These are tricky times for enterprise security start-ups.
Breaking into this vast and diverse technology market means more than just having a good product; newcomers need to bring revolutionary technology, an elegant resolution to a vexing problem, an offering that integrates unusually well with the world around it - something to distinguish it from the crowd. At the same time, security is such a strategic issue for enterprises that few are willing to put their money behind a young company that doesn't already have a few Fortune 500 entries on its customer list.
"In security, you want to be the best. There aren't many customers out there that will brag they have the second-best security solution," says Mark Levine, managing director with Core Capital in Washington, D.C.
Security start-ups also are challenged by the existence of a few behemoths - including Symantec, McAfee and Trend Micro - that dominate the market and often eclipse best-of-breed, point solutions with the promise of one-stop shopping for multiple security needs.
In addition to start-ups with revolutionary technology, some young companies are turning heads because security is at the heart of their products even though the function of the products is to perform something unrelated.
"We didn't view this as an investment in a security start-up but in unstructured data management; the fact that the company does encryption was a byproduct," says Craig Gomulka, a director with Draper Triangle Ventures in Pittsburgh, which invested in BitArmor. "But the encryption is the enabling technology; without that base you wouldn't be able to do this."
Below are 10 security companies we think are worth watching. Some are new to the market, others have reinvented themselves recently, still others are just beginning to make their mark on the corporate mind-set. All of them are worth keeping an eye on.
CEO: Patrick McGregor, who held a technical position at Hewlett Packard Laboratories
Funding: $5 million from Draper Triangle Ventures and Clearwater Capital Partners
What the company offers: BitArmor Security Suite, software that lets IT protect and manage the life cycle of stored data. The product eliminates the need for public key infrastructure-based key management through a proprietary, automated approach.
Why the company is worth watching: In addition to encrypting data, BitArmor lets administrators create policies for data storage and retention. Policy management is a growing issue with encrypted data.
How the company got its start: Co-founders Patrick McGregor and Matthew White were undergraduate students together at Carnegie Mellon University and continued postgraduate research on what eventually became the BitArmor Security Suite.
Where the company got its name: After discovering that companies already had taken nearly every name of a Roman or Greek god, the founders focused on a name that describes the product's function.
Who uses it: The product began shipping in September. The company has not released customer names yet.
CEO: Ralph Scobie, former CEO of PCS Wireless
Funding: Not disclosed
What the company offers: Unomi, a risk-management software service for cognitive authentication: the process of evaluating user behavior during the online authentication process by tracking input-device responses to various questions.
Why the company is worth watching: With Unomi, Cogneto is seeking to use academic research on cognitive psychology, behavioral biometrics and online behavior for a real-time analysis of risk based on a score of 1 to 100.
How the company got its start: Cogneto's Chief Scientist Martin Renaud believed the cognitive psychology research of Barry Po, a computer science professor at the University of British Columbia who is Cogneto's director of user experience, could be developed into a risk-management product for government and industry to authenticate users online.
Where the company got its name: Cogneto is derived from the word "cognition."
Who uses it: Unomi is set to be released this month.
CEO: Clovis Najm, whose previous experience includes sales and marketing positions at CryptoCard
Headquarters: Owings, Md.
Funding: $150,000 from the U.S. Navy and the state of Maryland, plus an undisclosed amount of private funding
What the company offers: The Mobio handheld device supports multiple strong authentication methods, including encryption-generated one-time passwords, VPN methods, a fingerprint scanner that can convert this biometric into a biocode number, plus a wireless-based door reader for physical access. The Cryptolex Universal ID System has a back-end software library for building an authentication server on Unix-, Linux- or Windows-based computers. Specialized applications bundled with the product allow for Cryptolex-based authentication on PDAs and laptops, network access, and physical-access control.
Why the company is worth watching: Combining support for multiple strong authentication types in a small handheld device would be convenient at companies and government agencies with highly mobile users.
How the company got its start: The U.S. Navy and the state of Maryland funded research to come up with a mobile authentication device.
Where the company got its name: "Crypto," because RSA-based encryption is an underlying technology for it, and "lex" stands for "lexicon."
Who uses it: The U.S. Navy is testing it.
CEO: Rich Person, former chairman and CEO of Poindexter Systems
Headquarters: Newburyport, Mass.
Funding: Not disclosed
What the company offers: Antispam, antivirus and denial-of-service protection software at the mail-server and gateway levels, whose unique technology catches the malformed e-mails where viruses hide. This gives customers a new approach to zero-day protection.
Why the company is worth watching: Not as much a start-up as a reinvented company, Declude was founded six years ago but has tapped just 2% of the market because its original e-mail security product was designed to work only with IMail and SmarterMail mail servers. In September the company released Declude Interceptor, a version that sits at the gateway, thus opening up the potential user base substantially.
How the company got its start: Scott Perry, an e-mail administrator, was looking for an effective e-mail security solution, so he built his own, shared it with friends and colleagues, and then started the company.
Where the company got its name: The name Declude has its roots in the words deduce, include and exclude.
Who uses it: Customers of its IMail products include AAA, the Boston Celtics, JVC, Korean Air and Sheraton.
CEO: Bob Bales, founder of PestPatrol, the antispyware software company acquired by CA in 2004
Headquarters: Marietta, Ga.
Funding: Undisclosed amount of seed capital from angel investors
What the company offers: SocketShield, desktop software for scanning network streams and intercepting and blocking exploit attack code against desktop machines, such as drive-by downloads.
