Guest Post

Channel partners must understand the cybersecurity market

COVID-19 and consolidations have reshaped the cybersecurity market. Channel partners and customers must keep up with the market and best practices, including insurance policies.

Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.

All organizations, whether channel partners or their clients, must invest in their cybersecurity. An understanding of the cybersecurity market can help. In this video, Sobel discusses the perspective Gary Guseinov, a cybersecurity company investor at RealDefense Holdings, has on how the market is changing and the importance of cybersecurity insurance policies.

Transcript follows below. Minor edits have been made for brevity and clarity.

Dave Sobel: Tell me a little bit about what you and your firms do because you've got two different involvements from my background understanding.

Gary Guseinov: RealDefense Holdings is a holding company that's in the consumer privacy and security space. We acquire often underperforming assets or divestitures of companies that are larger, and they're looking to divest a smaller group within the organization or an enterprise company who wants to divest a consumer brand or product. We take these assets and we optimize them. We increase sales. We improve operating environment. We bring in new management if necessary and optimize this organization so they increase lifetime value and most importantly improve consumer satisfaction and product quality.

Sobel: A lot of my listeners are IT services owners that are generally consumers of a lot of these cybersecurity products. Give us a little bit of insight into how you measure success in your investments.

Guseinov: Multiple ways, but our go-to-market strategy is we take consumer product software, for example, and bundle them with services. So very similar to how a Telco company will bundle telephone service with internet access or cable television networks. By doing so, they increase lifetime value, increase retention and reduce their operating expenses. Our approach is the same, or similar, I should say. What we've found is software in today's cybersecurity, privacy environment cannot be sold without insurance. It just doesn't make any sense for consumers.

There are too many moving pieces, too many devices. Average consumers in the United States have eight to 10 devices connected to the internet. In the near future, that's going to probably double and triple as you get IoT devices being connected and managed internally or by the head of the household and various different threats are emerging. Your cars are getting connected to your home. Your home's getting connected to the internet. All those conversion technologies need to be managed from a security standpoint. We are building an environment where consumers can plug into our platform and they can manage all of their security from one place. Imagine an enterprise environment out of your home and so that's what we're building at RealDefense.

Sobel: Give me a little bit of a sense of how you look at the timeframe. When you buy something or invest in something, are you looking for a return on that investment in a year, three years, five years? Is it a machine to pull money out of forever? How do you guys measure it financially?

Guseinov: We have many measurements, but we're not looking to build this and sell. We're looking to grow it and generate profit. RealDefense has been a profitable company since day one. We are trying to build a bigger organization by adding creative acquisitions to our company. Before we do a transaction, before we get an acquisition completed, we look for synergies and we look for ways that we can benefit from the combined entity before a transaction is completed. The transactions that we have completed in the past couple of years, they've all been doubled in size in terms of revenue and profitability. Declining businesses have turned into growing businesses. We have a formula that works and we're very happy with it. It's not just technology; it's also human driven. We have a very good management team and good investors, Global Capital Partners who are very strong in this category in terms of providing the right structure in terms of debt and equity that give us the flexibility to grow the business.

Sobel: The reason that I wanted to talk to you was that with all this flood of money that's coming into the space, you've got some thoughts on the way that this is directly changing product roadmaps. Tell me a little bit of the way you think that the flood of venture capital money in the security space is changing the way software's being developed in those roadmaps.

Guseinov: There's a lot of things going on. One is that consolidation on the enterprise side is necessary for companies to develop new categories of products or new services quickly and deliver those products and services to clients. It's very difficult for companies to invest into R&D because it takes time. If you can acquire a creative solution that's going to ultimately make your client more secure and better off, you may want to do that. That's going to serve the client better. It's going to serve your organization better and build, hopefully, a complete suite of solutions. There's also a lot of gaps. If you look at the enterprise space, we're always catching up. We're always behind the curve. Bad guys are always ahead of the curve, so we're trying to build solutions that address the future of the threats, zero-hour attacks. And in the enterprise side or the consumer side, it's the same problem.

That's why there's a lot of evolution, a lot of M&A, a lot of money going into it. As a percentage of total spend, in terms of corporate on the profit and loss side, you'll see that the amount of money that's spent on cybersecurity is relatively small compared to other expenditures. Companies are realizing that now, and governments as well, and you're going to see a lot more money flowing into cybersecurity. If you look at global GDP, I think it's over $100 trillion. Shouldn't we spend at least half a trillion dollars on protecting $100 trillion dollars in GDP? I think we should, and that's not including existing assets. If you look at it in totality, it's a lot more to defend and the threats that we're seeing now with cryptocurrencies in particular, it's very hard to trace these individuals. That's why there's a lot of M&A activity.

Sobel: I'm going to put forth a premise and then I want to get your take on the premise, right or wrong. My premise is that with all the M&A that's in this space, this seems really good for investors. It seems really good for product companies, but actually it's bad for customers. And it's bad for customers because nothing is allowed to mature and with this model, plus the speed of the attackers, customers never get ahead. What's your take on that?

Guseinov: In some instances, they do get ahead and then for some instance on the consumer side, I think the problem for consumers is a lack of choices. Recent transactions with McAfee and Norton, where they've acquired Avira and BullGuard and Avast, and kind of gobbled up all of the large players, there's just less options for consumers, which means price will probably go up, which means there will be less innovation because there's less R&D labs, less need to innovate because there's less competitors out there.

Sobel: Let me push on this, because what space do you think is less competitive? Is that antivirus or endpoint detection and response? Because when I look at the cybersecurity space, all I see is thousands and thousands of vendors. How is there less competition there?

