Why we need more startups and venture capital in cybersecurity, and what needs to change for the industry to mature
Explaining why we need more, and not fewer startups and VCs in cybersecurity, why we will lose the battle against the adversary if we don't embrace innovation, and what we must change to evolve
There are two statements people in the security industry like to repeat over and over again: “There are too many security startups - we don’t need so many of them”, and “There is too much venture capital going into cybersecurity, we need less VCs investing in the space”. In this deep dive, I am discussing why both of these ideas are understandable yet short-sighted, what problems we should be solving to move the industry forward, and where we can go from here.
What is “too many” when we are talking about startups?
How many startups are too many? Well, that depends on whom you ask. IT-Harvest, the largest and the most comprehensive source of security insights founded by Richard Stiennon, counts nearly 4,000 cybersecurity vendors. Is that a lot? The answers to this question will vary. I think it comes down to the points of comparison.
For someone who has worked in the industry for a long time, it's certainly much more than what they had to deal with twenty years ago. That is true but a lot has changed since then. Two decades ago,
There was no public cloud. Amazon launched AWS with the Elastic Compute Cloud (EC2) service in 2006. Microsoft announced that they would be entering the public cloud market in 2008, but Microsoft Azure (formerly Windows Azure) was only released in 2010. It was also in 2008 that Google announced that they were entering the public cloud market with the release of their App Engine.
There was no iPhone. The first-generation iPhone was announced by Steve Jobs on January 9, 2007.
There was no widespread adoption of the Internet of Things (IoT). Cisco estimated that the IoT was born between 2008 and 2009, defining the IoT as "simply the point in time when more 'things or objects' were connected to the Internet than people".
Social media hadn’t really started. Facebook started in 2004, YouTube in 2005, Twitter (now X) in 2006, Reddit in 2005, Instagram in 2010, Snapchat in 2011, and TikTok in 2016, to name a few.
There was no Bitcoin or cryptocurrency. Bitcoin, a decentralized digital currency, was created in 2009.
This list can go on and on, but the main point is that two decades ago, the world as we know it was a different place. If we are to compare the number of security vendors to the number of vendors in other industries today, our perspective changes immediately:
There are over 30,000 financial technology startups.
There are over 20,000 (or even 30,000) marketing tech startups.
There are over 20,000 (or even 30,000) HR tech startups.
There are over 50,000 climate tech startups.
If security is as we like to say "everyone's problem", I don’t necessarily think 4,000, or even 5,000 security vendors are a lot. Moreover, a large number of cybersecurity startups benefit the industry in several different ways. Let me explain.
How a large number of security startups benefits the industry
Innovating as fast as adversaries
We know that adversaries move fast and are constantly developing new technical capabilities, building new exploits, discovering new vulnerabilities, experimenting with new attack vectors, and even innovating their business models. To stand a chance against bad actors, defense teams need to keep up with new ideas and approaches, continue strengthening their defenses, and remain current about the innovations that can impact their ability to safeguard their organizations.
It would not be feasible for every individual security team to build all the tools they need to do their work in-house. Even if they wanted to, the reality is that 95-99% of the market does not have the resources (i.e., access to talent, time, and funding) to be able to do it. We need someone to build these capabilities and act as an innovation lab for defense teams. Academia, the government, and not-for-profit organizations have proven unable to satisfy these needs. Startups, on the other hand, are a perfect fit. Run by people willing to work around the clock to make their vision a reality, cybersecurity startups make it possible for security teams to keep up, and even get ahead of the adversaries.
Educating the market about new problem areas
Most companies do not learn about new problem areas by attending technical talks at DEF CON, local BSides, and Blue Team Con (although many would benefit from doing exactly that). New problem areas and new approaches to solving old problems do not become broad market knowledge organically. Instead, it happens because someone is willing to evangelize about these ideas. That “someone” is cybersecurity startups.
Cybersecurity startups reach out to CISOs and security practitioners to educate them about better ways of solving security problems. For example, before Carbon Black, CrowdStrike, Cylance, and a few other companies brought to market the concept of behavioral detection, the general understanding was that having an antivirus is sufficient to protect endpoints from bad actors. Without the work of these companies, we would not have had Anton Chuvakin of Gartner in 2013 coin the term "endpoint threat detection and response", and neither would we have seen a broad market adoption of the solutions we now know as endpoint detection and response, or EDR.
