
Security startups: What do CISOs need to know before being customers?

Being a customer of security startups comes with some risk. Expert Mike O. Villegas discusses this risk and how CISOs can dodge the potential issues.

There's been quite a bit of venture capital money flowing into cybersecurity startups over the last year, particularly in the cloud security market. But is there risk in relying too much on startups that could suddenly be out of business or acquired by another company? Should CISOs/CIOs have some sort of policy or guidelines to vet cybersecurity startups before becoming customers?

Cybersecurity Ventures published a list of the top 500 cybersecurity companies to watch in 2016, including cybersecurity companies with brand names that have been in existence for many years. Some of the companies are not as well known, but they all have one thing in common -- they began as startups. However, not all startups can land on this list.

Since 2010, venture capitalists have been willing to invest in cybersecurity startups, but recently, investors have started to move away from this market. Private investors put $4.6 billion into 229 cybersecurity firms in 2014 and 2015, and they are not seeing attractive returns on that investment.

Unfortunately, there is a risk to CISOs in relying on a security startup that could unexpectedly fold. But not all cybersecurity startups fall into that category. Let's look at some questions the CIO/CISO should consider before engaging with a startup for professional services or products.

  • Does the cybersecurity startup provide products or services the enterprise needs that are comparable to or better than those from more tenured competitors? This is almost rhetorical; otherwise, why would they even be considered?
  • How long has the startup been in business? A list of clients might be worth reviewing. What makes it difficult is when your enterprise is one of the first of the startup's clients.
  • Who are the principals/founders of the startup? The founders should be pundits, luminaries or seasoned experts in the field, though keep in mind that someone being an expert does not necessarily mean they can run a company.
  • Obtain company profile information about the startup. Who manages its operations? How is it structured? How many employees does it have? Where is it located?
  • What was the company's revenue last year? Sometimes this is difficult to obtain, especially if the startup is not a public company.
  • Has the company been independently assessed by a third party? If it is subject to the Payment Card Industry Data Security Standard (PCI DSS), have the company provide an Attestation of Compliance. An SSAE 16 SOC 2 report would also be helpful, but if the startup has not been independently reviewed, care should be taken before deciding whether or not to engage with it.
  • Does the startup have sufficient cyber insurance to cover the services provided? Legal should be involved in determining the right amount of insurance required.
  • The terms and conditions should include a bilateral limitation of liability clause, termination clause, right-to-audit clause, source code in escrow, service-level agreements and a non-disclosure agreement.
  • Ask for a reference. This means requesting a conference call with one of the startup's customers. Ask the reference questions related to service or product satisfaction, whether the cost is commensurate with the value of the service or product, and whether, if they had to do it all over again, they would still choose this startup.

Typically, cybersecurity startups are considered by enterprises because their products or services meet or exceed the sought-after features offered by brand-name companies, and the cost is often less than their competitors'. Some startups find a niche that sets them apart from others and so hope to grow quickly, return investment capital with higher yields and gain sufficient market share, with the intent of expanding or ultimately being acquired by a larger competitor. To avoid being left holding the bag, perform proper due diligence on a startup before you decide to work with it.

This was last published in August 2016