Cybersecurity Startups: Investment Opportunities & Risks //25.09.20
For five consecutive years, enterprise security has been the number one technology sector in the US for M&A activity with “216 transactions worth over $39.5B in 2019 alone. This trend will likely continue into 2021 as the security public market sentiment consistently leads over broader markets.” VC and PE firms are flush with cash looking to fund companies riding the wave of disruptions in the security market that are being fueled by digital transformation as well continued growth in criminal and state-based hacking. Several established security companies received double digit exits in 2019 and we saw some historic valuations as high as 120 and 46 times ARR with SaaS companies averaging at 8.2.
Innovations in cybersecurity have been a direct result of the ballooning pace of enterprise digital transformation, migration to the cloud, global privacy regulations, growing complexity of security operations, talent deficit in cybersecurity, and continually increasing threats and attack surface due to cloud-native applications and IoT device upsurge.
Digital transformation and migration to the cloud are having the biggest impact on the enterprise security market driving innovations in categories such as Secure Access Service Edge (SASE), Cloud Workload Security, Cloud Security Posture Management (CSPM) and DevOps technologies driving continuous integration and delivery (CI/CD) enabling application development teams to deliver code changes more frequently and reliably.
According to a research study by the Cloud Security Alliance (CSA), 69% of enterprises are moving complex, mission-critical applications to the cloud. Cisco predicts that by 2021, SaaS will account for 75% of all enterprise workloads, as corporate concerns of cloud security have been more or less addressed. This has paved the way for incumbents and new entrants to offer traditional on-premise security solutions with a SaaS go-to-market differentiation.
Privacy Regulations such as GDPR, CCPA have expedited the need for stronger digital identification & verification: multi-factor authentication (MFA), use of biometrics, and migration from password-based to password-less authentication. New companies are emerging with improved technologies for identifying, classifying, securing and sharing user data through stronger and futureproof encryption techniques, zero knowledge proofs and blockchain technologies for minimizing user data exposure, creating immutable transactions logs, and ensuring supply-chain security. Regulations are also driving a need for fraud detection, continuous risk assurance and cyber insurance strategies.
Complexity of modern security operations and the cyber talent shortage are the primary factors contributing to the need for automation and better artificial intelligence (AI) and machine learning (ML) assisted threat detection and incident response in the security operations center (SOC), augmenting available security resources with increased cyber awareness training for non-security employees. A large complexity and security talent deficit have resulted in more companies leveraging managed security services providers (MSSP)s to outsource their SOC or complement it with advanced services such as managed and extended detection and response (MDR, XDR) while complementing common security functions such as vulnerability patching and incidence response with risk-based and predictive approaches. Furthermore, ever increasing budgets for operationalizing security have created a need for security program management tools aimed at measuring effectiveness and ROI of investments in security technologies and board-level reporting.
Increase in threats and attack surface from cloud, mobile and IoT are being compounded with multi-cloud workloads. This is creating a need to upgrade traditional security solutions with next generation iterations to combat the biggest attack vectors with improved anti-phishing, anti-malware, 3rd-party risk assurance, data-leak prevention (DLP), network and endpoint solutions, among others. Moreover, the weaponization of social media to compromise users and endpoints and sudden increase in work-from-home due to the pandemic have created a need for security operations and risk managers to source preemptive threat intelligence and manage disinformation campaigns affecting the brand and reputation of the company.
Access to easy capital is drawing tons of new entrants with hundreds debuting in 2019 and 2020 to join the 3,000+ companies already looking to get a piece of the enterprise security pie. Pre-revenue security startups are increasingly getting $10M+ valuations and each sub-category within security is inviting more and more “me too” companies with incremental improvements over incumbents. For the foreseeable future, cybersecurity will be a “buyers” market and this will inevitably result in consolidation i.e. survival of the fittest and convergence of multiple vendor tools into platforms. Furthermore, the risk of startup failure is much higher due to the ongoing pandemic and stretched corporate budgets.
There has been more innovation in cybersecurity in the past five years than ever before and it is becoming highly competitive for both entrepreneurs and investors. However, there is still enormous opportunity for highly differentiated, best of breed companies in various subcategories, especially those discussed in this excerpt. And, the jury’s still out on many recent technologies such as AI/ML although they’re part of mainstream vendor messaging. Additionally, there are many nascent areas in cybersecurity such as trusted AI, quantum security, disinformation tech, 5G, robotic, automotive, physical security, and more that are primed for innovation.
- Cyber Market, Investment and Exit Trends – AGC Partners Report, February 2020
- The Future of Network Security Is In The Cloud, Gartner, August 2019
- What’s Your SaaS Company Worth? SaaS Capital, v1 2019
- 2019 State of DevOps Report: Presented by Puppet, CircleCI, and Splunk
 Cyber Market, Investment and Exit Trends – AGC Partners Report, February 2020
 SaaS Capital TM
 The Gartner Secure Access Service Edge (SASE) model addresses the changing security landscape resulting in convergence of network and security services like Software Defined Networks (SDN), Zero Trust Network Access (ZTNA), Secure Web Gateways (SWG), Cloud Access Security Brokers (CASB), Data Loss Prevention (DLP), etc. converging into a cloud-native model utilizing global, high-capacity, low-latency edge computing networks to drive down costs and optimize the user experience.