RSAC is well-known for the opportunity it affords companies to present themselves as innovators. These range from very early stage start-ups still engaged in proofs of concept to some of the largest corporations in the sector. Even government agencies get in on the innovation act: this year, for example, NSA made its Ghidra reverse-engineering toolkit available. We'll take a look at some of the programs devoted to showcasing innovation. They range from the more advanced start-ups in the Innovation Sandbox to the early-stage companies of the Launch Pad. We also watched some interesting pitches from international companies looking for an entrance into US markets.
From the Innovation Sandbox.
The 2019 edition of RSAC's Innovation Sandbox was held Monday, with ten of the security sector's most interesting start-ups on display. The field consisted of:
- Arkose Labs, which uses global telemetry and enforcement technology to prevent online fraud.
- Axonius, a cybersecurity asset management platform that provides a unified view of all devices within an organization's environment, including cloud, IoT, and BYOD assets.
- Capsule8, which offers a real-time, zero-day exploit detection platform for Linux production environments.
- CloudKnox Security, whose solution uses activity-based authorization to provide identity and privilege management for hybrid cloud environments.
- DisruptOps, which provides a cloud-native SaaS-based cloud management platform which automatically detects and fixes security, operational, and economic issues in cloud environments.
- Duality Technologies, whose SecurePlus™ platform uses high-performance homomorphic encryption to allow advanced computations and analytics on encrypted data.
- Eclypsium, which provides hardware and firmware protection that identifies and defends against device-level vulnerabilities.
- Salt Security, which provides real-time, behavior-based protection against logic-based API attacks.
- ShiftLeft, whose Ocular solution examines software artifacts to identify technical and business logic vulnerabilities, as well as detecting data leaks from source code.
- WireWheel, which is a cloud-based data privacy and protection platform to help organizations comply with privacy regulations like GDPR and CCPA.
Axonius was chosen as this year's winner. The company's CMO, Nathan Burke, represented Axionus on stage, and he characterized the problem they solve as "unsexy," or, as one of the selectors put it during questioning, "yesterday's problem." Unglamorous and all too familiar, but Burke nonetheless made a plea for addressing asset management, calling the challenge "a big, nagging problem that's only getting worse." It's a familiar CISO pain point, and Axionus seeks to approach it in a way that enables its customers to adopt its solution without replacing their existing investments in security tools. As the selection panel summed it up in their explanation of their choice, Axionus solves a problem that's been around for decades, and it's interesting because of the pain enterprise security managers experience from "never having a straight answer about their assets."
As he has for several years, Dr. Hugh Thompson emceed the proceedings. A preliminary discussion between Thompson and one of the judges, RSA veteran Niloofar Razi Howe, summarized the themes that drew the judges to the ten finalists: hybrid cloud, asset discovery, container security, API security, and privacy. That's as good a list of the high-profile topics that seem to be engaging participants at RSAC 2019 as any.
The criteria the judges applied during their deliberations came down to these. They looked at the problem a candidate company sought to solve, and for whom. They assessed the originality and soundness of the company's approach. They looked at its go-to-market strategy, and the company's probable impact and reach. The quality of the candidate's leadership team was an important aspect of the judges' evaluation. And, significantly, the judges looked at market validation.
Inaugural Launch Pad highlights three early-stage start-ups.
A follow-on program, RSAC's first Launch Pad for three innovative companies, was held late Tuesday. Emcee Hugh Thompson called it "an opportunity to see inside the start-up pitch room." Three early-stage companies each received five minutes to sell themselves to a panel of venture capitalists with extensive backgrounds in security sector investment: Enrique Salem, Ted Schlein, and Theresia Gouw. The event is expected to become a regular feature of the RSA Conference.
The three companies selected to pitch themselves were (listed here alphabetically) included NuID (which offers a "trustless identification solution based on blockchain technology and zero knowledge cryptography, a contribution to post-password authentication technology), Spherical Defence (which specializes in automated, unsupervised anomaly detection informed by machine learning, offering an alternative to web application firewalls and legacy API security tools), and Styra (next-generation authorization that promises security and compliance in the cloud stack that can simplify and enable faster development in Kubernetes).
