The 360 degrees view of cyber: notes and reflections about the state of cybersecurity after the NightDragon's 2022 year in review event
Earlier this week, NightDragon hosted its second State of Cybersecurity event. In this piece, I summarize some of the points brought up by the speakers along with my own reflections about the topic.
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Earlier this week NightDragon, the leading venture capital firm for cybersecurity, safety, and privacy, hosted its second NightVision State of Cybersecurity event. In this article, I will summarize some of the points brought up by the diverse group of 15 speakers that especially resonated with me. This post is a mix of notes from the event overlaid with my thoughts and reflections; when you see something that makes sense - assume it’s the insight from the panel; for things that don’t - assume it’s my opinion. It goes without saying - all opinions and omissions are my own. To hear from speakers directly, check out the recording of the 2022 Year in Review: NightVision State of Cybersecurity here.
2022 was a year of big shifts & big records
Last year was a year of big shifts and big records, in both good and bad ways. The ransomware attacks seem to have reached their maximum and so did the cybersecurity talent gap, while the M&A activity in the industry has been incredibly strong as well despite the economic uncertainty.
Source: NightDragon
Last year started with the aftermath of the Log4j, highlighting the importance of basics such as patch management, as well as the critical role of supply chain management, and ended with breakthroughs in AI and machine learning, with ChatGPT taking over the world by storm in December 2022. The global geopolitical events and Russia’s war in Ukraine in particular have further exacerbated the already complex threat landscape. The danger levels of cybersecurity have increased with the rise of information warfare, and cyber-physical convergence we haven’t had to deal with to the same degree before.
While it might feel like everything is doom and gloom, it isn’t. The level of cross-cabinet and cross-agency coordination in the US, including that between the CISA, NSA, and FBI during the past year has been impressive. The new frameworks and regulations that have been passed, as well as those that are on the horizon, are formalizing the rules regarding disclosure and the responsibility for cybersecurity on the board level, to name a few. The growth of public-private partnerships, and the increased security spending at all levels of the government - federal, state, and local, among Five Eyes and NATO partners, has accelerated the maturation of cybersecurity practices. The government realized that its role is to support the private sector in establishing strong security practices and acted on that realization: it provided threat & vulnerability briefings to the leaders of critical and emerging sectors, equipping them with an actionable understanding of their threat profiles, produced guidance on Zero Trust, and implemented many other critical initiatives.
The private sector has been active as well. On one hand, the tide has turned on cyber spending, and security leaders are being asked to make strong business cases in order for them to get more funding, while boards are starting to get serious about evaluating the ROI on security investments. Driven by the need to cut costs and reduce complexity, simplification has become a theme of the market with many companies moving away from the “best of breed” to the “best of suite” solutions. On the other hand, the cybersecurity industry is still as lucrative as ever: with $6 trillion in losses from cyberattacks, the market opportunity for innovators is $400B - making it the largest asymmetric theater ever. Over 66% of security leaders polled by NightDragon say they are looking to increase their 2023 budgets by 6-8%, showing that security spending will be growing significantly faster than general IT, despite the economic uncertainty.
While we are bracing for the recession, the cybersecurity super cycle continues, fuelled by the threat environment which creates response by the customers, leading to more spending on security, and in turn - more investments from VCs and more new companies started by entrepreneurs looking to take advantage of the moment.
Cybersecurity: resilient but not immune
In 2022, on the buyer side, we have seen the sales cycle extensions and a push for reevaluation of the company’s cybersecurity investments. In public markets, following the impressive performance of the sector in 2020 and 2021, security was seen as a safe place to hide. However, stocks of the vast majority of cybersecurity companies were substantially down, proving that while security is resilient to downturns, it is by no means immune. That is not surprising: when a business’ margins are thin, every line of the company’s spending will get closely examined and questioned. On the other hand, the geopolitical events, and especially the Russian war against Ukraine, acted as strong reminders that cutting cybersecurity budgets drastically would be unwise.
While it is true that many great companies get started in down cycles, those that want to succeed in these economic conditions will need to change their approach to growth. Going into 2023, we will see “best of suite” platform companies having an advantage over “best of breed” point solutions, as they will be more efficient from sales and procurement angles enabling customers to consolidate their tooling and reduce vendor sprawl.
The financial health of the business is becoming critical as more and more buyers are looking for confidence that the vendor will be around in 3-4 years.
