UP18 – it-sa’s cyber startup pitch contest

For the first time, the largest German cybersecurity conference it-sa was started by a warm-up event to get into the conference groove. Initiated by the it-sa team, the Digital Hub Cybersecurity and the Bavarian IT Security Cluster, and based on a concept that by now can be considered established, sixteen IT security-related startups from Germany, Switzerland and Austria were invited to present their offerings in three-minute pitches followed by a short Q&A with a panel of experts. DCSO, and the TSE team in particular, were present as a sponsor of the event – but decided to abstain from voting for reasons relating to market neutrality. As it turned out, it would have been hard not to be biased anyway, as DCSO had already discussed partnering opportunities with one of the competitors earlier this year, while another was founded by a former colleague of one of the team members.

Identity, Phishing and a Bit of Everything Else

With the current IT security trends in mind, some of the topics addressed were not surprising.
Identity and authentication topics already checked all of your BINGO cards with recent hypes like adaptive and biometric-based authentication (TSE assessment coming soon …), certificate-based authentication in the age of post-quantum crypto (not yet sure when this will actually become reality), which of course also works for IoT and OT devices as well a distributed, blockchain-based platform for sovereign identity (think Verimi without the enterprise constraints involved). Furthermore, security awareness, especially with a focus on phishing attacks, was a prominent segment with three startups, each with slightly different approaches and target groups. Adding tools for application security testing and multi-cloud governance as well as some solutions, we were not entirely sure that we understood their objective or approach, the competition did not nearly include as much encryption as would be expected from Germany’s security scene.

Following three blocks of pitches, people were invited to network and to vote for their favorites based on three chips per attendee (competitors were allowed to vote as well). After about 90 minutes of talking and handshaking, IT-Seal was announced as the winner of this year’s contest. As one of the three phishing awareness competitors, the focus on social engineering-backed spear phishing simulations combined with strong KPIs and analytics garnered the most votes from both audience, expert panel and competition. Using e-mail for malware campaigns and phishing, in particular, is well known as one of the most relevant attack vectors, and getting more sophisticated and more targeted every day. In addition to complex and expensive detection technologies for filtering unwanted mail traffic and respective attachments, awareness training adds another, more preventive layer enabling users to identify and report such e-mails. Furthermore, the required research and technological complexity is comparably small, so it is a market segment with a low entry barrier for new players (probably another reason for the number of solutions in this field).

Phishing awareness is not a new topic and has already been addressed by well-known players such as Proofpoint and Cofense Phishme. Still, a German company might excel due to its strengths in data privacy and know-how involving local policies both in terms of compliance and works committees. Focusing on medium-sized enterprises outside of the stated companies’ sales focus could also pose opportunities for a smaller and more flexible company with a German background.

How German is too German in IT security?

Overall, it was rather different than similar startup events that include international vendors. As seems to be the nature of Germans, (self-) marketing is not a major strength and companies tend to present what they already have – instead of a disruptive vision that might or might not come to fruition in a couple of years. Given the fact that most of the participants are still in a very early stage of their life, this should be considered a positive feat, at least for us as a scouting team. Still, a bit more fire would have helped to make the pitches more entertaining and catchy. Adding to this feeling, most companies obviously don’t “shoot for the moon” but are happy to find a solid niche where they can have a slice of the cake that is big enough to make it.

Also, the event itself was not nearly as spectacular as others, such as the Innovation Sandbox Contest at RSAC, but more sober and down-to-earth. Events such as this contest might help encourage German vendors to expand their network, connect with potential partners and customers, and generate overall exposure. But to become actually relevant in a very marketing-oriented world, both the hosts and the participants need to invest more effort into this format (starting with an actual prize worth winning). Otherwise, this promising contest won’t live up to its potential.

As it is always hard to uncover hidden gems in the German industry for the stated lack of marketing (which goes hand in hand with the way smaller budgets compared to VC-backed companies from the US and Israel), however, we as TSE were happy to join this event and get the opportunity to meet some early-stage companies in the making.

Who we are
The “Technology Scouting & Evaluation” (TSE) service identifies and evaluates promising IT security solutions. With this service, DCSO supports companies in staying ahead of a dynamic and ever-changing market. The centralized and unbiased evaluation process is supplemented with the experience of all community members.