5 Tips for Securing a Place in a Crowded Cyber-Security Market

There are concrete things an auto cyber-security start-up can do to stand out. Susan Kuchinskas reports.
Blockchain cyber-security start-up Buglab recently put out a multi-million dollar bug bounty – it offered up to $2M in bitcoin tokens to white hats and security researchers who could find breaches in bitcoin exchanges. The hacking contest is a way to promote Buglab’s own service of penetration testing on the Ethereum blockchain, which is an open-source, public blockchain platform. It’s an excellent publicity stunt but should automotive cyber-security start-ups take the cue?
Top automotive cyber-security trends
The auto cyber-security market is wide open and full of opportunity but it’s crowded and confusing. Cyber-security solutions may address hardware or software, individual ECUs to full systems. Greg Basich, associate director for AIT and ACM at Strategy Analytics, says: “This is all a work-in-progress.” There’s no solid information about how, or whether, any cyber-security product or technology will actually work in the field. It’s much too soon for benchmarking but Basich notes key trends:
Vertical integration is a goal for automakers. In the traditional automotive supply chain model, security software would be a Tier 2 product that would have to be dolt to a Tier 1 supplier, which would then sell on to the carmaker. “That is breaking down across the entire industry,” Basich says. “Cyber-security companies are going straight to the OEMs, and OEMs are increasingly seeking partners.”
However, Basich doesn’t see automakers as ever completing this kind of vertical integration. “Automakers’ strength is managing huge supply chains but they are looking to get more control of it, as the types of things they want to do with the vehicle are more complex.”
Consolidation as Tier 1s acquire cyber-security companies. “This implies that Tier 1s see security as a critical part of their offerings,” he says. “They are often acting as systems integrators: They will be expected to make all this work together and to secure it. So, it’s in their interest to offer a suite of solutions.”
No single solution can address total cyber-security for a vehicle. Says Basich: “OEMs would love to have a one-size-fits-all solution but vehicles are too complex. It’s not possible to just install something like an antivirus product, and that’s it.”
Interoperability as a selling point. Companies that haven’t been acquired need to show that their solutions work as part of a broader solution.
How can start-ups use understanding of these trends to make their case? We talked to experts about the best ways for a start-up to stand out in a crowded and confusing marketplace. Here are their top tips:
- Focus on customers, not pitches. Young autotech start-ups should definitely lean on investors and advisers for introductions, as well as speak at conferences, says Elizabeth Kerton, executive director of the Autotech Council. “But, if you focus on making your current set of customers happy and build your marketing around proofs-of-concept and customer case studies, the next batch of customers will come to you.”
- Make the case for interoperability. Kerton identifies technical fit as the key to getting deals with automakers and their Tier 1 vendors. “Not only does your technology need to be superior to what they already have in order to justify the time and money expenses of overhauling multiple systems, it also needs to fit with their other suppliers, multiple company’s technology roadmaps, and pass the ‘will this last for 11 years on the road’ test,” she says.
- Make serendipity happen. Some of the best partnerships come about via serendipity – two people happening to be in the same place at the same time. The more potential partners that are in one place at the same time, the more likely serendipity is to take place.
The Michigan Economic Development Corporation (MEDC) is actively courting automotive start-ups specific to mobility and autonomy to move to Detroit. Sarah Tennant, MEDC’s strategic adviser for cyber initiatives, says: “It’s a unique space and a relatively small market. We’re looking to have companies collaborate with each other and with OEMs. We are looking to bring as many companies as possible to the state so OEMs have a variety of choices.”
Adds Seun Phillips, director of Planet M: “It’s a global industry but companies still have to connect in Michigan to do business. There’s a lot happening in the valley but at the end of the day, they want to put it in a car, so they will be connected to Michigan.” Planet M is an Initiative of MEDC that acts as a “concierge service” for global mobility companies. It provides matchmaking services between start-ups and potential customers; operates hackathons; and has created Michigan Cyber Range, a platform for cyber exercises, product testing, and digital forensics, along with professional certifications, to increase the cyber-security talent pool.
Does this mean start-ups should relocate to one of the big hubs like Silicon Valley or Detroit? Maybe. Yes, it could be expensive but MEDC, for one, feels the pain and helps out with grants. More than $1M is available for mobility start-ups of all kinds, including cyber-security start-ups, to support testing and technology pilots. In each case, the start-up pays only 25% of the cost of testing or piloting. “We don’t want there to be a cost barrier,” says Phillips.
- Be skinny with funding. Automotive start-ups may take many years to begin to offer returns to investors, Kerton says. She advises relying on friends-and-family rounds for as long as possible before calling on angel investors.
- Advocate for the industry Todd Benoff, a partner in the law firm Alston & Bird who focuses on liability and cyber-security issues unique to autonomous vehicles, identifies another kind of “attack surface” for which there is as yet no remedy: liability. Says Benoff: “There is no cyber-security system that’s 100% bulletproof. Any system can be breached.” If that happens, automakers and Tier 1s may be on the hook for damages resulting from loss of property and even life.
Benoff’s analysis of current law is that, in the event that an autonomous driving system was hacked, resulting in a crash or other disaster, strict product liability would apply. “It doesn’t matter if you have best-in-class security,” he says. “This would put a manufacturer in an impossible situation if a breach occurred.”
While start-ups certainly need to focus on technology development, the bigger role they can play in helping to guide standards and legislation, the bigger impact they can make in the marketplace.