After Vegas: Experts Weigh In On Cybersecurity Investments

Forbes Communications Council
POST WRITTEN BY
Lise Feng

With the 20th Black Hat and 25th Def Con wrapped up, security pros are remobilizing their defenses against adversaries who froze power plants, held dozens of banks, hospitals and manufacturers hostage, and may have influenced the U.S. election. Alongside these real-world attacks, the Vegas stage shined a glaring light on new hacks to "pwn" voting machines, cars and even radiation detectors.

I’ve left similar talks feeling naked just for connecting my devices to the internet. Freshly reminded that everything is hackable, I asked industry experts about security investments to understand what’s next for this space.

Follow the money trail.

Courtesy of PitchBook.

PitchBook data shows that VC cybersecurity investments peaked in 2015 at $4.2 billion and are trending down -- $3.6 billion in 2016 and $2.8 billion in 2017 as of late July. But Kyle Stanford, VC analyst at PitchBook, predicts that “2017 is on pace to eclipse the highest deal value and come close to the highest number of completed transactions [in cybersecurity].” One reason for this uptrend is the expectation that AI and machine learning funding will enhance security innovation for identifying and thwarting attacks.

Zooming in on buying patterns from the past three years reveals the warp speed at which the industry moves. Neil MacDonald, the security oracle of Gartner, takes hundreds of customer calls each year. He notes a shift in 2014, when customers began investing in tools to “rapidly detect and respond” to threats that evaded antivirus and firewalls. Those post-perimeter threats drove demand for tools that analyze access through user behavior, network traffic and endpoint detection. Today, the cyber response has again broadened, this time with an emphasis on fortifying processes. Two of the hottest investment areas for customers are building security into IT operations and development and raising workforce awareness.

User appetite for the cloudification of everything has exponentially expanded the attack surface and with it the nuances in security response. Strong customer demand and VC funding continue to fuel innovation. But the problem is, just one misconfiguration, one ill-fated employee click, can unlock access for hackers. “Even if the good guys bat .900, they’re going to get pwned,” Accel Partners’ Jake Flomenberg says.

The C-suite weighs in.

Danny McPherson is Chief Security Officer at Verisign, a company that ensures the security, stability and resiliency of key internet infrastructure and services. He says: "As the internet gets more interconnected, multi-tenancy means more systemic dependencies."

Lookout’s Chief Strategy Officer Aaron Cockerill emphasizes the need to secure the connected ecosystem: “Increased mobility means IT departments need to secure their companies’ data and assets outside their traditional perimeter, on the endpoint.”

“As companies race to the cloud, security teams or proper security controls are often left in the dust,” notes Ben Johnson, co-founder of Carbon Black and Obsidian Security.

These perspectives reflect the complexity of securing data across the many layers of the cloud. Add in the litany of breach disclosures and the ghosts of government surveillance leaks, and it’s understandable why security on and off the cloud has become a boardroom issue. As a result, security war chests have grown even as the cyber-skills shortage means there is not enough human talent to fill the need.

In this context, it makes sense that the growing markets MacDonald cites address security gaps by maximizing efficiency. Bringing security into processes for building and running connected things helps reinforce broken defenses, as does growing security-consciousness among employees. Plugging these holes won’t cancel out the need for more security pros, but they are necessary fixes in a connected world.

VCs eye new bets. 

According to PitchBook, top VC firms Accel and NEA are among the most active investors in cybersecurity startups in the past five years. Like MacDonald, both see green pastures in companies that can secure DevOps processes. One particular sub-sector seems to resonate:

“I’m increasingly excited about companies in the security orchestration and automation space,” Flomenberg notes. Already he has led a series A for Demisto, which automates simple, repetitive tasks, freeing security responders to focus on “the highest value problems.”

Aaron Jacobson, principal at NEA, also sees opportunities for security orchestration companies. “The cybersecurity talent shortage creates a ripe opportunity for investment. Analysts are simply overwhelmed responding to incidents,” he says.

It makes sense why this space is so promising. As McPherson at Verisign sums up, the defense framework is understanding: "What assets do I care about? Where do they live? Only then can you determine the most effective controls to protect them."

More connected things and data traversing on- and offline networks expand the terrain for defenders to cover. This increases the need to bake security into the DevOps lifecycle for each piece of the connected ecosystem from consumer-facing devices to back-end infrastructure. In this environment, security automation can absorb basic tasks like monitoring SIEM alerts or scanning for malicious attachments. Orchestration comes into play by connecting tools (like automation), systems and processes -- enabling human talent to focus on strategic workflows.

Getting dry powder.

Flomenberg observes, “Early-stage security deal volume still feels robust.” He is quick to note: “My intuition is, we’re seeing a separation from the haves and the have-nots.” Those who scale live to fight another day towards becoming the next security platform. Those who fail to scale could still salvage a respectable exit by way of acquisition.

“While we’ve seen a slowdown in early-stage activity in cybersecurity, the market is there for growth-stage companies,” says Jacobson. That is because later-stage brands can tap the public markets and private equity growth avenues unavailable to less established players. 

But, cautions Johnson, “I’ve seen very smart, experienced teams have trouble raising funds.” This happens when seed or series A companies fail to stand out in the crowded field and when late-stage startups can’t show revenue to justify follow-on rounds.

Somewhere off Sand Hill Road, I’m waiting for a friend. A few feet away, two VCs chat quietly, optimistically about an emerging space. I sip my old-fashioned, feeling a smidgen safer.