Having many companies channel their marketing dollars to talk about the same problem area or value proposition of a specific solution greatly accelerates market awareness and education about a problem. For example, if we did not have so many companies talking about API security, we would be unlikely to have ended up in a place where so many practitioners know that API security is important, why that is, and what they can do about it.
Speeding up the adoption of best practices
Although education is important, market-wide adoption of best practices doesn’t happen simply because someone publishes a whitepaper or gives a talk at a conference. In security, timing is everything, and the quicker a new approach can gain traction, the better outcome we will see. For example, it is not enough to have a few companies that invented a password manager or multi-factor authentication (MFA) and could make it available for those actively looking for new solutions.
Additionally, we cannot hope that the government is going to move fast and create demand for important security measures by legislating minimum security requirements. A lot of that work has to happen in the private sector. Someone needs to proactively reach out to the market and get it to buy the new solution. This work is done by security startups: by investing in sales and go-to-market more broadly, security startups greatly expedite the adoption of new practices.
Competition creates incentives for the best approaches to win
The cybersecurity market benefits from increased competition. When there is competition, companies in the industry are pushed to innovate, bring the best products to market, and make them accessible by offering them at the most competitive price. Without strong competition, and a large number of security vendors that create it, cybersecurity solutions would only be accessible to Fortune 1,000 enterprises, and those who would be able to afford exorbitant prices of monopolistic vendors. We already have a situation where the majority of security tools are only available to large enterprises, and it would have been even worse if the number of security vendors was lower.
Moreover, it is precisely the competition in the industry that forces companies to improve their capabilities and prevents them from locking customers into decade-long contracts and restricting the ability of buyers to integrate with tools outside of the walled gardens of large vendors.
Accumulating, refining, and distributing domain knowledge
It would be amazing if a person or a company that initially came up with a new idea would always succeed in implementing it and becoming a market leader. In reality, that is not typically the case. Successful innovations are iterative, and most companies that come out as “winners” in different markets are built by leveraging the ideas, achievements, and learnings of those that failed before them.
Think about cars as an example. Before Henry Ford introduced the Model T in 1908, tens, even hundreds, of others developed what later became the building blocks of the modern car. In 1769, Nicolas-Joseph Cugnot built a self-propelled vehicle with a steam engine. In 1873, American engineer George Brayton developed a two-stroke kerosene engine. Then, in 1886, Karl Benz patented the three-wheeled Motor Car, known as the “Motorwagen”. In between these milestones, there were countless others that eventually led to Ford, Mercedes, Tesla, and others.
Technology is no different. Although Steve Jobs is most definitely one of the greatest visionaries, he wasn’t the first to come up with an iPhone (for anyone who wants to better understand how that story originated, I highly recommend watching “General Magic”). We would not have gotten Wiz, Palo Alto, and Cloudflare, to name some, if tens or even hundreds of cybersecurity founders, many of whom eventually failed, did not lay the foundations for them to emerge.
The only way the line “We don’t need this many security companies” would hold is if the first company attempting to solve a problem would be successful 100% of the time. The issue is that a first entrant rarely becomes the winner. This is especially the case in cybersecurity where first entrants have to allocate enormous amounts of resources to educate buyers who aren’t easy to convince, don’t like to recognize that they indeed have problems, and are too swamped with other work to even consider trying new solutions.
Laying the foundations for large platforms
Although it is tempting to think that we don’t need the so-called point solutions, and all we need is security platforms, that statement misses the understanding of how platforms come to be.
Every company that becomes known as a platform has to start as a point solution. We were too quick to forget that Palo Alto was just a firewall company, CrowdStrike was just an endpoint detection and response (EDR) tool, and Cloudflare's primary product is its content delivery network (CDN), which helps websites deliver their content more efficiently to users worldwide, not the security capabilities it is known for by many in the industry.
I have previously talked about the shortage of cybersecurity founders building companies, not features or products. While I stand by what I said in that piece, it is worth acknowledging that every platform starts as a point solution. It is the size of the vision, the ability to execute, the market conditions, and of course luck that define who will become a platform and who won’t, not the first feature the company started with.
Large platform vendors innovate through acquisitions
As companies become too big, they lose the ability to innovate. This is true for any industry, and security is not an exception. It doesn’t matter how nimble the company stays: eventually, it will need to expand into uncharted waters where it has no expertise, no talent, and maybe even no competitive advantages.
