Bits, Bytes, & Barriers: A Start-up’s Blueprint to Stand Out in Digital Defense

The current state of technology worldwide has made cybersecurity solutions a necessity over the past decade rather than a mere optional value addition. This necessity applies to not just larger organizations managing trust for millions of users but also small startups storing personally identifiable information of their user base.

Technology shifts, such as the internet, the smartphone, cloud computing, and now AI, have led to an increasing span of cyber attacks across different cyber assets. At the same time, these shifts provide opportunities for tech entrepreneurs to push the limit and build groundbreaking security solutions. To understand the upcoming trends in enterprise cybersecurity software, let us first look at how the industry evolved. 

The cybersecurity industry is almost half a century in the making

The commercial cybersecurity industry has been growing rapidly for almost half a century and shows no sign of slowing down. On the ARPANET, a predecessor of the Internet, the “Creeper” was the earliest rendition of a computer virus, operating independently of human control. Thankfully, the “Reaper”, the earliest version of an anti-malware program, created by the inventor of email, eliminated the Creeper.

While both B2C and B2B cybersecurity software were blooming during the 80s, the most powerful security systems were in the hands of the government, responsible for protecting both the software and hardware of the emerging enterprises of the 20th century.

The internet, the cloud, and the smartphone are the three tectonic shifts that forever changed the face of entrepreneurship around cybersecurity. The rising access of the general public to the internet after its onset in the 90s paved the way for cyber attackers to penetrate systems that seemed a distant dream before. With government systems unable to cope with the rising frequency of attacks, entrepreneurs coming out from the recently established big techs found an opportunity to create an industry.

Bottom-up thinking led to the creation of consumer-grade antivirus and antimalware software. However, this approach of creating single-dimensional products for both consumers and enterprises proved detrimental. Cyber attackers evolved, and their tech evolved with them. No matter how antivirus software was updated, attackers always seemed to be one step ahead.

Inefficiencies in on-premise models laid the foundation for cloud computing in the early 2000s. The digitization of businesses created the need for shared computational resources and reduced complexities.

While legacy antivirus players profited, some nifty technocrats noted the need to ringfence enterprise systems. One such company, Palo Alto Networks, launched a highly intelligent “enterprise firewall” as their first product. Riding the wave of cloud computing, it became a catalyst for migrating legacy on-prem infrastructure to cloud platforms, providing trust and security for digital assets. Today, Palo Alto Networks is the largest cybersecurity company in the world.

When smartphones became popular amidst the world’s largest recession, interactions between end-users and enterprise applications on the cloud became mainstream. Companies needed a way to open their applications to potential customers without compromising security. This paved the way for Okta, an identity and access management company, to build products enabling security between the application and the user, such as single sign-on and multi-factor authentication.

Constant innovation and the creation of large companies in this field have made cybersecurity a playground for the next generation of entrepreneurs.

Security has become a must-have for all organizations

Over the past decade, the importance of security has evolved from being a less emphasized requirement to becoming a crucial priority for both enterprises and organizations. This shift has been propelled by several factors, including the widespread adoption of external software and applications, the growing volume of data usage within enterprise and mid-market companies, and the digital transformation of the employee lifecycle. As a result, cyber-attacks and data breaches are no longer just technology concerns but also significant business risks.

Furthermore, regulatory constraints and increased awareness among end consumers have heightened the demand for more effective cybersecurity solutions and products. Cybersecurity startups have experienced a substantial surge, with numerous entrepreneurs launching innovative solutions. Investors have recognized the potential in this sector, making enterprise security SaaS a prominent focus for investment.

Security holds varying levels of importance for different roles within an organization. The following summarises how diverse user personas approach and view different products in this context.

Going downward in the organizational hierarchy of security personnel, from CISOs to data engineers, translates to decreasing contract values. The go-to-market strategy also transitions from a pure-play sales-based approach driven by an executive network to a product-led open-source approach, building credibility around a nifty product.

