As 2022 comes to a close, we look back on the constantly evolving cybersecurity market. In 2022, we saw the cyber VC market slow significantly with fundraising down by 50% compared to the prior year. So, what’s next for cybersecurity in 2023?
Below, the team here at AllegisCyber offer their thoughts on emerging trends and highlight what we can expect in cybersecurity in the year ahead.
Here’s to an innovative and exciting 2023!
Cyber companies will continue to meet or beat their plans.
Through the 3rd quarter of 2022, cyber security fundraising is off by 50% compared to the prior year. Notwithstanding the fact that cyber budgets are incredibly resilient and uncorrelated to the macro environment (up 12% year over year, 4 times the rate of IT spending), and that the majority of established cyber companies are meeting or beating their plans,
Indiscriminate cyber investing by the venture community in 2019 and 2020 has resulted in too many undifferentiated companies flooding the market in key sectors.
These segments of the market will see significant consolidation and attrition, leaving the competitive landscape more focused and healthier. The cream will rise to the top, and next-generation solutions targeting emerging new threats will continue to do well, sustain their valuations, and raise new capital.
2023 will represent a retrenchment for the venture capital community and the companies backed by venture firms.
The good news for the cyber security innovation economy is that cyber budgets are largely uncorrelated with broader market trends, with budgets projected to continue to grow at 8% to 12% annually. There will continue to be strong demand for innovative cyber solutions as enterprises continually adapt to evolving cyber threats. Undifferentiated and sub-critical mass cyber companies without truly compelling solutions are likely to be challenged.
The cyber market will emerge from the market consolidation stronger, with the winners accelerating their growth.
VC community for capital Investors will be materially more discriminating in the deployment of capital with a significant pickup in M&A activity as the market looks to consolidate point products into broader security platforms. We should expect venture firms without deep domain expertise in cyber security to pull back from the market in the face of the consolidation and uncertainty over where the “puck is going.”
The later the stage of a company’s development (and the higher the valuation) the more likely a company is to be adversely affected if it needs to raise new capital.
This segment of the market tends to index off public market comps. As public market comps compress, so will private market valuations. Depending on the duration of the correction, the trend will continue for earlier-stage companies. Very early-stage companies will be less affected by valuation compression (they are not that far off the ground), but the bar for getting funded will be that much higher. Incrementally better solutions are likely to go wanting. Highly disruptive ideas targeting very large markets with exceptional teams will be the ones that get initial funding. As the market returns to “normal,” the later-stage companies, having scale and depressed valuations, will be the first to recover as investors look to take advantage of “quality on sale.”
-Bob Ackerman, Managing Director and Founder of AllegisCyber
We should expect that in mid-to-late 2023, the best early-stage (Seed/A/B) cyber companies will begin to command ARR multiples in line with pre-2021 norms.
The 2022 cyber VC market slowed significantly in 2H. Later-stage investments were most impacted, but Series B slowed by 40+%, and Seed and A investments took longer and closed at lower valuations than in 1H. We expect this trend to stabilize in 2023. Cyber budgets continue to grow and will outpace overall IT budgets by a wide margin. These new dollars will be spent primarily on emerging technologies and will benefit startups over incumbents.
Core markets will stabilize around technology winners.
From a technology perspective, we are at the beginning of a multi-year transition as cloud technologies mature and AI technologies begin to drive real-world innovation. For the past decade, cloud advancements have driven security innovation. SaaS adoption drove the creation of various cloud identities, CASB, and similar markets. PaaS has led to CSPM, micro-segmentation, NGWAF, and half a dozen markets built around new DevOps methodologies enabled by PaaS. A veritable botanical garden of cyber markets has emerged, mirroring the explosion in new technologies enabled by the cloud. This trend is continuing, but Further, cloud security innovation is becoming more specialized and potentially more niche.
Data and model provenance, privacy considerations, deep fake detection, and model exploitation are all threat areas that will need to be addressed in the coming years, including new regulatory compliance challenges emerging.
As this wave grows, we expect a mirror wave of security startups to follow, and we're likely to see a generation-defining AI security firm founded in the next 1-3 years. AI is emerging as a fundamental technology building block. In many ways, the AI world looks like the cloud did in the mid-2000s. The technology, after long incubation, is advancing extraordinarily rapidly. Crucially, the tools to use AI in software development are becoming mature enough that "regular engineers" (vs. 100 specialists at the 5 biggest tech firms) are beginning to be able to leverage the technology. This is leading to an explosion of new types of products, and consequently, security challenges.
-Michael Feiertag, Partner at AllegisCyber Capital
Email will continue to be one of the largest security concerns for security leaders within enterprises, both large and small, in 2023.
Given the ubiquity of email, it’s not a surprise that it’s a leading weak point in enterprise security, with 22% of organizations experiencing data loss through email each year. Industries that are traditionally highly regulated, such as healthcare and finance, among others, are no strangers to the need to protect email communications, but the past few years have seen high-profile incidents put the impetus on other industries as well.
The solutions need to cover the encryption of messages and data either at rest or during transmission to other parties. At the same time, they need to be cost-effective. This is a massive challenge, as in many cases it requires cooperation between internal teams and partners, and possibly clients as well.
Within email (and other channels like WhatsApp), phishing continues to be one of the largest threats, both in terms of network security (95% of attacks are the result of successful spear phishing) and financial loss (hackers have attempted to scam companies out of over $3B in the past three years). These spoofing attacks are fairly simple to execute and not simple to mitigate.
We will see more focus on protecting PII (Personal Identifying Information); S/MIME, or Secure/Multipurpose Internet Mail Extensions, will not be enough. That doesn’t cover the other communications channels like WhatsApp, Slack, etc. We will see more technologies emerge to address this vulnerability as well.
Zero Trust will start to become more implemented within organizations.
This will include a security extension for the browser (not just for compliance). In addition, within the enterprise, we will see a trend toward centrally-managed and software-defined access security to control the movement of data in order to keep ransomware and other payloads from being laterally transferred. This will require technologies that allow organizations to segment users, devices, and even applications through an identity protocol without any disruption of business.
-Spencer Tall, Managing Director, AllegisCyber Capital