paulshomo
Contributor

RSAC Innovation Sandbox 2019: Cloud, identity, application security take center stage

Feature
Feb 05, 2019 | 6 mins
Application Security, Cloud Computing, Encryption

Take note of these startups. Innovation Sandbox has been around for 15 years. A whopping 42 percent of finalists from its first ten years have been acquired. Finalists in the past five years have received $1.5B in funding.

Next month at the RSA Conference (RSAC), entrepreneurs, cyber warriors and a ragtag mob of security practitioners will scratch their start-up itch in San Francisco. There they will compete, network and be entertained by a battle for the ultimate prize. These Shark Tank-style competitions are the closest thing security startups have to the Super Bowl.

Our daily routines, security tools and the buzzwords chased for resume-building will be defined by the trends on the RSAC expo hall floor this year. Of course, the new tech on display will have been years in the making. If you want to see farther out into the future and watch our industry’s luminaries debate and conceive of the next big thing, come a day early and watch Innovation Sandbox.

2019 Innovation Sandbox finalists

Months ago, aspiring entrepreneurs submitted video pitches and met one-on-one with judges, hoping to sell their late-stage startups as worthy of the top ten. This process of selecting finalists is simply beyond reproach. Innovation Sandbox has been around for 15 years; a whopping 42 percent of finalists from its first ten years have been acquired. Finalists in the past five years have received $1.5B in funding. All but 5 percent of the finalists are still running.

Those numbers bode well for 2019’s finalists: 

  1. Arkose Labs – fraud and abuse prevention, through global telemetry
  2. Axonius – cybersecurity asset management
  3. Capsule8 – real-time Linux exploit detection
  4. CloudKnox Security – identity and privilege management
  5. DisruptOps, Inc. – cloud infrastructure detection and remediation
  6. Duality Technologies – encrypted asset analytics and collaboration
  7. Eclypsium, Inc. – hardware and firmware threat prevention
  8. Salt Security – cloud API protection platform
  9. ShiftLeft Inc. – protects and audits software code
  10. WireWheel – privacy management technology

The founders of these ten companies will battle it out live on the RSAC stage in front of a massive audience and a feisty panel of judges. Each founder will give a 3-minute pitch and then respond to tough questions from the judges. This back-and-forth banter is one of the most entertaining parts of RSAC. In the end, two finalists are chosen, and the final winner goes home with the ultimate bragging rights.

RSAC is also introducing a new competition. Held the following day, LaunchPad is for early-stage startups. In this pure Shark Tank-style competition, three founders will chase funding live before a panel of venture capitalists (VCs). If the VCs like an entrepreneur’s pitch, they will in turn compete live to secure an investment in this up-and-comer.

CSO spoke with three Innovation Sandbox judges to learn how they pick the technologies of the future.

Seeing like a visionary

Monitoring current and future regulatory policy is a fascination of VCs. On their minds are things like the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) and how they’re driving current spending trends. Unlike the average insider, VCs are more likely to focus on predicting upcoming regulation, for IoT, for example, and projecting out the far-reaching consequences.

How IoT collides with society’s reclaimed privacy rights and policies is on Niloofar Razi Howe’s mind. “Data privacy and regulation is interesting because it touches on what people are not thinking about as much. Everybody knows that IoT is not secure… but the thing we don’t talk about as much is the implications of privacy with respect to all the data that is being generated by these devices as they go through corporate networks,” says Howe, a cybersecurity strategist and entrepreneur. “How are we going to deal with all the data privacy regulation as we move towards smart cities, autonomous cars, and delivery drones, and personal assistants in smart homes?”

Vulnerability management is a bedrock of security, and Patrick Heim, operating partner and CISO at VC firm ClearSky, sees the nightmare IoT will cause. “Historically we’ve treated these devices as durable goods with a lifespan of 10+ years, like refrigerators, for example. We’ve added a computing component and we still expect them to be useful 10-30 years, or whatever it may be. But the vendors are probably not going to be willing to support them for that time period,” Heim says.

Like everyone else, VCs are watching the advent of new vulnerabilities and attack vectors and analyzing breach reports. “Even though the Bloomberg story we recently saw about hardware implants was maybe somewhat debunked at the time, if you really analyze it, it makes perfect sense to have that attack surface evolve. Same thing with attacks into the BIOS,” says Patrick Heim.

VCs operate at the intersection of technology and enterprise buying culture; this is how they visualize return on their investment. Sometimes the easiest way for entrepreneurs to change the world is to innovate within existing spending buckets. Far-off ideas are great, but, Howe points out, “there are existing categories of spending” that you can’t ignore. She adds that “reimagining and reinventing old and well-understood market segments is where innovation can happen.” For example, the judges CSO spoke with all mentioned data loss prevention (DLP) as a category ripe for reinventing, which is not surprising given the current regulatory climate.

Building the future

The entrepreneurs and judges of LaunchPad focus on funding early-stage technology. They’re building the future where markets don’t yet exist and taking the initial stabs at solving emerging problems. This requires a unique way of looking at things, but it also requires meeting and talking to a lot of different and interesting people, says Enrique Salem, a partner at Bain Capital Ventures.

“What problems do I see that are happening? That comes from spending lots and lots of time talking to folks who are users of whatever technology they’re engaged with. What’s working, what’s not, what are the hard new issues they’re facing.”

New technologies also enable hackers to build next-generation cyberweapons. Salem has his attention on technology that fundamentally alters computing. “If quantum computing happens in the near term, all the security we know today can be compromised,” he says.

How to impress the VCs

Whether you’re pitching a VC in the hallway at RSAC or submitting a video to become an Innovation Sandbox finalist, communication skills are king. For his part, Salem is “looking for clarity in a description of the problem. That doesn’t mean the market is already there, but can they say ‘Here’s the problem we solved’ in a succinct way.” Howe echoes that point, saying “They have to be able to tell their story. I can’t emphasize enough the importance of storytelling.”

For her part, Howe is looking for “a company that has a novel approach to an interesting problem, with a large addressable market and a team capable of executing against a vision.” She warns of incomplete ideas or features posing as companies. Heim elaborates on that, saying that feature companies, which “solve a very small or narrow problem and do that extraordinarily well” may not be defensible “if you already have large vendors out there who say, ‘That’s a great idea, I’ll add that as a feature to the next release of our product.’”

Prior to becoming an independent analyst, Paul Shomo was one of the engineering and product leaders behind the forensics software EnCase. In addition to his work in the digital forensics and incident response (DFIR) space, he developed code for OSes that still power many of today’s IoT devices. He is the co-editor of an upcoming special issue of the Journal of the Association of Computing Machinery (ACM).

The opinions expressed in this blog are those of Paul Shomo and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.