Written by Tyler Knox
The State of Play in Cybersecurity
The cybersecurity market, at the broadest level, refers to the myriad of technologies and services which safeguard enterprise networks and data. Also commonly known as the information security (infosec) industry, cybersecurity is becoming a matter of paramount concern to organizations of all sizes and across sectors, highlighted by the catastrophic data breaches and ransomware attacks which have plastered the headlines in recent years. For the enterprise, the key is to build out their infosec solution stack to achieve full security coverage while minimizing redundancy across the six key market segments: network security, application security, data security, identity & access management, endpoint security, and security operations.
From the 2017 Equifax data breach to the 2018 Marriott hack, the deleterious reputational and financial implications of these cyberattacks have elevated the importance of enterprise security teams — the Chief Information Security Officer (CISO), risk managers, and technical and IT staff — and the infosec vendors they rely on from “back office” concerns to chief operational priorities.
As Yoav Leitersdorf of LV Ventures puts quite succinctly in a recent article in Protocol, “What board of directors is willing to cut spending on security and increase exposure to cyberattacks?” It is perhaps no surprise that Pitchbook estimates that the $120.6 billion cybersecurity market is expected to grow at an 8.8% CAGR to $183.6 billion by 2022, powered by growing enterprise demand and innovative offerings being developed by both legacy vendors and new ventures to counter emerging threats.
Covid-19 & Infosec: A Market Catalyst
Since the onset of the pandemic, the shift toward work-from-home has only further encouraged actors looking to penetrate enterprise networks. Indeed, coronavirus phishing scams have exploded since the epidemic began, growing from 600% between February and March 2020. Moreover, by late May, the FBI’s Internet Crime Complaint Center had received 320,000 complaints over the course of the year, compared to roughly 400,000 complaints in all of 2019. Experts have warned that the coronavirus outbreak is a perfect time for nation-state hackers to strike, and the effects of such attacks might not be felt for months. In other words, the pandemic is making real what many enterprises were only beginning to think: A comprehensive cybersecurity strategy is now table stakes.
The emergence of covid-19 seems poised to only accelerate advantageous trends for some segments in the infosec market. Cloud-based security solutions, managed security providers, and solutions focused on VPNs/IoT devices are expected to “win” from the changes wrought by the pandemic. These vendors will be buoyed by both a near-term shift to remote work during the pandemic, and in the long-term, a potential for greater optionality for work location. Indeed, securing enterprise networks and remote workers access to firm data has taken on greater importance with the shift of network activity outside the office. For example, publicly-traded infosec firms (Crowdstrike, Okta, and Fortinet) saw their stock prices rally in April, benefiting from their investments in cloud-based security products which can be remotely managed and do not rely on work in-office.
On the other hand, the “losers” from the pandemic will include incumbents and startups selling solutions dependent on securing the physical enterprise. Pitchbook predicts that firms which sell tools like firewalls and physical devices will likely take a big hit for two reasons. First, restrictions on movement will make it difficult for companies to install and manage these tools. Perhaps most importantly, the enterprise attack surface has expanded beyond the limits of the physical enterprise in a post-covid world, undermining the relevance of on-premise infosec solutions for a distributed workforce.
Key Trends: 2020 to 2025
With the pandemic boosting both enterprise prioritization and spending on the segment, where is infosec headed in the years to come? Understanding the changes wrought by covid-19 and even predating the pandemic — including the increased flexibility of the work-from-home model and the expansion of IoT and mobile device use by enterprises — forms the basis of several key thematic trends that we believe will define the cybersecurity industry over the next 5 years:
Continued expansion of online services, particularly the software-as-a-service (SaaS) business model
- IbisWorld estimates that private investment in computers and software will increase at an annualized rate of 3.0% over the five years to 2024, with the percentage of services conducted online forecast to increase to 23.2% by 2024. SaaS offerings tend to be highly integrated with cloud computing and the storage of quantities of secure (customer) information, both drivers of cybersecurity spending, especially for the network security, data security, and information access & management segments.
As noted, the Covid-19 pandemic is expected to mark a longer-term shift to distributed workforces as a part of normal business operations
- Termed the “Great Unlocationing” by Pitchbook, it is expected that the pandemic will spark a new era of fully remote venture-backed startups without central offices (that is, distributed). Indeed, we are beginning to see traditional location-based enterprises forced to work from home make significant investments in distributed capabilities, and will continue to do so in the expansion of distributed workforces, including infrastructure improvements (VPNs and cloud storage) and increased digital endpoint security.
