With the sector on pace for continued growth, cybersecurity investor Robert R. Ackerman notes what areas are saturated and what specialties his firm is looking at.

To the surprise of no one who works for a cybersecurity company or in the security department of a corporation or government entity, 2019 was yet another banner year for cybersecurity. It’s expected to grow at even a faster clip during the next few years.

How could it be any other way?

There is the relentless rise in cybercrime, the revived ransomware epidemic, the refocusing of malware from PCs and laptops to smartphones and other mobile devices, and the deployment of billions of under-protected IoT devices. And, too, there is a veritable army of hackers-for-hire.

According to IT research firm Gartner, the global cybersecurity market swelled to $124 billion last year, up from $116.5 billion in 2018. This is an increase of 6.4 percent, more than triple the growth of the US economy. Additionally, the number of data breaches increased 54 percent in 2019, and global cybercrime reached $450 billion annually.

This all points to why cybersecurity is such a great market for investment:

  • it’s a huge and rapidly growing market;
  • investment on the part of the customers is non-discretionary;
  • effectiveness is driven by cutting-edge innovation;
  • successful innovation has a path to liquidity through IPO or M&A market; and
  • exit prices are at a premium to enterprise software multiples

Winners and losers in cyber

But not all cybersecurity investors will reap the ensuing rewards. Virtually every venture capital firm today has cybersecurity as an area of investment interest, but too many continue to invest in undifferentiated cyber companies, such as those focused on various endpoint security solutions to protect the corporate network when accessed via remote devices.

Threat intelligence is another strikingly saturated area, one with more than 100 head-to-head competitors, most of which try to distinguish themselves with marginal incremental differentiation. Frankly, 10 percent to 20 percent differentiation is not going to carry the day in competitive cybersecurity market. The winners/survivors in these segments are going to be the consolidators and the consolidated. The others will likely suffer the fate of overcapitalization with insufficient differentiation.

My partners and I sidestep such arenas and instead invest in companies developing technologies one to two generations ahead of the herd, technologies that are often based on expertise that originate within select federal agencies or laboratories where tens of billions of dollars have been invested for decades.

In particular, we have a strong bias towards expertise that originates in offensive cyber playbooks. This is where the cutting of edge of cyber expertise is developed and refined and where the roots of future cyber threats often find their technical foundations. It was these same insights that led to the creation of DataTribe, the Maryland-based cybersecurity and data science foundry that I co-founded with Mike Janke in 2016 to leverage expertise from the intelligence community to create disruptive cybersecurity start-ups.

What technologies matter today? Advanced encryption, IoT security, industrial control systems, continuous controls monitoring and data provenance. We also invest in technology that relies on cyber space sensors and behavioral indicators, among other things, to identify threats and intercept them at an unusually early stage, well before any damage is inflicted.

I predict the biggest adopters for cybersecurity will be corporations and government entities, but which companies and governments will step forward aggressively remains to be seen. If past is prolog, financial services is likely to take the lead in adopting disruptive innovation. Industrial markets are likely to become much more active in their adoption of cyber technologies, driven by increasing complex networked environments and the costs and consequences of a cyber failure.

Nation-states, too, could easily become some of the major adopters as major world events underscore mounting geopolitical tensions. Among other things, the US’ next president will be pressured to do a much better job protecting the electoral process against foreign interference. Tokyo, meanwhile, will be hosting the Olympics.

Meanwhile, on the private sector front, renewable energy is anticipated to outcompete fossil fuel, and renewable energy sources need to be more secure. Further out, another big adopter could be fully autonomous cars. Already, interference with critical sensors or unauthorized manipulation of today’s in-vehicle apps and entertainment systems is top of mind for automotive companies and regulators.

But is cybersecurity overcapitalized?

What do I say when someone asks me if too many investment dollars are landing in cybersecurity? My answer, is yes and no. The “me-too” stuff mentioned earlier is overcapitalized. Really cutting-edge, differentiated stuff is undercapitalized. The key to success in the cybersecurity market is to understand the difference between the two and to be able to identify the future security gaps (based on offensive insights in our case) and to develop technology strategies to close those gaps.

It short, in a globalized digital economy, anything with a microprocessor and a communications link, is vulnerable. It’s no surprise that cybersecurity has become the fastest-growing specialty within IT and the biggest job producer. And there is no reason this won’t continue.

Small wonder that smart cyber investors are an extremely happy bunch.

Robert R. Ackerman Jr. is the founder and managing director of AllegisCyber, a venture capital firm specializing in cybersecurity, and the co-founder and executive at DataTribe, a cybersecurity startup foundry located in Maryland which focuses on launching start-ups based on cyber domain expertise out of the intelligence community and national laboratories.

Published in the Venture Capital Journal