Venture capitalists have poured money into cybersecurity in recent years – their investments offer a glimpse at what products, solutions and startups are on the horizon.  Lee Sustar reports.

For anyone who’s made it through the twin expo floors at the annual RSA Conference – past the big-name vendors with magicians, fast-talking comedians, flashy free gadgets and weighty swag bags – you’ll find a collection of startup booths with basic brochures, big ideas and an intriguing demo. But will venture capitalists or a Fortune 500 company send enough dollars in the newcomers’ direction to turn their innovations into a scalable solutions? And the investments and buyout terms keep getting ricker.

“I think there is more money chasing limited companies,” says John Dickinson, principal at the Denim Group. “Why do I think this? The daily inbound solicitations from venture capital and private equity companies tell me it’s a seller’s market.”

The challenge facing
those startups – and their potential customers – is a cybersecurity industry
that is increasingly dominated by a shrinking number of big companies. A look
at cyber investment in recent years, including investments by venture
capitalists along with mergers and acquisitions, highlights four related
trends: a move from hardware to cloud-enabled and cloud-native services and
tools; a focus on analytics and automation; market consolidation that will see
many startups either purchased or crushed by established players; and the increase
in security tools and services offered by public cloud service providers.

To gain perspective, climb up the cyber money mountain.
According to Cybersecurity Ventures, total global cyber spending will top $1
trillion between 2017 and 2021, including not just investment in tech vendors
but categories like ransomware insurance and defense budget outlays.

For beleaguered cybersecurity teams facing multiple
challenges, following the cybersecurity money isn’t about speculation, but
strategy. Enterprise-scale organizations are looking for help in automating and
synthesizing the cyber tools and technologies accumulated in recent years as
well as making the transition to cloud-native IT. Consequently, large
organizations are interested in security orchestration, automation and response
(SOAR) platforms to help lash their existing products together. Research and
Markets estimates that worldwide SOAR spending will rise from an estimated $868
million in 2019 to $1.8 billion in 2024, with an annual growth rate of more
than 15 percent.

But spending on and venture capitalist investment in SOAR
technology doesn’t mean it can fully address the problems of integration that
often challenge IT security teams. “SOAR still requires analysts who are goot
Python developers,” says John Johnson, a veteran information security leader.
“If you don’t have the expertise on staff, you need to look at professional
services. Automation can be good for opening tickets, but still not smart
enough to reopen and check the status of open tickets.”

A similar study by Industry Research.co predicts even
faster growth for endpoint detection and response (EDR), a must-have product to
replace old-school antivirus products – a nearly 23 percent annual increase
from 2019-23 to reach $3.4 billion.

But all that EDR log data – which increasingly includes
end user behavior analytics – has to go somewhere. Thus, the Security Incident
and Event Management (SIEM) platforms providing an overall view as CISOs
struggle to get a handle on what matters – and what doesn’t – in order to
reduce their cyber technical debt. IDC pegged SIEM spending worldwide at $3
billion back in 2018, a 12.4 percent annual increase from the previous year.

But the money flowing into securing endpoints and
log-everything analytics leaves another pressing need, application security,
unaddressed, says Larry Ponemon of the Ponemon Institute. The reason: “It’s out
of their area of expertise,” he says, pointing out that CISOs nd their second
in commant often have backgrounds in networks and systems operations and can be
reluctant to spend money on application security products if they lack
sufficient expertise to use them. “CISOs are under pressure from the board to
show a return on investment, “Ponemon says. “They don’t want to spend on application
security and have it turn into shelfware a year later.”

A look at some of the last decade’s biggest investments shows that cybersecurity investors are indeed focusing spending on companies that can meet those demands – both on premises and in the public cloud infrastructure. For example, Tanium, which provides EDR and security monitoring, pulled in $375 million in 2018 alone, making the decade’s top 10 deals list twice.

A closer look at the biggest 2019 venture capitalist cyber investments, according to figures collected by the Wolf Hill Group., shows the SOAR and EDR trends gathering momentum. The cybersecurity awareness vendor KnowBe4 bagged what appears to be the biggest investment of the 2010-19 period, with $300 million in June 2020, a bet that rampant ransomware will drive organizations to ramp up training to mitigate the risk of successful phishing. Securing end users was also the implicit focus of a midyear $200 million investment in Cybereason as investors look for EDR vendors that can match the success of Tanium and challenge established players such as Crowdstrike.

Another $200 million of venture capital rolled into OneTrust, which automates privacy assessments and maps data inventor. Another key indicator of cybersecurity investment trends comes from the 2019 deals incumbent vendors who make the beat-them-or-buy-them calculus about new rivals. Yet there are many more cybersecurity investments are harder to put a pricetag on because they are internal to the company making them.

Amazon is the prime  example. AWS in 2019 held the first-ever Re:Inforce cybersecurity conference in which the public cloud giant gave prominence to AWS’ own cyber products, from the general availability of the Security Hub tool to built-in security features of new Nitro EC2 instances based on IO cards, chips and hypervisors that AWS says are more secure than previous versions of the popular cloud computing instance. Microsoft Azure Security Center, which rolled out enhancements at the 2019 RSA Conference, can be expected to try and keep pace with AWS, while Google Cloud Platform (GCP) will likely continue to build on services such as Cloud Armour – the WAF that got a boost in 2019 – to make GCP it a viable competitor to AWS and Azure from a cybersecurity standpoint

Unlike the big-dollar investment rounds in which the
public can watch venture capitalists attempt to pick infosec winners,
calculating the spend on public cloud security is a matter of inference and
confidence that the vendors will deliver the functionality promised on their
respective roadmaps. That’s a challenge for users who must decide either to
allocate budget to shoring up the defense of sunsetting legacy systems or
accept the risks of not while focusing spend on securing emerging cloud-native
infrastructure.

All these investment dynamics puts growing pressure on
cyber startups to either outperform the established players in those sectors or
come up with new products and services with no current competitors. Using
public cloud providers as a platform may enable those innovators to gain a
foothold with limited investment. Despite market consolidation, new players
have continued to attract attention from investors for initial funding and some
corporate users prepared to take a chance on a small company. Moreover, the
rise of cloud-native IT will require a new approach to cybersecurity in many
respects. Cybersecurity market consolidation will continue, but innovation from
outsiders has the potential to make a breakthrough.

But VCs are motivated by profits, not by a commitment to
securing data and networks – and cyber may soon take a backseat to other
trends, says Nate Hartman, CISO at Truvantis. “I see VCs doing what they always
do – striking at anything that’s shiny,” Hartman says. “From an investment
prospective if big data, artificial intelligence and machine learning are
hotter than infosec companies securing endpoints the money is going to go
there.”

But there is still plenty of money in the investment and M&A pipeline. The people running the booths in the back of the RSA Conference may not yet be on the radar of cyber-oriented venture capitalists or the subject of multi billion-dollar acquisitions. But the trip across the showroom has provided a glimpse of cybersecurity’s future. 

From the March 2020 Issue of SC Media