Consequently, an expanding market drives further innovation in this space

Security in the digital realm is of utmost importance for specific industries, while it lurks as an implicit necessity for others. These sectors encompass a wide spectrum, including banking and financial services, information technology, manufacturing, healthcare, retail, government, telecommunications, media, entertainment, energy, utilities, and defence.

Enterprise cybersecurity software’s Total Addressable Market (TAM) quantifies organisations’ cumulative investment within these prioritized verticals to fortify their digital defenses.

By adopting a top-down approach, one can gauge the TAM to be approximately USD 350 billion, representing a colossal and steadily expanding opportunity for enterprises.

Intriguingly, the cybersecurity market is far from homogenous; instead, it is highly fragmented, with a substantial portion of cybersecurity resources allocated towards in-house product development or the engagement of external experts.

Surprisingly, the collective revenues generated by the top 8 cybersecurity firms merely scratch the surface of the global cybersecurity spending pie. Given the vastness and fragmentation of this market landscape, cybersecurity presents an alluring domain for entrepreneurs seeking to embark on new ventures and craft innovative solutions.

Nonetheless, considering that cybersecurity revolves around a singular objective with numerous avenues of approach, it becomes an arduous challenge for emerging companies to carve out a distinct competitive advantage or a clear path to success within this industry.

Cybersecurity entrepreneurs have to be creative to capitalize on this opportunity

After evaluating over 100 cybersecurity startups in India and the US, we’ve realised that the only way a new startup can capture the cybersecurity market significantly and differentiate itself is via moats that catalyse trust with security teams. There are four such moats:

Cross-sell motion

Established cybersecurity stalwarts initiated their journey by crafting a select few products, gradually amassing an initial clientele of enterprises. Over time, they expanded their product portfolio, strategically offering new solutions to their existing client base, bolstering their Average Contract Value (ACV).

The allure of a comprehensive, all-encompassing cybersecurity solution lies in its ability to create customer loyalty, shifting an organization’s focus away from security concerns and towards other revenue-generating endeavours.

Many startups in this domain have embraced a similar trajectory, leveraging this approach to achieve substantial growth and significantly elevate the barriers to client switching. Notable examples include companies like Palo Alto Networks and Fortinet. Conversely, a few well-established enterprises like Akamai have augmented their ACV by incorporating cybersecurity offerings into their pre-existing suite of synergistic services, such as content delivery and cloud operations.

Since many of these comprehensive solutions have already attained a full-stack status, the landscape has become increasingly challenging for newer startups seeking to replicate this level of diversity and scale.

Distribution and Domain Expertise

Another prevalent approach to achieving scalability entails developing case studies within specialized domains, building a reputation for domain-specific expertise, and securing additional clients within that niche. A notable illustration of this strategy is exemplified by Leidos, a comprehensive engineering platform that has cultivated a deep well of knowledge and proficiency in specific sectors, such as defence. Leidos collaborates closely with defence firms and government entities to safeguard their digital assets.

Similarly, many versatile cybersecurity solutions have meticulously crafted robust security offerings tailored to the unique demands of critical verticals, including fintech, healthcare, and retail. This has restricted the manoeuvring space for emerging startups aspiring to scale through this method, as the landscape in these domains is already well-saturated with established expertise and solutions.

Ease of Use

Given the inherently technical nature of cybersecurity products, their utilization often proves challenging for individuals lacking specialized cybersecurity training. This creates a notable opportunity for startups offering products and tools with ease of use, straightforward deployment, and comprehensibility.

One striking example of this competitive advantage can be found in Okta, a company that honed its focus on a specific category – identity and access management (IAM) – and developed products renowned for their user-friendliness. This strategic emphasis on usability propelled Okta to attain widespread adoption within the IAM sector.