Moreover, the innovator’s dilemma is real (for those not familiar with the concept, I highly recommend reading Clayton Christensen’s book). Wikipedia summarizes the problem well: “Large incumbent companies lose market share by listening to their customers and providing what appears to be the highest-value products, but new companies that serve low-value customers with poorly developed technology can improve that technology incrementally until it is good enough to quickly take market share from established business”. The innovator’s dilemma explains quite well why the present of cybersecurity isn’t defined by companies like Symantec even though they certainly had the chance to establish themselves as leaders for years to come.
Large cybersecurity vendors innovate through acquisitions. They do it by waiting until leaders or winners in segments they are interested in emerge and then acquiring one of the top companies that meet their criteria. In other words, there are hundreds of problems that might become important tomorrow, but no one knows for sure which few of them will. Startup founders take the risk to pursue innovations that are likely to go nowhere, thus creating this large number of startups many in the industry like to complain about. Large companies, on the other hand, cannot afford to invest in pursuing thousands of different directions and are instead focusing on their core value proposition. Once startups de-risk new ideas, incumbents can just pick the winners and integrate them into their portfolios.
What follows from this is that if we want to see platform companies continue combining more and more solutions under one roof, we need startups solving small problems because those that win will become components of a platform (or even build their own).
If there was one security platform, it would be very insecure
One last reason why the security industry benefits from startups is the fact that any monolithic platform becomes less secure as it grows in size. People who had an opportunity to work with a large legacy platform, be it SAP, Salesforce, or Workday, know that the bigger the platform, the less efficient it becomes. Moreover,
Large platforms drown in technical debt.
Large platforms have poor support channels.
Large platforms become insanely hard to implement, especially in fields that require customization.
Large platforms are expensive because most customers are paying for a multitude of features they will never use.
Large platforms are expensive because the deeper they become embedded into the customer’s workflows and the more areas they cover, the harder it becomes to switch and the more power the platform vendor has over the buyer.
Last but not least, the larger the platform, the bigger its surface area, and the more vulnerabilities it ends up introducing. To top it off, bad actors find it easier to focus their efforts on poking holes in one single tool which unlocks all doors, thus leading to the situation when the biggest security products may also become the most insecure single points of failure.
Three real problems with startups in security
To sum it up, I don’t think we have a large number of security startups. That, however, doesn’t mean that there are no problems. When people say “there are too many startups”, what I am hearing instead is “I find it hard to differentiate between all the options on the market and make informed decisions”, “I find it hard to validate vendors’ claims”, and “I find the go-to-market practices in the industry not acceptable”.
These three problems are the real reason why so many security leaders and practitioners are becoming disillusioned about the security industry. And, these are the three problems we need to solve.
Navigating a large number of undifferentiated security tools
The 4,000-5,000 security vendors are not as many as people assume, especially when compared to other fields. The world has become incredibly competitive, and it is just the way it is.
One factor that makes dealing with a large number of vendors especially tough in security is that most solutions in the industry are entirely undifferentiated. When I navigate to different companies’ websites, I often find it hard to even understand what attack vector the product is designed to tackle, let alone how it is different from the competition.
Marketing sites are littered with statements like “We stop zero days” and “We make companies secure”, and it can be impossible to tell if I am looking at, say, a cloud security product, a managed security services provider, or a reseller of firewalls.
Last but not least, it is not always clear how many startups are able to deploy funding well and truly create innovative approaches and ideas, and what percentage are simply a copy of open source solutions sold via traditional go-to-market channels.
Evaluating security tools
A lot of cybersecurity innovation is deeply technical, and the value of different tools is hard to assess. When comparing one solution to another, it is often impossible to see which of the two tools does a better job of preventing, detecting, or responding to threats they are designed to tackle. This, combined with the fact that most solutions are undifferentiated, makes it incredibly frustrating to navigate the vendor market.
I have previously discussed the move from promise-based to evidence-based security, but the truth is that the trend is not as quick to materialize as one would like. That is because it relies on security talent which most organizations simply don’t have. As the industry matures, we have to get better at evaluating security products. That is how we can differentiate tools that work from those that don’t, and let the market forces decide what solutions are going to win, and which will fade away, regardless of how much capital they raised.