Expansion of IoT and mobile devices for enterprise application
- According to Gartner, IoT devices in business-critical functions are expected to surpass 20.4 billion by the end of 2020. The increasing adoption of IoT devices brings about potential vulnerability and threats (e.g. hijacking, privacy leaks), as many IoT devices are not secure end-to-end, partly due to the lack of any industry-wide security standards. At the same time, the number of mobile devices used by employees also continues to rise, as does the amount of business data stored on these devices.
- While the direct business impact of mobile malware is low, we can expect an increase in the number of enterprise data breaches related to mobile device use and misuse. As IoT and mobile devices further expand the enterprise network perimeter, the potential for security breaches will only increase. For example, in March 2020, Bloomberg News reported how Mishcon de Reya LLP, a U.K. corporate law firm, warned its staff to mute or turn off listening devices like Amazon’s Alexa or Google Home, which its infosec team worried could eavesdrop on confidential client calls.
Cloud security continues to grow in importance as enterprises migrate to the cloud
- Cloud security remains one of the most important trends in infosec, with enterprises shifting their networking to the cloud concerned about data loss and leakage, privacy and confidentiality, and insider threats. The need for users to configure their cloud environments has created vulnerabilities which have led to major breaches over the past several years, including the July 2019 Capital One cloud server data breach of 100 million customers.
Data protection regulation “goes global,” expanding opportunities for data security and identity access & management vendors
- The EU’s General Data Protection Regulation (GDPR) has become somewhat of a standard for expanding data security and privacy regulations in other international jurisdictions, including Australia, Brazil, Canada, Japan, and the U.S. (California’s Consumer Privacy Act 2018). The GDPR and similar programs provide a set of guidelines to help make data security practices more organized, transparent, and protected. This “globalization” of data protection regulations is strengthening enterprise demand for data security solutions to comply with existing and emerging policies. Data security and identity & access management startups like OneTrust, the developer of a technology platform for privacy management, seem well-positioned to capitalize on the expansion of data protection regulations.
AI & machine learning security solutions are expected to grow in importance in infosec for both cyberthreat execution and defense
- According to Cylance Blackberry, 72.5% of surveyed security professionals plan to use AI for cybersecurity defense, 70.5% for malware prevention, and 68.6% for advanced threat prevention, attesting to enterprise interest in AI and ML for cybersecurity. Similarly, AI can be weaponized to both expand the scale of cyberthreats through automation and facilitate the creation of new forms of attack vectors into enterprise systems.
- However, the extent to which interest in AI solutions will lead to successful adoption and market share theft from non-AI products remains uncertain. Pitchbook believes that AI has become a source of skepticism among many CISOs, who are wary of technologies which may fail to identify zero day attacks or recognize false positives due to the fact ML algorithms are trained on historical data, especially in endpoint security.
Cybersecurity skills gap: Challenges in training, retaining, and recruiting a full security team for enterprises
- While larger companies are more equipped to recruit and retain talent specialized in infosec capabilities, the challenge becomes much more acute for small and medium-sized enterprises due to organizational and cost constraints. The cybersecurity skills gap has contributed to the rapid growth of managed security services, including the Managed Detection & Response (MDR) market offering a SaaS platform and outsourced security professionals to coordinate with enterprise teams. For example, the Denver-based Red Canary has skillfully seized on this opportunity to provide MDR capabilities to middle-market firms with its proprietary detection & analytics platform and in-house expert security team.
The “shift left” in application security has the potential to open a new market for infosec
- Pitchbook believes that security is beginning to gain a permanent place in the software development lifecycle as application security increasingly “shifts left” — the introduction of security software at the beginning of application development instead of a final step in the process. The shift left can help startups compete against incumbents’ unified platforms that address the full extent of network and endpoint vulnerabilities.
- Based on the size of this opportunity, Pitchbook argues that the DevOps security market has the potential to create multiple unicorns. For example, Snyk is a developer of security analysis tools designed to identify open-source vulnerabilities. With over $250M in VC funding to date, Snyk’s Open Source Security Management product “automatically finds, prioritizes and fixes vulnerabilities in your open source dependencies throughout the development process.” Snyk also offers solutions for detecting vulnerabilities in containers and Kubernetes applications, fixing insecure configurations, and compliance management.
The pandemic has underscored the vulnerability of enterprises to hostile actors looking to penetrate commercial networks. As employees continue to work remotely in the months ahead, infosec solutions to secure business-critical technologies outside of the office, including mobile/ IoT devices and VPNs, will only grow in importance. The 2025 key trends outlined here , matched by the rapid pace of innovation in infosec, will make the segment an exciting one to watch in the years ahead.