When it comes to investing in cybersecurity, the fundamentals of the practice remain largely unchanged. The VCs look at the same three parameters they have been looking at before (the three “T”): team, tech, and TAM. What’s new is that at early-stage, investors now want to see solid proof that there is demand - whether in the form of revenue or at the very least - convincing letters of intent. Early-stage has always been about understanding the complexity of technology and thinking with long time horizons in mind. The time when an idea alone in a nicely formatted pitch deck would get tens of millions in valuation at pre-seed is long gone. At the later stages, profitability and sustainable growth are as important as ever. While growth will continue to be important, VCs now expect to see recurring revenue models, profitable growth metrics with a focus on healthy cash flow, and the presence of a “land and expand” component of the strategy giving startups the ability to increase their share of wallet with the existing customer base. Having solid distribution channels and low burn is now critical to survival.
Investors in the industry have seen the competition for the best founders intensifying. VCs in the space do not see themselves competing for the customers as much as they compete for the ability to back winning teams. This is a fair sentiment, especially as the total addressable market in cybersecurity is projected to grow, while the pool of entrepreneurs with know-how and a readiness to compete in this complex market is scarce.
One of the problems with the VC community is that when it identifies an area of growth, both founders and investors run into the segment, overcapitalizing the “me too” commoditized solutions and leaving other critical security areas underfunded. This is unlikely to change in 2023, although we have seen many “tourist investors” pulling out from the space, which naturally leads to hopes that specialist investors with a solid understanding of cybersecurity can improve the situation in the upcoming years. This “market normalization” is not unexpected: it was seen in 2002, following the September 11 attacks, in 2008, following the housing crash, and is happening now.
Looking into the new year, investors have reasons to stay optimistic. Since the price of entry determines the multiples of exits, normalized valuations create the opportunity for better returns. In December 2021, some argue we were more than 2 standard deviations to the right when it comes to valuations, while today we’re way off to the other end of the spectrum, so that will likely normalize within a year or two. While the market conditions may not be as good, on a relative basis we will see software be one of the best-growing segments of the economy; within that software, cybersecurity is expected to be one of the fastest-growing sub-segments as well.
From complexity to simplification
If there is one word that can describe the year 2022 in the context of security, it would be “complexity”. Indeed, we are seeing a lot of complexity on all levels.
In the past few years, we have seen a growing number of organizations move part of their infrastructure to the cloud without fully refactoring their applications to account for this change, leading them to not achieve the anticipated return on investments. The vast majority of environments are a mix of cloud and on-prem, which creates additional complexity when it comes to securing the infrastructure. The risks associated with this growing complexity are pushing companies to start prioritizing refactoring, addressing technical debt, and reviewing what should stay in the cloud, what should be kept on-premises, and what needs to be sunset.
The question of tool consolidation keeps coming back as well, due to the growing number of products an average security team has to navigate. CISOs understand that having 100+ vendors is not sustainable, and bringing the list down to 4-5 isn’t realistic, so they are looking for ways to consolidate while ensuring that they do not compromise on functionality and create gaps in their security coverage. Every few years, we have seen the pendulum swing between the “best of breed” (point solution) and “best of suite” (platform) approaches to security. Today, it is moving again. Organizations that are fortunate to have access to talent, can afford to stitch together the “best of breed” vendors. The majority, on the other hand, are looking at “best of suite” - holistic platforms where they can address several security issues in one place. This is one of the factors that have made 2022 a great year for CrowdStrike, Palo Alto, Zscaler, and Microsoft which all saw their revenue from cybersecurity offerings grow significantly.
As we go into the new year, it is clear that consolidation, simplification, and automation will remain big areas of focus for security leaders. Some “best of breed” vendors will inevitably keep their leadership positions, especially those that tackle emerging technologies. For the majority, however, it will be harder to compete against platforms promising to address multiple issues at once. This is a part of the continuous movement: to remain competitive in the face of rapidly changing technologies, big enterprises have to acquire top startups in new categories, add them to their suite of solutions, and look for ways to grow fast by leveraging the “land and expand” strategy and economically disadvantaging the competition.
Security services are in demand, but their nature is changing
In 2022, we saw over $100B in M&A activity (as of the end of Q3), and one of the largest categories that has been consolidating is security services. Managed security services are one of the fastest growing parts of the market, and rightfully so: while more and more companies realize the need for strong security, it is also becoming apparent that building cybersecurity practice in-house is expensive, time-consuming, and for many - simply not feasible. Managed security services are growing as they address many concerns at once: the cost, the access to talent, and the knowledge of best practices, to name a few. However, talking about growth alone would miss an important point, and that is the changing nature of security services.
It used to be that security service providers would come in with their own technology, implement tools from the shortlist of vendors they had direct relationships with & manage these tools on an ongoing basis - monitor alerts, adjust configurations, and reach out when anything alarming was discovered. Today, more and more customers already have a set of solutions and are looking to own vendor and product selection in general. Managed service providers they hire are there to integrate technologies the customer has already acquired, and add value on top of that. Instead of outsourcing all IT and infrastructure management, and security as a whole, companies today are looking for ways to co-source and/or outsource select parts of IT and security responsibilities.