Dealing with the go-to-market approaches in cybersecurity
Most security buyers are disillusioned about the current go-to-market approaches in the industry and inundated with cold calls, email spam, and other aggressive sales and marketing practices. They are right to be upset: the industry needs to evolve. There is a lot I could say on this topic but I have written about this at length before, and some ideas are worth repeating.
“We are witnessing that the next generation of security leaders - older millennials - have a different approach to the sales process, they:
Only want to be contacted when they are interested in evaluating a new solution (the traditional “push” model is being replaced by the new “pull” model).
Value the ability to find what they are looking for easily, how and when it works for them.
Value the ability to sign up and try a product on their own, without having to go through lengthy demos and sales negotiations before they decide the product in question could potentially be a solution.
Look for the ability to make a purchasing decision without a pushy salesperson.
Need the ability to do a technical deep dive with the vendor and its security team.
Take to social media to say what they don’t want to see in the industry.
Call out specific vendors for their behaviors, and openly promote tools they find valuable.
As generations of buyers change, so will the GTM tactics that work. These shifts have happened in fields such as software engineering, and they will happen in security. However, monumental shifts like this don’t happen overnight. I think that for large enterprises, the changes I am talking about are roughly a decade or two out; for SMBs, they are already underway. This evolution is bringing new, fresh perspectives to go-to-market strategies in cybersecurity, enabling companies to choose nurturing community over perfect attribution, lead quality over lead quantity, and improving the buyer’s journey over pushing its products.” - Source: Cybersecurity marketing: in need of fundamental change
How much is “too much” venture capital in cybersecurity?
“There is too much venture capital in cybersecurity” is another statement commonly repeated by security leaders and practitioners. How much venture capital is “too much”? As usual, the answer depends on what we choose as a point of comparison.
Momentum Cyber data shows that between Q3 2021 and Q2 2023, investors put $41.3B into cybersecurity.
Source: Momentum Cyber
Is that a lot? Certainly. But, if we look at funding in fintech, we see that in two quarters alone, Q3-Q4 2021, a whopping $67.6B went into fintech. In other words, two months of investment in fintech exceeds two years (!) of investment in cybersecurity by 36%. Suddenly, our perspective changes.
Source: TechCrunch
Mike Privette of Return on Security recently published a 2023 market summary stating that last year, there were 684 funding rounds across 100+ unique product categories worth ~$12.7B. This number is ~20% lower than the value of all investments that went into financial technology in one quarter (Q1) of 2023.
Another example is investments in cleantech. Just three or four months of funding in cleantech greatly exceed two years’ worth of venture funding allocated to cybersecurity.
Source: Cleantech Group
Looking at funding in other industries doesn’t help us understand how much is “too much” venture capital in cybersecurity. But, it highlights the fact that there is simply a lot of venture capital available, and security is not unique, and neither is it where the majority of the capital is being deployed.
How venture capital benefits cybersecurity
Cybersecurity, both as an industry and an area of professional practice, greatly benefits from access to venture capital.
Venture funding allows us to keep up with the adversary
All the work done by startups - innovation, market education, adoption of best practices, and accumulation of knowledge - is only possible because of venture funding. Somebody has to pay for research and development, provide money for security vendors to hire researchers and software engineers and build products, and fund marketing - the same marketing that makes it possible for security vendors to evangelize about important problems and provide solutions to these problems at scale.
A large amount of VC funding indeed leads to the growth of security startups, most of which will fail. What people forget is that every startup adds not just to the complexity of the industry, but to its body of knowledge. Every startup, whether or not it will end up growing into a successful business, contributes back learning that others can use to move forward. Large platforms don't invent the whole space - they leverage knowledge created by others (point solutions!), and bring it all under one roof.
Without VC funding and the pressure from investors to move fast and innovate, we would not be able to stand against highly motivated, highly agile, and well-funded adversaries who are also moving fast and innovating. Ironically, the same pressure from VCs that causes startups to grow their revenue and scale operations also accelerates the adoption of security best practices such as password managers, MFA, vulnerability management, and cloud security posture management.
Venture funding is critical for the platformization and consolidation of cybersecurity
People who suggest that cybersecurity needs less venture capital often don't realize that innovation would be much slower, and tool consolidation would not at all be possible without VC funding.
