There are plenty of market assessments showing venture funding totals in cybersecurity startups have retreated from their recent highs. These macro perspectives show that investing in the space peaked in late 2021-early 2022, a time when work from home drove changes in enterprise security architectures, and CISO budgets appeared to be uncapped. Understanding the macro environment, and how it’s changed over time specific to cybersecurity, can help startups chart a path forward.
How Did We Get Here?
Historically, security’s place in enterprise spend has largely been a combination of best practice (often driven by regulatory and compliance requirements) and tooling that’s reactive to emerging threats. Some organizations tie corporate infrastructure security to a percentage of revenue, while others will look to define a risk mitigation strategy whereby the cost of the control must be less than the expected loss in relation to the likelihood of the event (and for those high-impact, low-likelihood events, risk outsourcing through the use of insurance products often makes sense).
Security’s watershed moment was the Target breach of late 2013. While breaches had been previously reported at large enterprises, never before had a CEO from a publicly traded company stepped down in response. This quickly elevated the role of cybersecurity from cost center to business enabler as boards took notice. New regulations were passed, and the role of Chief Information Security Officer (CISO) became codified as a respected member of the executive team.
Meanwhile, the rate of innovation accelerated, giving rise to technologies like Endpoint Detection and Response (EDR), Next Generation Firewalls (NGFWs) performing stateful inspection of traffic, and Commercial Threat Intelligence (CTI) to inform how these systems alerted on threats. This also resulted in transformational changes in log parsing within Security Incident and Event Management (SIEM) attempting to keep pace with all of the new alerts. Tech stacks matured quickly, fueled by venture capital investments at a rate that matched enterprise spend.
What Did the Pandemic Boom for Cybersecurity Look Like?
The rise of ransomware was directly correlated to the pandemic. Gift card scams, skimmers, and all fraud requiring in-person transactions, often conducted by unsuspecting “mules,” were quickly neutered. This forced international crime rings to look at ways to do business remotely.
The ransomware threat matured quickly, developing into a true business ecosystem of access development suppliers, foothold maintainers, and those that actioned the targets for extortion. Access developers would look for externally-exploitable flaws (leading to the rise of Attack Surface Management vendors) and phishing (leading to new vendors focused on email security, as well as security awareness training).
The other buying driver for new capabilities was security’s need to keep pace with the shifting of enterprise infrastructure. Moving to more cloud-enabled services dictated new ways to inventory, audit, and secure access to these resources. The meteoric rise of companies in the Cloud Security Posture Management (CSPM) space was clearly propelled during the pandemic.
Another consideration: with so many security employees working from home, some looked to evaluate new tools, while others began developing their own products or side hustles. Saving the commute time, combined with fewer social activities, enabled new research and exploration – timed with what felt like exponential growth in threat activity. The perception of an unbounded need for new solutions, combined with the explosion of new endeavors, only fueled more interest and growth.
How Did the Private Investment Markets React?
Meanwhile, the lack of opportunities to spend money (vacations, commuting, eating out) created a unique situation where many individuals had additional disposable income, much of which landed in investments. Many public SaaS companies were trading at 15x-25x revenues, driving hyper-valuations in private markets; and this excitement translated to Friends and Family angel capital, often investing in people — not the promise of a sustainable business.
With so many companies launching, and the seemingly unlimited growth, many institutional investors made their first investments in the space. This kept the flywheel going — more new startups, more enterprises evaluating new tech, leading to more investment in the space.
Public markets for enterprise SaaS companies peaked in December 2021. By the end of 2022, the dip in public markets hit while many venture investors continued to make speculative bets on cybersecurity companies.
When Did the Shift Happen?
Coinciding with public market weakness, fears of a recession started taking hold in late 2022. The U.S. Government pumped approximately $2 trillion into the economy through various stimulus programs without matching economic output; stimulus activities made for a temporary, but strong, bump. The job market, believed to be reduced due to a lack of in-person services work, was not rebounding as expected once vaccines became widely available.
On the cyber side, the threat of ransomware was still lingering but beginning to normalize. Following Russia’s invasion of Ukraine in February 2022, there was a measured reduction in incident response cases (some suspect this was in response to Russian criminal syndicates focusing elsewhere). But ransomware rebounded, reaching an all-time high in (known) ransomware payments in 2023, pointing to a conditioning that many have determined to be the current “normal.”
As enterprises began to assess the situation, it was expected that a recession would hit at some point in 2023. Business optimization began, including layoffs and reduced budgets. Cybersecurity was not immune.
What's the New Normal?
The gold rush of cybersecurity meant that many organizations were left with 100+ tools, nearly as many vendors, and staff that were seeing above-market compensation packages; yet high-profile breaches continued. Meanwhile, boards were quickly increasing their cybersecurity knowledge and asking the hard questions. The situation was unsustainable.
At the same time, many enterprise budget and personnel decisions for the security team were being balanced against reduced economic outlooks. As commonly heard over the past 18 months, the decision to acquire a new tool moved from the CISO to the CFO. This increased scrutiny extended the buying process, often calling into question whether a purchase could even be made.
For cybersecurity startups that raised rounds at high valuations in 2021, a strategic decision had to be made: do you reduce burn to extend runway at the cost of growth, or do you stay true to the plan to hit your milestones and raise the next round? There’s no right answer here, and it is highly dependent on risk tolerances of the board.
The prevailing trend in the first part of 2024 is around platform consolidation. With a few clear winners in cybersecurity, many large enterprises looked to optimize their tech stack to as few vendors as possible for a number of reasons:
- A CISO is working more projects with less staff, reducing their availability to hear about new technologies from unproven vendors
- With reduced staff, there are fewer hours in the day to evaluate and integrate a new tool
- CFOs want to work with fewer vendors, to streamline the purchasing process
With that said, there’s still great opportunity for innovative, early stage tech to have an outsized impact on the defense of an enterprise. The threats are continuing to evolve, the vulnerabilities are still there, and breaches are continuing to increase.
How Can a Seed-Stage Company Win in 2024?
Going back to the first principles of a startup, it comes down to finding a problem that many customers have, and building the tech in a scalable way to solve that problem. Doing this well means talking to as many people as possible, to ensure you’re designing a product strategy that addresses a large enough market segment. Investing time at this stage is more valuable than writing any code, lest you become a hammer looking for a nail.
Next, you’ll want to think about how you build it right. Iterative feedback is crucial here, best delivered through a handful of design partnerships. The exchange of value should be clear: you build the tech and adjust it based on the partner’s feedback about what a customer would pay for once it is complete. Negotiating other points of value, like testimonials and reference calls, can be instrumental when it’s time to raise capital.
Once the product has an inkling of filling a need, you’ll next want to think about how to get it in the hands of as many customers as possible. Critical questions around the model (direct sales, channels, partnerships) and growth strategies (marketing-led, product-led) will help you build your go-to-market (GTM) plan. This is also where you can start to plan for the business, building out your pro forma (these never survive first contact, but rather are a tool to communicate how you see the business scaling).
Finding sales talent is extremely difficult in this market. Many of the best Account Executives (AEs) are working at the top platforms and seeing great compensation, so it’s hard to convince someone to take a less certain path and join your startup. As a founder, you’ll lead most of the early sales. Building repeatable processes and measurable traction will help you “sell the sellers” (and is a key sign of your leadership ability to assemble a top-notch team).
The time to build is now. Build your plan, measure your progress, know when to make pivots (both small and large), find the right partners, seek critical feedback, and keep pushing. There’s still plenty of innovation left in cybersecurity.