Startups are volatile and doing business with them comes with a degree of risk. Some may not know what they're doing, and some might not be around for long. They usually don't have the breadth of features and services established vendors tend to offer.
But there are benefits to working with a startup that can offset the risks, and savvy data center operators shouldn't ignore new kids on the block.
For one, startups don't have to contend with legacy architectures or cost structures. They can offer products and services that are more innovative than those from incumbents, and they can sell them for less.
Agility is especially important in cybersecurity. By virtue of being smaller and less laden with bureaucracy, security startups can react faster to changes in the threat landscape.
And, because they only have a few customers, they can pay a lot of attention to those customers – including incorporating customers’ requirements into the core of their products or services.
The Weight of Legacy
People who start new companies aren't necessarily smarter than those who work at the big vendors. Given how much money the big players can afford to spend on salaries, the brain-power advantage is probably on the side of the giants.
Plus, despite what pop culture may lead you to believe, very few startups actually have unique, groundbreaking tech that no-one else has or cannot copy.
"It is rare that a new idea or technology is developed in isolation or singularly," said Ross Rustici, senior director at Cybereason Inc.
But, for reasons mentioned above (no legacy platforms or bureaucratic red tape) startups are often better positioned to take advantage of the new ideas that do bubble up.
"Rapid change in an industry, or a radical departure from the existing technology almost always leaves established vendors on their back foot and trying to approximate a solution that fits with what they currently offer rather than pivoting and embracing the change," Rustici said.
For example, established intrusion-detection vendors make their money from selling appliances, which, according to John Viega, CEO at Capsule8, are getting less and less effective.
They’re also not a good fit for cloud and hybrid environments, he said. "The entire appliance regime needs to be replaced with stuff that works better."
This particular problem with legacy intrusion detection solutions provides an opening for startups, many of whom are tackling it with both cloud-based services and on-premises software.
Capsule8 is a startup of the latter kind. It launched its on-prem security software product this spring at the RSA conference.
Not Just a Little – a Lot Better
It’s not enough for a startup to be a little better – it has to be dramatically different just to get attention in a crowded market. That goes double for security startups.
Given the risks involved, why would anyone buy a product from a startup with an uncertain future rather than from an established, trusted vendor if the startup’s product is only somewhat better?
A strong cybersecurity startup doesn’t attempt to build a better firewall or better anti-malware software, Brian Contos, CISO at Verodin, said. "They strive to do something actually different, building solutions for problems that haven’t been solved yet. This is truly innovative and is rarely seen in established vendors, as they tend to focus on driving greater revenue from existing solutions."
Disruptive Business Models
Another big-vendor weakness some security startups are exploiting is the big vendors’ tendency to charge clients based on volume. They often look for ways to get more money out of existing customers and don’t lower prices unless they absolutely have to.
If a big security vendor’s client sees a problem that suddenly gets very large – a DDoS attack, for example, or fast-spreading malware – the cost to handle it can quickly go through the roof.
Not only are they expensive, large-scale attacks can overwhelm some legacy products. "Some vendor solutions actually stop working when limits are hit," Clayton Dukes, CEO at LogZilla, said. LogZilla is a startup whose technology helps companies deal with sudden spikes in attacks.
Since they're not tied to old business models, startups can provide services in new ways, which allow them to lower costs dramatically.
"Newer and smaller vendors are offering alternatives to help increase scale during breaches, hacks, or any data storm, allowing any size enterprise to increase security operations agility without delay, further costs, infrastructure requirements, or complex installations," Dukes said.
To be sure, a startup won’t always offer a better price or greater scalability just by virtue of being a startup. There’s a lot to be said for both the economies of scale and scale of the infrastructure a large vendor can leverage.
That kind of scale, however, can be a security threat in and of itself, Michael Landewe, VP of business development at the cloud security company Avanan, said.
If every company uses a particular security product and hackers discover a flaw in it, everyone is vulnerable. Hackers often test their malware against the biggest antivirus platforms first, for example.
It’s worth mentioning that startup-versus-incumbent doesn’t have to be an either-or decision. Sometimes, it pays to have both. "We might find a new startup that might only catch 10 percent of malware, while the old companies catch 90 percent,” Landewe said. “But, if the new company catches the 10 percent that the old ones don’t, the combination of the two is better."
Hackers move fast. A new exploit is discovered, and malware attacks begin almost instantaneously.
Startups are often better positioned than big companies to respond to new kinds of threats that don’t fit into established categories. New IT architectures and new business models – such as social media or cloud infrastructure services – birth new types of vulnerabilities.
Though they’re catching up now, established vendors were slow to address cloud security, Reuven Harrison, CTO at Tufin, a Boston-based security company, said. But there’s now a whole new way to architect applications, and security startups are ahead of market incumbents, according to him. "Startups today offer solutions for securing containers and microservices platforms, which the established vendors still don't provide."
Or, take vulnerability management vendors. Established players, who built their platforms a decade ago, focused on unpatched servers. Those platforms weren’t built to address the breadth of asset types companies are dealing with today, such as cloud, employees’ personal devices connected to corporate networks (BYOD, or “bring your own device”), and the Internet of Things.
Balbix, which launched just a year ago, uses more than 20 machine-learning algorithms to assess risk across more than 200 attack vectors, Mark Weiner, the company's chief marketing officer, said. Many of them didn't exist when the established vendors were founded.
Like visiting a mom-and-pop store on Main Street versus a Walmart, a client typically gets more individual attention from a startup than they do from a big vendor.
"A startup, for better or for worse, will feel the impact every time a customer is lost or left unsatisfied," Troy Kent, threat researcher at Sunnyvale, California-based Awake Security, said. "If you are a customer of a startup, it’s likely that if you’re unsatisfied, the company is going to do whatever it takes to change your mind or win a bake-off."
A client can also have a lot of say in the startup’s technology roadmap.
For example, in its startup days, security vendor BeyondTrust would build new features customers requested almost on-demand. "When we were a startup, many of these items where coded as patches just to meet the request – immediately," Morey Haber, the company’s CTO, said.
Today, the company is considered an established mid-size vendor and customer feature requests are deployed as part of a schedule set out by its Agile development process. That means a request may or may not be included in the next one or two product cycles, Haber said.
Customers that got onboard early usually have more power over the solutions they get from the startup. That’s especially true for smaller clients.
If your company isn’t a household name a big vendor can drop in its marketing materials but has unique challenges that need special attention, good luck getting that level of support from the largest vendors.
You’ll get a more attentive set of ears from a new company clawing its way into the market, and that alone might be worth the risk.