Similar arguments hold for companies like Drata and Vanta in Governance, Risk Management, and Compliance (GRC) products. These firms have elevated their Average Contract Value (ACV) by delivering an exceptional user experience through automating compliance processes for standards like SOC2, ISO27001, HIPAA, etc. Their success is underpinned by a commitment to simplicity and usability, setting them apart in the competitive landscape.

Integrations

Another pivotal factor that contributed to Okta’s success was its extensive array of integrations with SaaS applications. By offering organizations the ability to bolster security on widely used enterprise applications seamlessly, Okta enhanced user experiences and established a compelling acquisition incentive.

In a landscape where the utilization of SaaS applications continues to surge, the prospect of offering such integrations emerges as a potent mechanism for newer companies to attract and retain customers, potentially becoming a synergistic driver for their growth and success.

AI will increase the efficacy of identity protection and cloud security software

The objective of bad actors in cybersecurity has shifted from spreading malware and breaking systems to entering systems in stealth and getting access. Over 70% of adversary activity was identified as malware-free in 2022 compared to 40% in 2019, indicating a move beyond malware to get initial access and persist.

Access brokerage has taken off over the last two years. All of these are indications of increasing interest in and propensity for identity attacks. Identity and Access Management continues to remain a top priority for organizations. While tools in this space have undergone significant and rapid technology transitions, Artificial Intelligence is the key to creating foolproof privileged access and identity management systems.

With the ability to find patterns in data quickly and efficiently, AI will enable accurate and real-time detection of threats with far fewer false positives. AI-based security tools serve as an opportunity for upcoming entrepreneurs to redefine legacy cybersecurity tools by building smarter tools capable of making adaptive decisions to eliminate live and new threats based on threat data collected over the last two decades.

AI can significantly improve identity protection with the ability to model the digital behavior and intent of every employee within an organization as well as every customer of a company. Penetration testing becomes robust, and strategic decision-making by CISOs becomes much more informed with AI-driven simulations of social engineering attacks. With data and cloud becoming the most critical digital assets in an AI-first world, startups building unique data and cloud security solutions have great potential to scale globally.


The persona of founders building cybersecurity tools has also been changing consistently. Unlike at the beginning of the millennium, when cybersecurity tools could be built only by industry veterans who had strong relationships with clients, understood the space, and had access to enormous datasets, the coming decade presents an opportunity for young and highly talented entrepreneurs to leave their mark in the security industry.

While enterprise sales will remain the preferred go-to-market strategy for most experienced founders, the increasing acceptance of open-source security software will allow founders right out of college to pursue product-led growth for their security tools and build credibility. Trust is key within the cybersecurity ecosystem, and an open-source strategy allows you to create that trust through strong evangelizers in the tech community, even without any prior experience to show your credibility.

Redefining Finance: Insights from Global Fintech Fest, India

The Indian financial services sector has seen massive innovation in the last decade. The country has also witnessed an unprecedented creation of public infrastructure and financial rails to allow scale & inclusivity. The industry seems to have reached a point where collaboration is likely to supersede disruption, and this sentiment could not have been more visible at the Global Fintech Fest (GFF) last week.

A massive shout-out to GFF organizers for putting together one of the most significant events of its kind in India, and for bringing together 50K delegates spanning industry leaders, policymakers, entrepreneurs, investors, ecosystem enablers, financial entities, and regulators.

Venture Highway’s portfolio had a great showing as well, with our companies like Cheq, Gripinvest, Fam launching innovative products & sharing market insights.

In this brief article, we capture some of the top learnings and key insights from the various conversations and sessions during the event. 