This is exactly the shift I recently described in-depth when looking at the evolution of managed security service providers. In the future, security service providers that will survive the competitive market will be seen as trusted advisors and will have to add value on top of tooling they didn’t choose - by understanding the business, the risks in the customer’s environment, and establishing systems and processes, including custom threat detections logic, to address unique risks of the organizations they serve.
We need to rethink the so-called talent shortage problem
I have previously published an article on TechCrunch saying that to bring PLG to cybersecurity, we need to change our hiring habits (the non-gated version is here). The same is true for the broader problem of security talent shortage, and I am glad to see that more people in the industry share this point of view.
To start, it is worth highlighting that as of the end of 2022, we had over 700,000 unfilled jobs with the word “cyber” in the title, which undoubtedly validates that there is a strong demand for experienced security professionals. The good news is that last year, we have seen the continued work from the government side to build awareness of cyber careers, and take actionable steps to close the gap including the collaboration between the Department of Commerce, Department of Labour, and Department of Education. We are also seeing the growth of cybersecurity programs offered by universities, community colleges, bootcamps, and other training providers, initiatives to reskill the veterans and get them ready for careers in security, the growth in the number of scholarships, and so on. These developments will inevitably help alleviate the problem over the next five to ten years. However, it won’t be enough. To address the issue of the talent shortage, we need to rethink what we are doing about the problem.
There are multiple reasons why trying to do what we have done before won’t work. First of all, while there are hundreds of thousands of unfilled positions, there is also a large pool of people unsuccessfully trying to break into the industry. Moving into cybersecurity from IT, engineering, and other career paths is not easy. Companies are typically looking for someone with “5+ years of experience”, leading the catch-22 for aspiring professionals: one can’t get hired because she doesn’t have experience, and one can’t get the experience because she can’t get hired. The answer to this challenge lies in companies being more open to growing and developing talent at the job, something that is hard to do when security teams are already understaffed and overextended.
It is becoming apparent that we need to start diversifying security teams by recruiting people with industry lenses. As was rightly noted at the summit, the best person to identify signs of mortgage fraud is someone who came into security from the mortgage space, bringing deep domain expertise and know-how from the field. Similarly, for a pharmaceutical company to build a strong security team, it needs to have someone who came to the industry from pharma, and the only way to do it is by hiring people who know pharma and teaching them security. We need to expand our lenses when building security teams as diversity goes beyond gender, race, and age: we need diversity of backgrounds as well. In the spirit of this idea, I have previously touched on why security teams should start recruiting product managers.
Vendors have to do their part to help address the challenge. First, this means making their products more accessible. “The problem is that the vast majority of the tools in the industry are not easily accessible. Unless you contact the sales team for a quote and can prove that you are an established business able to meet a fairly large number of endpoints, good luck getting access to some of the most commonly used tools.” - Source: Venture in Security. Vendors can do better so that aspiring security professionals can easily learn the tools they will need to do their job. Second, security vendors need to think about solutions that help companies do security with fewer people - automation, artificial intelligence coupled with human reviews, and so on.
With the maturation of cybersecurity and the need for more technical security professionals, we know that the future of security will come down to talent, not magic tools. Therefore, each part of the market needs to do what’s in its power to help shape the new generation of skilled, job-ready professionals.
Trying to find one theme for 2023 is a loser’s game
Trying to come up with one theme for 2023 is a loser’s game. There is a multitude of factors that will affect the cybersecurity space, including:
The rollout of the National Cybersecurity Strategy with its plans to shift risk from consumers to producers, and focus on building resilience - in technology, people, and the country overall. It is expected that the government’s Cyber Workforce Strategy will come to fruition as well, and it will be more action-oriented than what we have seen before.
Driven by the regulatory requirements and the headlines about many prominent companies getting breached, we will be seeing more cybersecurity awareness at the board level, especially among publicly-traded corporations.
The transformation of managed security service providers will continue. Traditional MSSPs acting as resellers of technology will be falling short of customer expectations, creating an opportunity for technically proficient rivals to expand their market share by addressing specific customer problems and becoming trusted security advisors. The M&A activity in the MSSP space will continue as well, leading to further segment consolidation.
We will continue to find new applications for AI and machine learning in cybersecurity; these technologies will have an impact on both what threat actors are able to do and how we can defend ourselves.