To build a platform company, founders need to find product-market fit in one segment, and then move fast to expand into other problem areas. I do not believe that any platform company can happen in security without venture backing. Palo Alto could have bootstrapped building a small firewall player but not a company capable of offering a broad platform; the same applies to CrowdStrike, Wiz, Snyk, Cloudflare, or any other platform player.
Platform creation is a two-step process. First, VCs fund the accumulation of knowledge. The unwelcome side effects of that are crowded marketplaces and the creation of point solutions. Then, the same VCs fund consolidation and refinement of knowledge which results in the creation of security platforms. Therefore, it follows that if we want to see industry consolidation, we should welcome venture funding in cybersecurity.
Two real problems with venture capital in security
To sum it up, I don’t think we have “too much” venture capital in cybersecurity. That, however, doesn’t mean that there are no problems. When people say things like “there is too much venture capital”, I am hearing that “companies should be able to succeed without venture backing”, and that “not every company should get funded because not every company brings real innovation”. In my opinion, these two are legitimate concerns that we as an industry should be looking to solve.
There is barely any room for bootstrapped teams to succeed in the security market
Not every founder should be building a venture-backed company. Some cybersecurity problems are better solved by building open source projects, bootstrapping small point solutions, or monetizing one’s expertise by establishing service providers. Ideally, entrepreneurs would be in a place to decide if they should be raising VC capital. The challenge is that that is easier said than done.
When most cybersecurity companies raise a lot of capital, the few startups that don't will often find themselves unable to compete. The idea that the best solution should win is a good one, but in real life startups with access to more resources can more effectively educate the market about their offerings, hire a bigger or more capable team, ship new products and capabilities faster, iterate more frequently, and go to market more efficiently. This flywheel effect unlocked by venture funding makes it highly improbable that a bootstrapped security company can win in a competitive category. I completely understand that this is likely to be upsetting to people who still remember the time when one could build a business around an open source tool and not raise any external funding. However, at this point, this is just the reality of the market, and the time of small, bootstrapped teams, in my opinion, is over. There will always be exceptions such as Wazuh and Thinkst, but it will get harder and harder for new founders to take this path.
Getting venture backing is not a guarantee of success, and the fact that a company received more money than its competitor doesn’t mean it will win. That said, I think that the chances that startups with no venture funding will start outcompeting their VC-backed competitors are low. It may be possible in some market segments where there is less interest from VCs, but not in those that present lucrative business opportunities to security entrepreneurs.
It is worth adding a note that the recent economic downturn will certainly force startups to become smarter about deploying capital, and is likely to weed out companies that do not solve real problems for customers willing to pay for having them solved. It is, however, unlikely to change the broader reality of VC-backed vs. bootstrapped companies, especially if we are talking about products.
Investors need the ability to evaluate security startups better
We don’t need less capital, fewer VCs, or fewer startups in the industry. We need VCs to be able to discern the bad from the good and evaluate security startups better.
I have previously discussed at length the fact that it is hard for “tourists” to understand the inherently complex cybersecurity space. Specialist VCs (investors who are either fully or partially focused on cybersecurity) have a tremendous advantage when it comes to being able to assess security companies. It is even better when former security founders and CISOs become investors, as is the case with Zane Lackey, previously the Co-Founder and Chief Security Officer of Signal Sciences and now a General Partner at Andreessen Horowitz, and Stephen Ward, former CISO at The Home Depot and now a Managing Director at Insight Partners.
A great way to ensure that investors are up to speed with what’s happening on the ground is to embed them within security teams. It may sound counterintuitive to some, but nothing is more effective in helping VCs understand the pain points of security teams than working in the same room as security teams. Several corporate venture funds are leading the way in doing exactly that. This collaboration benefits both sides: investors get to stay as close to the problems as possible, and security teams get an opportunity to evaluate the latest and greatest technologies before they hit the broader market.
Being a security leader and being an investor require different skill sets, and we should not expect that people making investment decisions will all turn into security engineers. The key to solving many industry problems lies in forging a closer collaboration between investors and security professionals. For startups, security practitioners can add value by becoming angel investors (such as what we are doing with VIS Angels) or advisors. By working closely with VCs, security professionals can help investors build a better understanding of different problem areas and market segments, and even assist with evaluating companies during due diligence.
I don’t think that the industry will benefit from having VCs throw more and more capital at security problems without understanding what they are funding. However, I am also failing to see how taking to social media and saying that “We don’t need so many VCs in cybersecurity” is going to help move cybersecurity forward. We are all going to be better off if security practitioners and VCs find ways to work together to identify innovations worth funding.