General Learnings:

  • Fin-techs not looking to ‘disrupt’ incumbents anymore. The name of the game is ‘collaboration’ with BFSI, with each party focusing on what they do well
    • Collaboration is more seamless & organic in B2B (selling to BFSI). Alignment on business policies etc., can take longer in B2C
  • Embracing regulation is key. Companies should anticipate potential regulations in their respective verticals & boost their systems beforehand
    • BFSI / large platforms more likely to partner with such companies
    • Regulators taking an early view, as a sector is on the verge of breaking out, can set that vertical up for success & growth in the long term. Case in point: P2P
  • ONDC – Open & accessible commerce for everyone
    • Published standard guidelines for all, along with a collective feedback mechanism, to build trust
    • One platform for all needs, instead of different apps for different use cases
    • Meant to empower SMEs & give them a level playing field
    • Execution is tricky, along with some structural challenges. Time will tell whether this becomes the next UPI moment or the next Aadhaar moment for India
  • Indian start-up ecosystem could be insulated from global downturns (like public markets, to an extent) when late stage capital (Series B to D) starts coming from Indian corporates & family offices
  • Acceptance of tech in Tier 2+ on the rise:
    • A bank app / tech is perceived to be more secure than say an ecom app
    • In the next 10 years, every family in India will have at least one member who can access, understand and transact via tech
    • Banking needs to be built for Bharat, in partnership with B2B fin-techs
    • Vernacular needs a big push

Payments:

  • Push towards proprietary payment stacks (UPI, Rupay, etc.) to continue, with the intention of taking it global. Expect many fin-techs to start building on top of this infrastructure (e.g. credit on UPI)
  • Core transactions in payments are only a hook to retain customers & deliver a smooth experience. Real revenue to come from bundling, adjacencies & deeper integrations. Many suites are likely to be built for merchants / B2B to monetize customers
  • Monetization for UPI transactions continues to be an active debate. ~90%+ such transactions are driven by fin-techs, with negligible revenue. It remains to be seen whether the regulators will enable a revenue model here

Lending:

  • Digital credit has been driven by digital payment infrastructure. Future growth avenues for digital credit:
    • Penetration to Tier 2+ geographies via vernacular solutions & ‘phygital’ models
    • Voice commands
    • Interoperable KYCs for faster payments
  • Maximum monetisation still coming from credit, hence founders are migrating towards it & looking to build innovative hooks
  • Credit on UPI
    • Trying to capitalize on existing & wide-spread user-behavior of transacting via UPI
    • Opportunity to expand credit users from existing ~30M to the entire UPI base of ~300M. Likely to enable micro-credit across demographics
    • Built on the Rupay network, will further boost the penetration of India’s proprietary payment stack
    • Key questions:
      • How to underwrite the UPI users, across demographics, in real-time?
      • Those who are eligible for credit, would they not utilize other existing channels?
      • What would the collection infrastructure look like?
      • Would everyone jump in the fray, like existing UPI apps, BNPL players, stand-alone credit on UPI players etc?
    • View from Axis CMD (one of the pioneers in credit on UPI partnerships): Cautiously optimistic

Insure-tech:

  • ABHA ID (unique health ID for all) is touted to be the next game changer in health & insurance. Will connect insurers, healthcare facilities & customers via one switch
  • Radical changes being brought in by IRDA. Target is ‘insurance for all by 2047’. Insurance 2.0:
    • More dynamic, proactive, responsive & tech-led
    • Continuous underwriting & seamless experience
    • Personalized offerings. Sachet / bite-sized products
    • DIY / self-serve products to cater to young millennials
    • Re-imagined retirement plans for non-millennial cohorts living for longer
    • Real time data to provide instant claims. No need to file or wait for settlement
    • Need more insurers (than the existing 70), more products, more distribution partners & more tech
    • Customize for exhaustive needs of MSMEs
    • Adapt to new risks – climate change, pandemic, cyber threats

Wealth-tech:

  • Lever to grow is simplicity, democratization & passive investing
  • Need to reduce cognitive overload in investment decision making
  • Can’t operate in regulatory gray areas. Most sub-verticals likely to come under regulatory purview soon

Closing thoughts:

We couldn’t conclude more aptly than how Vijay Shekhar Sharma put it: ‘For the next 10 years, financial services and EV ecosystem are the most attractive sectors to build in.’
