The New World Order of Cybersecurity
A decade ago, few would have thought that hackers could compromise our gas pumps, contaminate our water supply, cripple our hospitals, and change the course of a war. As software and the internet structure more and more aspects of our lives, and we store and share more and more of our personal information digitally, the threat of cybercrime continues to mount. This rising danger has prompted immense growth in the global cybersecurity market, which is expected to reach over $400 billion by 2027: a nearly fivefold increase from its market size in 2017.
At Foundation Capital, we’ve long had conviction in this category. Since 2001, we’ve made 23 cybersecurity investments that have led to three IPOs and 10 successful acquisitions. As we approach the end of this year and cautiously inch towards the post-Covid era, I wanted to provide an update on the cybersecurity landscape (which was dramatically reshaped by the pandemic), share three key trends my partners and I are seeing in the market, and elaborate on the themes Foundation Capital is tracking this year and beyond.
The Cybersecurity Market in Review
By every measure, 2021 was a banner year for the cybersecurity market.
- We saw five new IPOs, one of them being our portfolio company ForgeRock. Today, there are 28 public cybersecurity companies, compared to just 10 in 2010.
- M&A volume increased 300% year-over-year to over $75 billion. We’re proud to count three of our investments in this flurry of activity: CloudKnox (bought by Microsoft), Respond Software (bought by Mandiant), and MistNet (bought by LogRhythm).
- A record $30 billion flowed into cybersecurity startups across over 1,000 new financings. Cybersecurity startups saw more dollars invested in 2021 than the last three years combined.
The narrative in 2022 is slightly more complex.
- As we entered the year, market volatility increased as a result of inflationary pressures, supply chain problems, and the Russia-Ukraine war. During the first half of the year, public cybersecurity stocks decreased ~25%: roughly in line with the S&P 500 (~20%) and NASDAQ (~30%) corrections. Meanwhile, M&A activity maintained its rapid clip, with $102 billion of transaction value driven by major acquisitions of VMWare, SailPoint, Mandiant, and Barracuda.
- Venture dollars continued to flow into cybersecurity in the first six months of 2022, with $12.5 billion of capital raised across over 500 new financings: roughly in line with the first half of 2021. Yet, while 2022 began in the green, deal volume in Q2 2022 dropped 20% from a year earlier.
- As we went into Q3, cybersecurity stocks started underperforming the market and fell 7.2%. (By comparison, the NASDAQ fell 5%, and the S&P 500 fell 6.3%.) Similarly, venture funding activity plunged to $3.1 billion across 189 deals: a 60% decrease from a year ago.
We expect both the public markets and the venture funding market to further cool in Q4 and into the first half of 2023. We also expect continued take-privates of public cybersecurity companies by private equity firms as public valuations drop further.
3 Key Trends in Cybersecurity
Over the past two-plus years, we’ve observed three important trends that we believe will increasingly define the cybersecurity market.
1. Ransomware poses a constant threat
Privileged access abuse continues to be a primary route for ransomware breaches. This is likely why identity and access management is either the first- or second-highest category of spend for information security leaders today.
According to data from CrowdStrike, ransomware attacks rose from around 1,500 in 2020 to over 2,500 in 2021: an 82% increase. Examples include the Colonial Pipeline hack in May 2021 that cut off nearly 45% of all fuel provided to the East Coast, the JBS attack in May 2021 that jeopardized a quarter of the U.S. meat supply, and the Kaseya breach in July 2021 that impacted up to 1,500 businesses worldwide.
Motivated by the outsize profits to be made, ransomware has coalesced into an organized, multibillion dollar industry. Groups like DarkSide and LockBit provide “ransomware as a service”: a subscription-based model that enables bad actors to use ready-made tools to execute cyberattacks and earn a percentage from each payment that results. These organizations are highly sophisticated, and many of them have nation-state affiliations. They often post their financial statements online for the world to see and reap billions of dollars from their exploits every year.
2. Migration to the cloud is in full force
The pandemic demonstrated the value of hybrid cloud infrastructure to companies around the world. With lockdowns keeping employees at home, demand soared for certain products and services (such as grocery delivery, at-home IT equipment, and e-commerce) and collapsed for others (such as travel and retail). As how we worked, collaborated, and accessed information shifted fully online, cloud infrastructure enabled quick capacity adjustments depending on demand, along with the ability to add new software without the need to access on-prem data centers.
Gartner predicts that global public cloud end-user spending will increase by 20% annually, reaching $495 billion by 2022 and nearly $600 billion by 2023. Morgan Stanley’s 2022 CIO survey showed that cloud computing was the IT category with the largest year-over-year spending growth. It follows that cloud security is also the fastest growing category of cybersecurity spend, having increased 41% between 2020 and 2021 to $840 million. Despite these gains, cloud migration is still in its early innings. For example, Barclays Research has found that only a third of workloads are in the public cloud today.
