EULA out, equity in: Why startups are now a part of larger companies’ security budgets

Large companies are starting to invest in cybersecurity startups instead of buying their services through the usual licensing agreements.

Cybersecurity sales teams often spread the idea that companies with the most sophisticated data protection strategies got that way by spending the most money on the latest and greatest security products.

Truthfully, that’s usually not the case.

U.S. companies have begun in recent years to enter strategic partnerships with cybersecurity startups, which often offer products at lower rates and more flexible terms than established market leaders. The technique allows companies like health insurance giant Aetna and New Jersey-based telecommunications firm IDT Corp. to more aggressively experiment with the services security startups offer, sometimes even stitching together technology from multiple distinct organizations.

“I tend to choose innovators that are developing capabilities that have the potential to be game-changing, whereas leading enterprise security companies have a commitment to serve the broadest needs of the overall market,” said Jim Routh, chief security officer at Aetna. “Those needs don’t look a whole lot like our needs.”


Nearly four years ago, Aetna began exploring ways to further secure customers’ ability to access their health information via the company’s app and website. Larger security vendors suggested the company use multi-factor authentication, now an industry standard. But that binary technique would have allowed Aetna to verify users’ identities only when they logged on to the app, rather than on a continuous basis.

Instead, the health company entered into agreements with four startups that each specialized in different services, ranging from a risk-assessment engine to an identity management tool (Routh declined to name any of the security vendors Aetna works with). Aetna cobbled together those four tools into a single service the health care company now uses to verify users as they browse Aetna’s app, Routh said.

“Each of those technologies was totally different and offered something totally compelling,” Routh said. “Because they were still early stage companies, they were willing to work together.”

Aetna has saved millions of dollars by entering into agreements with startups, he added. Aetna also uses more established security vendors, albeit in a limited capacity. “They do have their place,” Routh said.

Aetna also is working with smaller firms to customize anti-phishing technology, and to test machine learning technology across different security controls, Routh said. The health care company takes equity in some of the security startups it chooses to work with.


“We spend 90 minutes every week looking at every early-stage solutions and their architecture,” he said. “We might do a proof-of-concept with one [out of] every 20 companies, but doing that gives us a feel for what’s happening out there.”

Working with smaller, more nimble startups also helps companies adjust to emerging technologies like the cloud. IDT earlier this year began working with ShieldX, a cloud security vendor with roughly 60 employees, to apply machine learning to web traffic flowing through IDT’s environment. By signing up with the fledgling ShieldX, IDT saved money while allowing the young company to use IDT’s network as a quasi-test laboratory, according to ShieldX founder Ratinder Ahuja.

“Larger partners can benefit from the innovations we bring in, and we benefit from their global footprint,” Ahuja said, adding that Golan Ben-Oni, IDT’s global chief information officer, provided expertise ShieldX incorporated into a patent.

“He guided us and works with us very closely as a joint development partner in some of the technologies,” Ahuja said.

In any given area of operations, IDT typically works with one or two more established firms and one startup, Ben-Oni said via email. Working with startups often means faster response times and more collaboration between IDT and vendors’ product management teams, leading to more IDT control over the final product. Unlike Aetna, IDT does not have equity in ShieldX.


“It can sometimes be challenging for an incumbent to rethink security from the ground up, which often can mean starting over or creating an entirely different approach to solve a given problem,” he wrote. “Startups on the other hand can be more nimble and are not held back by legacy technological systems or thinking.”

The notion of corporate security executives entering into these kinds of strategic partnerships is an emerging concept, according to Routh. While chief information security officers at large companies might have the flexibility to try out smaller firms, CISOs at small and medium-sized firms don’t yet have room in their budget to invest precious resources in a startup that might fail.

The trend will accelerate in the years ahead as cyberthreats become more complicated, forcing companies to adjust to new problems more quickly, Ahuja predicted.

“There always will be early adopters willing to address their pain points with newer technologies like us,” he said.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.
