Follow the Cybersecurity money
By Lee Sustar
For anyone who’s made it through the twin expo floors at the annual RSA Conference – past the big-name vendors with magicians, fast-talking comedians, flashy free gadgets and weighty swag bags – you’ll find a collection of startup booths with basic brochures, big ideas and an intriguing demo. But will venture capitalists or a Fortune 500 company send enough dollars in the newcomers’ direction to turn their innovations into a scalable solutions? And the investments and buyout terms keep getting ricker.
“I think there is more money chasing limited companies,” says John Dickson, principal at the Denim Group. “Why do I think this? The daily inbound solicitations from venture capital and private equity companies tell me it’s a seller’s market.”
The challenge facing those startups – and their potential customers – is a cybersecurity industry that is increasingly dominated by a shrinking number of big companies. A look at cyber investment in recent years, including investments by venture capitalists along with mergers and acquisitions, highlights four related trends: a move from hardware to cloud-enabled and cloud-native services and tools; a focus on analytics and automation; market consolidation that will see many startups either purchased or crushed by established players; and the increase in security tools and services offered by public cloud service providers.
To gain perspective, climb up the cyber money mountain. According to Cybersecurity Ventures, total global cyber spending will top $1 trillion between 2017 and 2021, including not just investment in tech vendors but categories like ransomware insurance and defense budget outlays.
For beleaguered cybersecurity teams facing multiple challenges, following the cybersecurity money isn’t about speculation, but strategy. Enterprise-scale organizations are looking for help in automating and synthesizing the cyber tools and technologies accumulated in recent years as well as making the transition to cloud-native IT. Consequently, large organizations are interested in security orchestration, automation and response (SOAR) platforms to help lash their existing products together. Research and Markets estimates that worldwide SOAR spending will rise from an estimated $868 million in 2019 to $1.8 billion in 2024, with an annual growth rate of more than 15 percent.
But spending on and venture capitalist investment in SOAR technology doesn’t mean it can fully address the problems of integration that often challenge IT security teams. “SOAR still requires analysts who are goot Python developers,” says John Johnson, a veteran information security leader. “If you don’t have the expertise on staff, you need to look at professional services. Automation can be good for opening tickets, but still not smart enough to reopen and check the status of open tickets.”
A similar study by Industry Research.co predicts even faster growth for endpoint detection and response (EDR), a must-have product to replace old-school antivirus products – a nearly 23 percent annual increase from 2019-23 to reach $3.4 billion.
But all that EDR log data – which increasingly includes end user behavior analytics – has to go somewhere. Thus, the Security Incident and Event Management (SIEM) platforms providing an overall view as CISOs struggle to get a handle on what matters – and what doesn’t – in order to reduce their cyber technical debt. IDC pegged SIEM spending worldwide at $3 billion back in 2018, a 12.4 percent annual increase from the previous year.
But the money flowing into securing endpoints and log-everything analytics leaves another pressing need, application security, unaddressed, says Larry Ponemon of the Ponemon Institute. The reason: “It’s out of their area of expertise,” he says, pointing out that CISOs nd their second in commant often have backgrounds in networks and systems operations and can be reluctant to spend money on application security products if they lack sufficient expertise to use them. “CISOs are under pressure from the board to show a return on investment, “Ponemon says. “They don’t want to spend on application security and have it turn into shelfware a year later.”
A look at some of the last decade’s biggest investments shows that cybersecurity investors are indeed focusing spending on companies that can meet those demands – both on premises and in the public cloud infrastructure. For example, Tanium, which provides EDR and security monitoring, pulled in $375 million in 2018 alone, making the decade’s top 10 deals list twice.
A closer look at the biggest 2019 venture capitalist cyber investments, according to figures collected by the Wolf Hill Group., shows the SOAR and EDR trends gathering momentum. The cybersecurity awareness vendor KnowBe4 bagged what appears to be the biggest investment of the 2010-19 period, with $300 million in June 2020, a bet that rampant ransomware will drive organizations to ramp up training to mitigate the risk of successful phishing. Securing end users was also the implicit focus of a midyear $200 million investment in Cybereason as investors look for EDR vendors that can match the success of Tanium and challenge established players such as Crowdstrike.
Another $200 million of venture capital rolled into OneTrust, which automates privacy assessments and maps data inventor. Another key indicator of cybersecurity investment trends comes from the 2019 deals incumbent vendors who make the beat-them-or-buy-them calculus about new rivals. Yet there are many more cybersecurity investments are harder to put a pricetag on because they are internal to the company making them.
Amazon is the prime example. AWS in 2019 held the first-ever Re:Inforce cybersecurity conference in which the public cloud giant gave prominence to AWS’ own cyber products, from the general availability of the Security Hub tool to built-in security features of new Nitro EC2 instances based on IO cards, chips and hypervisors that AWS says are more secure than previous versions of the popular cloud computing instance. Microsoft Azure Security Center, which rolled out enhancements at the 2019 RSA Conference, can be expected to try and keep pace with AWS, while Google Cloud Platform (GCP) will likely continue to build on services such as Cloud Armour – the WAF that got a boost in 2019 – to make GCP it a viable competitor to AWS and Azure from a cybersecurity standpoint
Unlike the big-dollar investment rounds in which the public can watch venture capitalists attempt to pick infosec winners, calculating the spend on public cloud security is a matter of inference and confidence that the vendors will deliver the functionality promised on their respective roadmaps. That’s a challenge for users who must decide either to allocate budget to shoring up the defense of sunsetting legacy systems or accept the risks of not while focusing spend on securing emerging cloud-native infrastructure.
All these investment dynamics puts growing pressure on cyber startups to either outperform the established players in those sectors or come up with new products and services with no current competitors. Using public cloud providers as a platform may enable those innovators to gain a foothold with limited investment. Despite market consolidation, new players have continued to attract attention from investors for initial funding and some corporate users prepared to take a chance on a small company. Moreover, the rise of cloud-native IT will require a new approach to cybersecurity in many respects. Cybersecurity market consolidation will continue, but innovation from outsiders has the potential to make a breakthrough.
But VCs are motivated by profits, not by a commitment to securing data and networks – and cyber may soon take a backseat to other trends, says Nate Hartman, CISO at Truvantis. “I see VCs doing what they always do – striking at anything that’s shiny,” Hartman says. “From an investment prospective if big data, artificial intelligence and machine learning are hotter than infosec companies securing endpoints the money is going to go there.”
But there is still plenty of money in the investment and M&A pipeline. The people running the booths in the back of the RSA Conference may not yet be on the radar of cyber-oriented venture capitalists or the subject of multi billion-dollar acquisitions. But the trip across the showroom has provided a glimpse of cybersecurity’s future.