When Security Vendors Fail

The following is an excerpt from Security Yearbook 2021. Available for pre-order here. For the record this was first posted to Forbes on March 26, but was taken down by Forbes.

Learning from failure is one of the most valuable reasons to study history. Successes like Check Point Software in Israel lead to more investment, economic growth for a country, and innovation as the company invests in R&D. Failures tend to be forgotten by all but those who were part of the company. Attempting research into defunct companies will often turn up all the press mentions as it got several rounds of funding, won big deals, and made acquisitions, but once it begins to fail there is no one there to write the press releases or record its demise.

Complete failures in the IT security industry are rare. Unless one has insight into the internal operations it is often difficult to even determine if a company has failed. Was the sale of the company just an exit for the founders and investors, or was it a fire sale of intellectual property and key people? In recent history, the crash of Norse Corporation is one of the few admitted failures. Norse, based in Kansas City, raised it first seed round in 2011. It went on to raise $33 million total. It appeared to be a vibrant company hiring and marketing at a healthy pace when Brian Krebs reported that there had been a major round of layoffs in January 2016. With that revelation customers who were close to buying Norse’s threat intelligence feeds canceled or put their orders on hold. That led to the CEO leaving, and eventually the company was disbanded.

Was the sale of Mirage Networks to Trustwave a failure? Was Finjan?

One measure of failure when an acquisition occurs is whether the investors turned a profit or lost the value of their investment. Bruce Schneier’s Counterpane, one of the original cohorts of MSSPs, had $90 million in investment when it was sold to British Telecom in 2006 for a reported $90 million. In such cases the founders rarely walk away with anything, a measure of failure.

Another failure attributed to the dot com boom was Vigilinx Digital Security Solutions, an attempt by investors to build a major player in the security consulting space to compete with PricewaterhouseCoopers, KPMG, Deloitte, and EY. Investors pledged $90 million to a venture of their own creation and hired Bruce Murphy from PricewaterhouseCoopers to lead it. It was only two years before it morphed into a reseller and managed security firm, and was eventually sold to TruSecure for an undisclosed amount.

Many failures are brought about by investors losing interest in supporting the companies they have funded. One of the largest failures was that of Nexsi, an attempt to create the god-box of networking to compete with Cisco and Juniper in the carrier space. The investors had poured $100 million into the development of Nexsi’s first product, a datacenter solution that in addition to being a switch, had a full-fledged firewall. A turnover in partners led the primary investor to pull the plug on Nexi before it had a chance to start delivering products.

Cosine Communications, founded in 1998, was the last dot com company to go public. It too created a god-box for switching, networking, and security. It raised $230 million in its IPO in 2000 and its stock jumped 195%. It employed over four hundred people when it ran out of money and shut down in a few short years. Its portfolio of 80 patent applications and its leftover gear and few remaining customers were handed off to Fortinet at fire sale prices.

Crossbeam Systems was another hardware venture deemed a failure. It had gone to market with what was, in retrospect, a failed strategy. Crossbeam invested $72.5 million to create and sell a multi-blade security appliance. Up to ten cards were load balanced to handle high throughput for security software products, primarily Check Point, and ISS. It was eventually sold to Thoma Bravo and then sold to Blue Coat.

In 2019 ThinAir shut down. It was a startup in the data discovery space. Its agent deployed to Windows desktops allowed a customer to discover what data was on each of its endpoints, a valuable capability for compliance with data privacy regulations. In late 2018, as it was burning through its remaining funding, it attempted to sell to a competitor that pulled out at the last minute. It had to lay off its employees and shutter operations.

2020 Failures

Herndon, Virginia, based GigaTrust, an information rights management solution, shut down its website and Linkedin profile page in 2020, although its customer ticketing system is still active. There was no explanation and no news coverage. Glassdoor reviews by employees highlight the implosion and dissatisfaction with executive leadership. GigaTrust took in a total of $46.2 million in funding with the final infusion of $20 million provided by private equity from Balance Point Capital Partners. It had 37 employees at the beginning of 2020.

NS8 saw a meteoric rise in early 2020 growing from 80 employees at the beginning of the year to 214 by July. That growth came after a $123 million Series A round led by Lightspeed Partners valuing the fraud prevention company at $400 million. After irregularities involving handling of corporate funds it was reported that the SEC was investigating the firm. The CEO left abruptly and they laid off most employees in September. The IP of NS8 was acquired by Avolin.

Failures in the security space are remarkably rare considering the number of vendors. The reason is that most vendors that survive a couple of years actually provide products that customers value. The customers renew and companies continue to make headway as they take on investment, hire marketing and sales teams, and focus on a geographic region or an industry vertical.

Do you know of any other failed cybersecurity ventures? Let me know so I can add them to the 2022 edition!