Guseinov: Let's just take consumer cybersecurity, for example. There are only a handful of companies that actually make their own antivirus engines. Most of the ones that you see out there, if you're seeing 100s of antivirus companies, they're using someone else's engine. They're licensing someone else's. The actual development of antivirus engines is done by a handful of companies. Those companies, some of them are undercapitalized and some of them are very big. There's a very small middle market in this space. The consumer is going to have less options because of acquisitions. When there's less options, there's less R&D; there's less innovation. And so, to certain extent, consumers may benefit from maybe better comprehensive solutions from one particular vendor -- let's say Norton, for example -- but they're going to not benefit from price and maybe not benefit from not having more options in the same category of products.

Sobel: Well, that's antivirus, which is one small piece of the puzzle. And to be fair, antivirus is [a] rather commoditized piece and a reasonably mature technology of which it's only one small part of the stack. I guess I'm not entirely understanding how that space that's maturing, having a few less players, I guess I'm not really seeing where that's the problem in the larger cybersecurity space.

Guseinov: If you take a large antivirus company, they're not just building an antivirus technology. So they have identity protection products and services. Norton LifeLock is a good example of that. They have technologies for optimization. They have technologies for privacy management. It's not just antivirus. Antivirus is a go-to terminology when people think about cybersecurity, but it's far more than that. One of the things that RealDefense is working on is creating solutions for companies that want to include cybersecurity within their technology stack. As you're building, let's say a Twilio telecommunication stack, you may want to include a component of cybersecurity within that stack. If you're building an app for grocery shopping, you may want to include a cybersecurity stack within your technology stack.

Developers don't typically think about these things. They build a product first, and then they learn later that there is some kind of a hole, or their technology is not part of a bigger cybersecurity ecosystem. And they have to catch up to it. We're seeing companies are now thinking ahead and then thinking to include cybersecurity within their technology stack. As that happens, consumers will definitely win. But today, to your point, what's happening is because of consolidation and part of it is R&D because it's very difficult to develop these technologies and stay ahead. Companies want to buy technologies that are out there and R&D teams that are out there. But as you compress them and put them under one umbrella, you're going to have less innovation. This is just what happens with automotive. It happens in the airline industry, same thing.

We're going in that direction. Ultimately, the consumer's going to win. Where the dangers are is that the technologies in general that are built out there -- whether it's hardware, IoT, software -- they don't incorporate cybersecurity as part of their technology development process. It's an afterthought. It has to be the other way around. If you build something, you got to say, 'okay, how am I protecting my users from cyber attacks?' If you can't think through how to protect users, don't build a product.

Sobel: I want to go a little further on this space, because I get the investment and why everyone wants to put products into the space, but one of the other areas that I've been focused on here is that for most of these products, those that develop the product have very little financial risk involved with what happens. The risk actually falls on the services provider and on the customer.

You've talked a lot about the antivirus space. If something fails from an antivirus perspective, the creator of the engine suffers no financial risk to that. The service provider has to do a bunch of cleanup. The customer does a bunch of loss. But there's no actual financial incentive to be good at this besides sell a product. I think this needs to change. In order to have the product, people need to start getting involved. For example, something like what SentinelOne is doing with their actual warranty offering or like a resilience where it's an investment of software plus cyber insurance. What's your take on the financial incentives of those developing products in this space?

Guseinov: It's a good question. The analogy here is your home, right? You have an alarm system in your home, on your front doors, in your windows, and then the alarm system company will never guarantee that their alarm will protect against every intrusion. Right? There's no such guarantee. They can make sure that technology works, and they'll notify you if there's an intrusion. They can't block it from happening if the thief was able to break in. So how do you protect yourself? You get insurance policy. The insurance policy covers you in a situation if something was stolen or if your home was breached. Now on the consumer side, when it comes to cybersecurity, it's not something consumers think about, so they don't buy cybersecurity policies. Not yet, at least. Enterprises do and my company would have it. We're protected against various different intrusions.

The insurance industry itself has to catch up to definitions of what is a cyber threat, because they protect against certain types of cyber threats, but not others. And the reason is because they don't understand those other threats. That industry is still relatively young in terms of comprehensive solutions, even for enterprises and businesses. On the consumer side, it just doesn't exist. Consumers don't buy cyber insurance. You also have to look at the costs, right? How much are you going to spend as a household, for example, to protect your digital assets. Are you going to spend $100 a month or are you going to spend $1 a month? Until consumers realize that the danger is real -- and I think they're starting to -- and are willing to invest into hardware, software insurance to protect their digital and hard assets properly, we're going to have these gaps. It's unfortunate, but it is what it is.

Over the next five to 10 years, you're going to see a dramatic shift to a clearer understanding of what the real need is: product fits for the market that evolve around where the demand is. We're also looking at a very new consumer post-COVID-19 time. You have consumers who are now using telemedicine; they're using zoom more frequently than they have before. PC sales have skyrocketed in the past couple of years. They're now at new highs post 2012, when everyone thought everyone's going to be using the cloud, and everyone's going to be using iPads and no one's going to be using PCs. And the opposite happened. Now all these devices are out there in the market. All this demand is out there. Consumers are working from home and studying from home. The understanding of what is needed to be secure is different than it was two, three years ago.

To a certain degree it's a good thing because now the awareness has lifted and demand is there. Product developers, product companies need to come up with new products to sell. That's exactly what we're doing. We're compiling various different technologies and products and services to bring to market, to bring to these consumers and explain them. That's why we have services as an included component to all of our software sales, because of this. It's exciting and I think it's going in the right direction. It's finally going the right direction.

About the author
Dave Sobel is host of the podcast 
The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade and has worked for vendors such as Level Platforms, GFI, LOGICnow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.

Dig Deeper on MSP business strategy

Cloud Computing
Data Management
Business Analytics