software is becoming irrelevant as hackers shift their focus to attack smartphones through wireless and cellular networks, instead of the old days when they targeted desktop computers connected to the Internet over telephone cords.
So, Salem is investing in companies like Attivo Networks and Evident.io, all of which help companies that are in danger or have already been hacked. What they offer helps to reduce the damage hackers may have already done.
Call it pessimistic or grim, but it's not unique.
Ajay Arora is one of the entrepreneurs who's benefiting. His company, Vera, markets itself as a kind of Snapchat for businesses, promising a way to delete a user's files, videos and images on demand.
When Arora was formulating his company's technology two years ago, potential corporate clients often directed him to their IT staff. Now he meets with top executives because, he said, they "are scared to death."
Venture capitalists are concerned this sudden attention for the cybersecurity industry could attract poorly conceived startups, the digital equivalents of snake oil salesmen peddling magical new technology that can't actually protect a company.
"Products don't lie, but PowerPoints do," said Ganesan of Menlo Ventures. "Unfortunately, right now, we're in the PowerPoint stage...Eventually, the dam will break."
But those concerns haven't stopped venture capital firms including Ganesan's from increasing the percentage of its investments allocated for security. Menlo predicts its current $400 million fund will allocate 20 percent toward cybersecurity, up from 5 percent in its last fund which began five years ago.
And Menlo Ventures isn't alone: Intel Capital, Accel Partners and Kleiner Perkins Caufield & Byers are actively betting on the sector. Each has invested in more than 15 cybersecurity startups, according to CB Insights.
Meanwhile, Battery Ventures has increased the number of cybersecurity-focused startups it backs from one company three years ago to four today.
Roger Lee, a general partner at Battery, says his investment strategy boils down to a basic assumption. "This notion that you haven't been breached is unreal."