Why the company is worth watching: SocketShield focuses on real-time protection against exploits, crimeware and other zero-day threats to prevent vulnerability-targeting malware from being installed on unpatched PCs. An exploit is a bit of code that's used to force another bit of code (usually with a malicious intent) to run.
How the company got its start: In researching attack code launched against unpatched systems, CTO Roger Thompson became convinced that nearly all of the code was handwritten in assembly, not produced by a compiler, and therefore could be identified through signatures.
Where the company got its name: Its sole focus is on exploit prevention.
Who uses it: Initially available only to consumers, it later will be distributed to the corporate market.
CEO: Tony Fascenda, former executive with a number of wireless companies, including Aether Systems
Headquarters: Bethesda, Md.
Funding: Privately held
What the company offers: VPN client on a USB token. KoolSpan's SecureEdge tokens set up a Layer 2 VPN that uses two-factor authentication and per-packet encryption keying, both extremely secure methods.
Why the company is worth watching: SecureEdge eliminates the problem of installing and maintaining client software on remote PCs by supplying all the software needed within the token itself. Plus, it automatically provides two-factor authentication, something that generally requires a separate infrastructure.
How the company got its start: Fascenda and two co-workers from Aether broke away to create SecureEdge.
Where the company got its name: With some help from his daughter, Fascenda came up with a name based on the cool factor behind the product's innovation and the wide span of applications that could take advantage of it.
Who uses it: Customers include Sandia National Laboratories.
CEO: Joel Bomgaars, former engineer at Business Communications
Headquarters: Ridgeland, Miss.
Funding: $7 million from Southern Farm Bureau Life Insurance and GulfSouth Capital
What the company offers: Secure remote control of PCs and servers; the only remote control appliance that enables help desk sessions and collaboration.
Why the company is worth watching: The company started with a simple mission - to speed up resolution of help desk calls - and has made the process more secure by putting all the technology in the customer's hands, not the service provider's. Also, it uses no client software, so the remote machine cannot be taken over via NetworkStreaming's SupportDesk platform unless the user initiates a session.
How the company got its start: Bomgaars was looking for a way to eliminate his having to drive for hours through the Mississippi heat to support his help desk customers, and so invented the platform.
Where the company got its name: The founders were looking for a name that implied the connection of computer to computer.
Who uses it: Customers include Electronic Data Systems, Hilton Hotels, Humana, Panasonic, Texas A&M University and the U.S. Navy.
CEO: Co-founder Ken Steinberg, who formerly held senior positions at Digital Equipment, Hughes, Hitachi and the John Von Neumann Super Computing Center for the National Science Foundation
Funding: Not disclosed
Headquarters: Nashua, N.H.
What the company offers: Software for Windows and Linux servers and desktops to protect against malware by taking a cryptographic-based snapshot of applications so that unauthorized changes can't be made.
Why the company is worth watching: The approach could play a role in containing and mitigating the spread of malware infestations.
How the company got its start: Steinberg says he saw a basis for protecting software from malware with the so-called "sliding acoustical" signature he created for taking a digital fingerprint of a user's application.
Where the company got its name: "Savant" means a learned person or scholar.
Who uses the product: Connecticut River Bank, Neueon
CEO: Joseph Collins, who previously founded his own company, Griffon Energy, which bought and sold gas stations
Headquarters: New York
Funding: An undisclosed amount of seed funding from Aegis Holdings
What the company offers: What's more secure than e-mail that doesn't leave a trace? VaporStream is a Web-based service that lets two parties communicate with their standard e-mail addresses; the message is transmitted as an encrypted image, and browsers on each end are instructed not to cache it, so there is no record. Instead of jumping through all sorts of technical hoops to secure e-mail communications, the service simply vaporizes them. "You can trust that once you read a message it is gone," boasts the company Web site.
Why the company is worth watching: Void is attempting to bring privacy back to electronic communications. The security that VaporStream offers represents a breakthrough in simplicity - sorely needed in the realm of security technology - but the company may have a tough time convincing enterprises that making e-mails disappear is the best way to communicate. Most likely the service will find niche markets that can take advantage of this simplicity without being concerned about the consequences associated with not archiving an e-mail message.
How the company got its start: Collins, looking to reestablish privacy and confidentiality in workplace communications, teamed with technologist and friend Amit Shah.
Where the company got its name: The founders believed there were gaps or voids in the world of communications and felt they could fill those voids.
Who uses the product: Currently, consumers. Void is working on an enterprise version of VaporStream, as well as versions for BlackBerrys and Windows Mobile devices.
CEO: Shlomo Touboul, founder and CEO of Shany Computers, Finjan Software, Runway Telecom and Runway Telecom Venture Partners
Funding: Received $1.8 million in a first round of venture capital in May
Headquarters: Tel Aviv, Israel
What the company offers: Yoggie Gatekeeper, a gateway that protects laptops on the road so they're as secure as PCs in the corporate office.
Why the company is worth watching: Most mobile-client security measures require running several security applications and agents on the laptop, making them dependent on the security capabilities of the underlying Windows operating system. As a separate, inline appliance, Yoggie offloads the security software stack from the laptop and sidesteps Windows.
How the company got its start: Enterprise customers installed the content-security appliances from Touboul's previous start-up, Finjan, then asked, "So, now we have a great security solution for users within the corporate network, but what are we going to do with the traveling users connecting from elsewhere?" "I never had a real answer for this," he says. After leaving Finjan, he finally answered it with Yoggie Gatekeeper.
Where the company got its name: Touboul picked a made-up word that had the same sound in almost any language and was easy to remember.
Who uses the product: The product is scheduled to be available in November.
-Additional reporting by Tim Greene, John Cox and Deni Connor.