These days, you hear a lot more about “consolidation” and “maturity” in the security industry than about innovation. VC investments in security startups have halved over the last 2 years. And a recent survey by Goldman Sachs indicates that the growth of IT security budgets will decline from the double digits to just 8% in 2008 and 6.5% in 2009.
So it would seem that doing a security startup today is somewhat akin to train surfing. I beg to differ.
First, the fundamental drivers of security threats are accelerating. Gary McGraw’s “Trinity of Trouble” describes these as connectivity (growth of the internet & web services), extensibility (widespread use of plug-ins, mashups) and complexity (exponential increase in the length of code bases).
It is unsustainable for the severity of threats to increase at a rate greater than the resources available to mitigate them – that trajectory implies that swathes of IT infrastructure will gradually be rendered unusable. I believe there is an opportunity for innovators to plug the gap with a different approach, possibly spawning the VCs’ holy grail – the next $1B+ security category. While only time will tell the details of its composition, I expect that aspects of automation and semantics will be involved.
Second, security is a perpetual game of cat-and-mouse, implying a continuous need to build new defenses to adapt to the shifting threat environment. So while things like anti-malware and anti-spam are indeed “mature”, the tectonics of technological innovation are exposing new attack surfaces, from virtualization to rich internet applications to mobile phones.
While many enterprises tend to be more concerned about mature attack vectors than emerging ones, it usually takes just one CNN Moment for corporate wallets to rapidly spring open. And at that point, startups that have developed rock-solid defenses for those new attacks will find themselves well placed.