Failure to launch
This post is inspired by Ross Haleliuk's Substack about cybersecurity startups worth exploring in 2024. To my delight, mobile security was mentioned multiple times :) He argues that some markets enjoy attention from VCs, CISOs and the wider community, e.g. endpoint protection, identity, cloud security, etc. Every CISO has three or four "items" on their list. If a startup is about blockchain, IoT, mobile security or OT, then tough luck: these companies would have to launch a whole lot of marketing to educate security practitioners on why their industry deserves attention. This quote from the article sums it up perfectly:
Over a decade after acknowledging the importance of securing IoT, we haven't seen IoT security companies become a sweeping success. Mobile security has never really taken off as a market as well, which is unfortunate as we're drowning in smishing, vishing, and other types of attacks. Blockchain and 3D security are not a thing either. We hope that security for AI will be different. It may or may not; most likely, there will be many winners, but the size and shape of these victories remain to be seen.
This is unfortunate, as it's been more than 15 years (approaching two decades 😄) since the launch of the first iPhone, but the "mobile security" industry is still in its infancy. Why? Let me hypothesize.
First, a lack of major security incidents. Even though mobile devices have a full network stack, they are not directly exposed to the internet: they typically don't have publicly routable IP addresses and are not reachable for inbound connections. This significantly reduces their attack surface, so they are not exposed to the risks that come with other connected devices such as servers. Of course, there have been many security incidents over the years: exploits, zero days, banking trojans, etc., but nowhere near the level of panic and destruction caused by Petya, NotPetya, Sandworm, etc. The latter even got a book covering its origins, actors, political implications, etc. Mobile has not risen to this level just yet. The closest news we have is the zero days targeting dissidents, journalists, etc. The infamous Pegasus spyware by NSO Group was allegedly used to track down Jamal Khashoggi.
Secondly, a relatively small number of security engineers focus on mobile security. Most IT security professionals come from the traditional infosec world, which has limited exposure to mobile. I have been on numerous sales calls where we had to go through concepts like the app sandbox, permissions, OS security features, etc. This is not to chastise folks but to lay out the realities. This in turn has forced many mobile-centric startups to focus somewhere else. Here are a few areas:
1. Privacy - especially consumer privacy! Given the numerous scandals revolving around the handling of private data, most people feel their data is misused. Think Google and Facebook and the massive surveillance industry that collects and sells personal data for billions. Even the US government is involved 😊. E.g. Jumbo Security, acquired by Coalition.
2. Device Forensics - high-value individuals like government officials and journalists are often targeted by various groups. Famously, Jeff Bezos was targeted by a Pegasus zero day through WhatsApp. A good example is ZecOps being acquired by Jamf.
Let me know if I overlooked an area where mobile security can be big.
Cheers