Going into the future: we all need to reset our expectations
As we go into the future, I am hoping more people in the industry will understand the complexity of the startup space and stop saying things like “We need fewer startups” and “We need fewer VCs”. If anything, we should be encouraging more people to go out and try to solve hard problems. Not just build tiny features and sell them as SaaS solutions, but innovate, try different approaches to old problems, and help mature the industry. This is how innovation works: different approaches compound and successful companies are built on top of many failed ones.
I also think we need more VCs and more capital in cybersecurity. We need investors that understand the nuances of security, and capital that is used to support ambitious founders with big visions tackling hard problems. Innovation needs capital. Bad actors are investing in evolving their capabilities and building new ones, and so should we if we want to defend our infrastructure.
Innovation in security is inevitable, as it should be. We cannot wish that whoever was there first would define the direction of the market. Moreover, I don't think we should be hoping that Symantec, one of the oldest cybersecurity companies out there established in 1982, is going to solve all security problems. Startups are the drivers of innovation while large platforms drive stagnation. When we advocate for industry consolidation, we should be very careful what we wish for: talk to anyone who has to use 50-year-old Enterprise Resource Planning (ERP) tools, or someone who has to customize a single screen in a legacy Customer Relationship Management (CRM) product if you want to hear some horror stories.
What we need as an industry is a great reset of expectations.
Security vendors need to stop assuming that they can just keep going with what they have been doing, forever, and it is going to work. Founders need to start thinking about ways to deploy capital effectively, and ways to get their companies to profitability. Moreover, security startups cannot hope they can keep their go-to-market strategies the way they have done before. CISOs are tired of poorly targeted sales and marketing activities. Founders need to know what they are building and learn how to communicate that, in ways that buyers and users of their products can understand.
Investors need to understand that the security market in its current state is, as Cole Grolmus puts it, a game of musical chairs. Large companies will continue to buy products as that’s how they preserve their ability to innovate. But, there are somewhere between five and ten chairs, regardless of whether the category has 25 or 250 vendors. Palo Alto won’t buy ten versions of the same solution, and neither will Microsoft or Okta. Private equity firms won’t acquire startups that don’t have a strong product-market fit. The list of security buyers is not infinite, and at some point, when the music stops, too many companies will have no chairs to sit on. Any new kids on the block that enter a saturated category without underlying changes in technology or the market that are strong enough to justify their existence (think of going from antivirus to EDR) will be entering a bloodbath. And, investors need to be ready for the fact that at some point, playbooks that have worked for what seems like forever will stop being as effective.
Lastly, security leaders and practitioners need to accept the fact that the industry has evolved; not just accept but truly embrace it. Security is not going back to what it was when it was defined by the hacking culture, underground communities, and what seemed like a vendor-free landscape. The number of attacks is only going to increase, and with that, so will the number of startups in the field. Instead of hoping that we can somehow avoid dealing with complexity, we need to accept it as a given and find ways to add value to this new reality. For one, we need to get to the point where we can better evaluate security tools, verify the claims vendors are making, and adapt what the products offer to the unique environment of every organization. As I’ve said before, tools alone won't save us but if all we have is tools - why don't we at least use them?
As for the industry as a whole, it will continue evolving. Regardless of what the next decade will bring, three laws will remain true. First is the law of natural selection. Companies that solve real problems, are built by world-class teams, and out-execute their competition, will win. Second is Price's Law, a mathematical principle that essentially states that for any productive community, 50% of the results are achieved by the square root of the total group. In cybersecurity, this means that of all security startups (let’s assume there are 5,000 of them), about 71, or the square root of 5,000 will own 50% of the market. Lastly, as Jim Barksdale said, there are only two ways to make money in business: one is to bundle; the other is to unbundle. The cybersecurity industry is not unique in that it deals with the same pendulum, going from what we call best-of-breed (point solutions) to best-of-suite (consolidated platforms) and back.
Excellent article again Ross! Great points and incredible depth!
Great article. I've been doing cyber security corp dev and have been involved in the cyber security industry for almost 2 decades... and I've always heard folks say this is the year the market consolidates. It's almost always in January! :-) I'm currently at Structural Capital and focus on writing $20 million to $50 million venture debt checks. Curious how you view the venture debt side of the market.