The pitches were all fluent and attractive to at least one or more of the panelists. They were early-stage pitches, certainly pre-A Round, as Dr. Thompson explained to us in a conversation during the social hour that followed the event.
A US state is open for business (and Australia, Israel, the Netherlands, Spain, and Sweden have noticed).
That state would be Maryland, whose Department of Commerce convened a pitch competition Wednesday morning, in Venable's offices not far from the Moscone Center. Ten international start-ups pitched a panel of venture capitalists and other experts on investment in the security sector. At stake were preferential terms for tenancy at bwtech@UMBC, a start-up incubator in Baltimore County among whose specialties is providing a place from which young companies from outside the US can gain some perspective on US markets.
The companies who pitched were Alias Robotics (Spain), Baffin Bay Networks (Sweden), CryptoLoc Technology (Australia), CyberMerc (Australia), Cyber Observer (Israel), CyGov (Israel), Enigmedia (Spain), SecureStack (Australia), SightLabs (the Netherlands), and Votiro (Israel).
The panelists selected a winner and two runners-up. The third runner-up was Enigmedia, which provides privacy solutions based on a proprietary encryption system. Their principal interest in the market isn't, however, in protecting personal information, but rather in contributing to the security of industrial control systems, where they believe their low-latency solution has particular applicability. Placing second was CyberMerc, whose market is the under-served small and medium enterprise. They offer a mesh defense network, and their solution involves providing a hardware appliance to help smaller businesses achieve a "comprehensive, visual, real-time performance overview and critical security control analysis." And Votiro placed first. Its File Disarmer security solution is designed to allow "safe and free use of data," with particular protection against unknown threats.
The investment pitch, considered as a genre.
Considered as a genre, what are we to make of the investment pitch? It is, of course, a persuasive performance, designed to prompt a specific action--and investment--by the audience. It's not primarily informative (although it must be true), nor is it designed mainly to inspire or amuse (although those are certainly side benefits). Generally speaking the pitch frames a problem, presents a solution, and offers an opportunity. Taken as a group the pitches we heard at RSAC were generally fluent and well-rehearsed, and they tended to follow the rules of the genre. But some lessons for start-ups can be drawn from the performances.
The first is consideration of the audience. When the audience is composed of venture investors with experience in the security sector, it's important to frame the problem you've undertaken to solve, but it's worth doing so with due attention to the background knowledge you can presume that audience has. Many companies devoted more of their allotted time than was probably strictly necessary to convincing the audience that a particular problem was real. Unless the problem is novel or unusually obscure, this audience is likely to be aware of it. It is, however, important to frame the problem in a way that sets it up for treatment by your solution.
That solution will need to be explained. Some of the pitches, having described the problem, did little more than offer a bare description of the solution they were offering, and then asserted that the solution would indeed solve the problem. But more than assertion is needed: the investors will want to know how your solution in fact addresses the problem. More than once panelists had to pull that information out during questioning. And the investors will want some evidence. How do you know it works? Are there studies? Proofs of concept?
Differentiation in the market is important. It's unlikely in the extreme that any company, no matter how innovative, has no competitors, and it's vital to show how your solution is different from, and superior to, that competition. Claiming that you're better because of superior execution may be true, but it's difficult to make that claim credibly in a short investment pitch. Similarly with claims of having uniquely qualified personnel. Again, that may be true, but it's difficult in most cases to show this convincingly in a short briefing. In fairness to the start-ups doing the pitching, this seems to be driven by the VCs, who say they want to invest in people, in finding a great team, and so on. True, but an org-chart with photos is unlikely to succeed in making that case. Nor is the founder's personal story likely to make the difference in a five, ten, or fifteen minute presentation. There's time for that once you've attracted the investors' interest.
The pitches we heard were clearly well-rehearsed. There remain, however, technical aspects of presenting that are easily overlooked. Consider just one: speaking into a microphone. It's surprising how much trouble this causes people. They may gesture with a hand-held mic, or they may not understand that the podium mic they've been given is highly directional. Those who coach start-ups might consider the value someone with a background in technical theater might bring to rehearsal, someone who understands sound and lighting, and is sensitive to blocking the briefer's movement on stage.