We believe cybersecurity will continue to be crucial to enabling the transition to cloud infrastructure. We’ve already made six investments that tackle this opportunity from various angles, including protecting data, identity, and access before, during, and after a cloud security breach.
3. Software supply chain attacks can create devastating domino effects
Today, most code is assembled rather than written by developers, who rely on open-source libraries and integrations with vendors to power their programs, from data management and authentication to messaging and payments. These “low code” and “no code” platforms have spurred a dramatic uptick in the pace of software development. Indeed, between 2020 and 2025, Microsoft Research predicts that 500 million new software apps will be built.
The interconnections and dependencies that result mean that a single zero-day flaw can have far-reaching impacts. We saw this play out in December 2021, when a vulnerability surfaced in Log4j, a Java-based data-logging utility widely used in products from companies like Amazon, Cisco, Atlassian, and Nutanix. Over 100 million devices were impacted, with over 10 million attempts to exploit this vulnerability every hour tracked.
This breach followed the SolarWinds supply chain attack in December 2020: the largest and most advanced of its kind to date. It resulted in malicious code being sent to over 18,000 customers via an update to SolarWinds’ Orion product, which is used by companies to manage their IT resources. Likely inserted by Russia’s foreign intelligence service, this code provided backdoor access to the IT systems of many of SolarWinds’ clients. This, in turn, allowed the hackers to install additional malware and spy on their targets.
A survey conducted by SecureLink and the Ponemon Institute in 2021 found that 51% of organizations had experienced breaches due to a third party. Better software solutions can help security, IT, and engineering teams defend against this risk.
Our Cybersecurity Investment Themes
At present, we organize our cybersecurity investments around five core themes:
1. Securing the modern development stack
As developers rely on open-source repositories and third-party integrations to speed up their workflows, new security vulnerabilities are emerging. To prevent security from becoming a bottleneck, companies need new tools that satisfy security decision makers, developers, and infrastructure teams alike. We’ve already invested in two startups that are tackling this problem: DevZero, which enables developers to code securely in the development cloud, and Levo, which provides API discovery and security testing.
2. The intersection of cloud, data, and identity security
As the amount of data proliferates, and the risk of high-value customer and employee data loss grows, enterprises need to better understand which identities have access to which data sets. Achieving this task is complicated by the nature of cloud infrastructure, where services are co-managed with third-party cloud providers. We’ve been very active in this category through investments in Stacklet (cloud governance as code), Skyflow (data-privacy-vault APIs), Fortanix (multi-cloud data security), Anvilogic (security operations platform for the cloud), and Permiso (cloud identity detection and response).
3. Protecting the IT, OT, and IoT attack surface
In recent years, the connected devices that compose the Internet of Things (IoT) have caused information technology (IT) and operational technology (OT) — historically, siloed domains — to converge. The result has made our physical infrastructure susceptible to cyberattacks, as the Colonial Pipeline incident and numerous hospital ransomware cases underscore. From 2019 to 2020, there was a 2,000% increase in operational technology (OT) attacks, while 90% of organizations experienced at least one OT system intrusion in 2020 alone. Despite the scale of the threat, there are still no public cybersecurity companies that focus specifically on OT and IoT. We believe this will change, and we’re excited to back startups working on the challenges of securing our real-world, connected infrastructure.
4. Managing human error in cybersecurity and reducing the impact of phishing
According to research from Verizon, 95% of cybersecurity breaches are caused by human error. Since the start of the pandemic, business email compromise scams have seen a 65% spike and have drained $43 billion from victims’ coffers. As targeted phishing becomes more sophisticated with clever social engineering campaigns, existing messaging security and cyber awareness providers have not kept up. We’re on the lookout for solutions that reduce human risk while also improving user experience for employees and customers.
5. Network security for the ‘new normal’
In the coming years, we believe network security will undergo a renaissance. With hybrid work now the norm, security teams can no longer assume that offices are the only perimeter they need to defend. The adoption of 5G, with gigabit speeds that are equivalent to the fastest fiber broadband, is also changing how employees access the internet. Securing this ever-expanding attack surface will require novel approaches, and we believe this will spawn a new generation of network security companies.
As we look toward 2023, we’re excited to deepen our commitment to this critical market and advance the urgent mission of protecting our digital world. If you’re looking to start a company in this category, we want to hear from you! We partner early and are eager to roll up our sleeves to support the next generation of cybersecurity startups.