Educating consumers about privacy and cybersecurity will become critical, especially in areas like healthcare. Now that consumers are gaining full access to their data, they will need to understand the process of granting permissions for other parties to access their information, the boundaries of healthcare providers’ vs their own responsibility for safeguarding the data, and more.
The government, especially at state and local levels, will need to continue investing in security as it has been an easy target for attackers in the past few years. Local and state governments are typically unable to attract the right talent both because of the relatively low maturity of security practices, and budgetary limitations to what they can afford.
Since most security teams won’t be expanding, the focus on automation, creating playbooks, and reducing repetitive tasks to free up time will continue to increase. Additionally, we will see a growing emphasis on getting the most out of the existing tools and infrastructure.
Increased focus on cyber literacy. We are seeing a growing realization that the earlier we can get people to develop good cyber hygiene habits, the earlier they can start contributing to building a safer future. While it is important to educate the company boards, senior management, and staff, it is equally critical to work with high school youth, and college, and university students who will be joining the workforce in the future but are active users of the internet from a young age.
Push for building cyber resiliency, helping organizations to “prepare to recover”. The core assumption is that every company will be breached, so minimizing the impact and building the ability to recover quickly is as important as having sound defense capabilities to reduce the chances of the cyber attack happening.
The geopolitical uncertainty and the war in Ukraine will continue to pose a threat of cyber attacks from nation-states.
This is only a small part of what we can expect to see, and even that is a lot to process.
When it comes to industry segments, it is even harder to name a single theme. Securing Operational Technology (OT) will be critical, as we are talking about 20-40-year-old equipment that was not designed with security in mind. Segments such as manufacturing, oil and gas, telemedicine, digital health, cloud, and 5G all require attention and thoughtful design of defensive capabilities. There are simply too many gaps all around to be able to say that “X is the most important area we need to address”.
Taking the long-term perspective
As the pace of technological changes is accelerating, it is important to take a long-term perspective when thinking about the future of cybersecurity. Some trends such as the move from promise-based to proof-based security, the evolution of security service providers, as well as the growing importance of security engineering, are strong and easy to observe, while others are much more blurry and uncertain. Unlike other areas of tech-driven innovation, the pace of innovation in cybersecurity is set by the offense (I have previously discussed this and other unique characteristics of investing in cybersecurity in depth: Investing in cybersecurity: a deep look at the challenges, opportunities, and tools for cyber-focused VCs). To identify the areas that will be mainstream among defense a few years from now, it is critical to look at where the offense is today as it takes about 4-6 years for the defense to catch on with the offensive playbooks.
In the short term, areas such as IoT and industrial security as well as the problem of weaponized data are critical. In the medium term, we will have to advance in solving the problems of cloud security and automation. Within the next decade, we will need to tackle the problem of confidential computing capabilities in a world where the chances of quantum computing are increasing every day. Even if the risk of quantum computing disrupting cybersecurity as we know it might still be a decade away, companies need to start assessing the potential impact and planning for that today.
The two areas of growth for upcoming years that are worth calling out separately are data security and identity.
In the data-driven economy, we depend upon trustworthy data for everything we do. If the data used as input for decision-making is compromised, the consequences can be catastrophic. While today when we think about data security, we often imagine deep fakes and misinformation, the impact of data weaponization goes far beyond that. Think about the automated stock trading systems & Bloomberg terminals programmed to execute decisions at wire speed - the consequences of bad data can be catastrophic. The same is true for applications that leverage AI and machine learning: the impact of feeding compromised data to algorithms and the output of machine learning models is hard to predict. When thinking about security, we ought to ask ourselves a question:” What is the mouse after?”. The mouse is after the cheese. Attackers are trying to get access to the data, hence that is what we need to secure. We need to protect data at rest, in transit, and importantly - in use; this is where new advances such as homomorphic encryption will become critical for the future of cybersecurity.
The problem of identity remains to be solved as well. Today every platform asks users to provide their personally identifiable information over and over again, which makes it impossible to control who has access to what. In the coming decade, we should be moving to a place where consumers will own their own identity and share select parts of it with those who need it. The infrastructure for privacy and data sharing is being built today.
Gratitude
Thanks to NightDragon & its CEO Dave DeWalt for organizing the event, as well as all the speakers open and willing to share their perspectives - Kemba Eneas Walden, Richard Watson, Kris Lovejoy, Vijay Bolina, Vijaya Kaza, Jen Vasquez, Sterling Auty, Fatima Boolani, Rob Owens, Bob Ackerman, Nadav Zafrir, Alberto Yépez, C. Kelly Bissell, and BJ Jenkins. To hear from speakers directly, check out the recording of the 2022 Year in Review: NightVision State of Cybersecurity here.