#Infosec2025: Startups Focus on Visibility and Governance, not AI – Infosecurity Magazine


Startups and fast-growing security vendors are avoiding labelling their products as using AI, as they look to attract both enterprise customers and investors.

Instead, newly founded businesses are focusing on filling gaps in CISOs’ existing security measures. These include giving security teams better insights into their operations; governance, risk and compliance (GRC); and attack surface management (ASM).

Startups are also identifying areas where CISOs can save money on their security budgets and reduce the number of tools they use, as well as areas to improve security response times.

“We talk about automation, not AI,” Matt Conlon, CEO of ASM company Cytidel, told Infosecurity.

“A lot of companies are talking about putting AI into their platforms. But we are using it for a specific use case.”

For Cytidel, this use case is helping organizations deal with the increasing speed of cyber-attacks, but to do so by making better use of the infrastructure and data they already have.

“Hackers are going from 30 days to exploit to 24 hours. You need the latest data right now, you can’t wait,” explained Conlon.

According to Conlon, the focus has to be on value and bringing new technology into play quickly.

“A lot of tools are rip and replace,” Conlon said.

Cytidel focuses instead on working with existing tooling, threat intelligence and data feeds.

RMI Cyber is another company working on ASM. According to Simon Woods, CEO, the vendor provides discovery and mapping, threat intelligence, vulnerability scanning and handling of the human issues around cybersecurity.

The idea is to chain these together, enabling customers’ security teams to take the right actions in the face of an attack.

“What people are interested in is being able to make intelligent decisions,” explained Woods.

CISOs also want ASM tools that work across all their assets, rather than just focusing on one part of their operations.

Nagomi Cyber also works in the security data field, describing itself as a threat exposure management vendor. Their goal is to help security teams drive better value from the tools they already have.

“Seventy percent of breaches could be avoided by customers using the tools they already had in place. It’s effective security with what you have,” says sales engineer Nick Colman.

“A lot of organizations are trying to understand the effectiveness of their security programs. We try to answer that automatically.” 

Improving visibility around risk and making better use of security data feeds was just one focus area for new vendors, however.

Other startups at Infosecurity Europe included Commugen, which uses a no-code approach for GRC automation, Datambit, which uses machine learning to detect deepfakes in audio, video and images, and Astrix, which focuses on securing non-human identities such as APIs and service keys.


Disruptive Competition

Startup vendors face stiff competition from the established market, as well as a reluctance from more risk-averse CISOs to invest in new vendors’ technologies.

As Dr Andrea Isoni, chief AI officer at AI Technologies, explains, startups’ technology has to outperform that of established vendors, and not just by a small margin.

“The way to diminish the risk for a CISO is for the results from tests to be way better than other vendors,” Isoni said.

“Then you have proof.”

Usually, established firms will have the edge when it comes to providing security tooling and services to enterprises, according to Howard Holton, COO and CTO at analyst firm GigaOm.

“Traditional vendors are clear leaders for large enterprises,” he explained.

These organizations have complex, legacy systems with massive distribution and too many stakeholders to count. This makes them ideal for large platform vendors that can handle large swaths of the technology need, including cybersecurity.

“For smaller companies, or those with tighter, modern stacks, startups can offer more pointed solutions that are disruptive to the status quo,” Holton argued.

At the same time, established vendors can be slow to adapt to the new ways technology is being used, and even to new threats.

Peter Garraghan is CEO at Mindgard, a company spun out of research at Lancaster University. It provides red team services targeted at AI applications.

“In security, it’s easy to conflate maturity with capability. But the truth is many large vendors are slow to adapt, constrained by legacy platforms and customer demands,” he told Infosecurity.

“What customers get from startups is precision, speed and solutions born from solving the hard problems directly.”

Additionally, there can be commercial benefits from taking a risk on a startup, suggests Rory Duncan at analysts Richmond Advisory Group.

“The market is developing so quickly that there is a decent chance that a startup may have developed something unique and special that could become a market-leading solution,” Duncan said.

“Getting in early usually means preferential or ‘early bird’ pricing, often free or as a discounted proof of concept. Startups are also much more open to feature or function input and integration or compatibility requests.”

However, this might not work in areas such as highly regulated industries, where new software may not yet meet certification requirements.


