Highly publicized cyberattacks have put cybersecurity on C-suite and boardroom agendas, but this good news for entrepreneurs in the space also brings challenges. Ted Schlein, general partner at the venture firm Kleiner Perkins Caufield & Byers and a veteran cybersecurity investor and practitioner, discussed the new industry landscape with Risk & Compliance Journal.
Are boards and C-suites really serious or merely giving lip service to cybersecurity?
Mr. Schlein: There absolutely has been a huge shift in the boardroom. I think the seminal event was the firing of the Target CEO because of a security breach. You now have boards asking the CEO, “How secure are we?” It’s a very hard question to answer, which is not very acceptable to boards. The trend you are going to see is that more security pros will end up on boards of directors, possibly on audit committees of boards. There will be some sort of cybersecurity report done as part of corporate hygiene.
What challenges does this shift present to entrepreneurs?
Mr. Schlein: How people look at the threat has changed dramatically and attention is being paid. I think that’s very good for the cybersecurity companies because you quickly find out if there is or is not going to be budget for your solution, instead of spending time with tire kickers down below. The challenge is in getting entrepreneurs to focus on their key message. What is the true problem they are going to try to solve and can they get above the noise level to be recognized as being best in world at solving that problem?
What is the biggest mistake among cybersecurity startups?
Mr. Schlein: Probably the single most common error is that they just don’t differentiate themselves, and don’t stand out. Why am I different, why is my team different, why do I uniquely solve this problem? Buyers are being bombarded by mainstream security companies and a lot of startup companies and there’s a lot of confusion. The mistake a lot of startups make is to add to the confusion rather than clarify.
How can they avoid that pitfall?
Mr. Schlein: In cybersecurity, the industry at the forefront of adoption is financial services. They have the largest budget and biggest perceived need, so getting early adopters among financial services companies, who will both buy and be references, gives you a leg up. Word of mouth among information security officers can be a huge benefit. Another thing you can do is get industry influencers to be associated with the company, whether somebody out of government or a very well-known chief security officer.
What industrial structure do you expect to see in cybersecurity in five years?
Mr. Schlein: I would say the entrenched establishment got sleepy, because they became dependent on a technology that outlived its usefulness: antivirus. I think you see the rise of a new establishment taking place, in Palo Alto Networks, Inc. and FireEye Inc., companies that recognize there is a shift in how to battle bad elements and tackle it with unique technology solutions. There’s good reason for consolidation. If you are a customer and can deal with one vendor you probably would opt to do that instead of piecing together multiple technologies from multiple vendors.
How does the changing security landscape affect the potential client companies?
Mr. Schlein: There is one major shift that people need to understand if they are on boards of companies or running companies. I firmly believe there are only two kinds of companies in the world, those who have been breached and know it and those that have been breached and don’t know it. Trying to prevent a breach is not sufficient. You need to move to a mentality of detect, contain and remediate. The average breach is inside a major company for 229 days before it is detected. How can you make that five minutes? It is a mental shift on how one looks at securing organizations.
I believe we are headed to a world of highly encrypted information. The innovation is going to be how you manage it. If you can encrypt the information, it won’t matter if bad guys steal it, because they can’t do anything with it.