Security innovation: Where will it come from next?

Silicon Valley, where I live and work, is the obvious answer as to where to find the most innovative security products.  Money flows up and down Sand Hill Road, showcase offices spring off of University, startups gather on either side of the 101 from San Jose to San Francisco, and deals are being made daily at coffee shops like Philz, RedRock, and Coupa (where a latte costs .007 bitcoin!).

When I started my innovative IPv6 company 10 years ago, I chose the DC area, as it had the one thing that Silicon Valley was missing back then--customers. Since I was there, great new incubators have taken off, like 1776 and Mach37, and there is strong governmental support for security startups across the region, as well as the remains of the AOL zillionaires to fund.

Austin has the Dell-ionares eco-system, and Israel has the Mossad mystique running full speed in support of their security startups. And Silicon 'fill-in-the-blank' cities have taken that (very outdated) moniker about as far as credibility will permit.

But this question is not about geography, and I've no interest in sparking an east-west gang cyberwar (though it would make a good reality show Thom Beers!). I've posed this question to discuss if startups are the best and only place to bring true security innovation to the market.

This question arose at a reception after a DHS tech transition council meeting at SRI (in the heart of Silicon Valley) last night (March 2015). Are startups, which are highly innovative in approach, truly meeting the needs of the great enterprises around the world? We'd just heard from major CISOs explaining how difficult and time-consuming it is to introduce new disruptive tech into his company. I know I've tried as a systems integrator to bring emerging tech companies into certain situations only to be challenged by the CISO with questions of their longevity, mission critical practices, real quals, and trustworthy future. I know may very strong technologies that will never get their chance to save the world due to these factors.

For years, security innovation rarely came from large established companies, due to the Innovators Dilemma, which Clayton Christensen described so well in his best selling book of the same name. The premise of protecting one's current customers and products, at the cost of innovation, was a very real thing back in the day. Companies that sell buggy whips are the last to embrace the internal combustion engine.

My belief (and I've just voted with my feet by just joining 129 year old Unisys Corp to head their security business, instead of a much shorter commute down the 101) is that big companies--if they truly embrace innovative practices--can be an important force in innovative security products by combining that new style with their existing substance of mission-critical people and practices, large IP portfolio, global scale, customer intimacy, routes to market, financial trustworthiness, and long-term outlook. It was that IP portfolio, strong talent team, and integrated routes to market, that were worth more than an A, B, and C round combined. Sure there are different sets of challenges at a big company, which is why this approach isn't for everyone, but being able to take a long term approach to earn trust with a company over years is a great luxury few VC's allow a startup. In the end, there must be balance.

I believe not that there is room for everybody, as most new products never see the light of a major deployment, but there should be input from both camps. Many people in the security business today are in it for all the right reasons-- we want to do good and help save the world. As it happens, if you do that you'll probably make a buck or two for you and your stakeholders, but the 'do good' part is clearly what gets us out of bed every morning.

Working together, whether through ISACs, with law enforcement, incubators, or groups like SI/Net, advanced innovative security products can and must emerge that have the trust and confidence of enterprises around the world.

Join the CSO newsletter!

Error: Please check your email address.

Tags DellsecuritySecurity Leadership

More about AOLDell

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tom Patterson

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place