By Bob Ackerman | 12.5.2023
Cybersecurity is an existential threat to the global economy. The World Economic Forum’s (WEF) Global Risks Report places cybercrime and cyber insecurity in the top 10 global risks over the next two- and 10-year periods. Cybersecurity Ventures predicts that cybercrime would cost the world $8 trillion annually by the end of this year.
Power grids, water utilities and oil refineries are now active battlegrounds in cyberspace and pose a significant human risk. In 2022, 40% of all nation-state attacks that were detected by Microsoft targeted critical infrastructure, a 20% increase from the previous year. Ransomware attacks against industrial organizations have increased by 87%, as reported in Dragos’s 2022 ICS/OT Cybersecurity Year in Review. (Full disclosure: Dragos is a portfolio company of two of my other companies, AllegisCyber Capital and DataTribe.)
Cyber risk has been scaling since 2021 when cyber threats increased by 81% alongside remote work. Major cyberattacks like SolarWinds and Colonial Pipeline turned cyber into the hottest investment trend for momentum-chasing VC firms that year, and a record-shattering $128.3 billion was raised, per PitchBook.
Cyber investment is non-discretionary.
Cybersecurity budgets have to increase if CISOs are to counter today’s increasingly sophisticated cyber threats. Cybersecurity spending may be down nearly two-thirds from the 17% growth security budgets saw in 2021-22, but it still increased 6% from 2022-23, according to one 2023 Security Budget Benchmark Summary Report. More importantly, the cybersecurity portion of IT budgets continues to grow, reaching 11.6% in 2023 from 8.6% in 2020.
So then why is the cybersecurity startup market set to hit its lowest point of VC funding on a yearly basis since 2019, when it was at $8.8 billion, according to Crunchbase?
It’s not because cyber is no longer investible. The market is starting to normalize. The “venture” (VTs) that had been juicing noncritical, undifferentiated companies that overcrowded the market in 2020-21 have left to chase the next trend. Chasing momentum with the herd is a different ballgame than investing in solving tomorrow’s cybersecurity challenges. That’s where investment opportunities remain interesting.
Reacting to cyber threats means you’ve already lost.
Cyber is distinct from other deep technical fields because cyber has a persistent offense opponent—cyber threat actors. The offense is technically capable, well-funded and unconstrained in their behavior. They are dedicated to finding and creating exploits and vulnerabilities across all digital infrastructure. The increasingly sophisticated development of their offensive cyber capabilities is what drives innovation in the cybersecurity market.
This dynamic is completely unique to cyber and makes it critical for the defense to—at a minimum—match the rate of innovation from the offense. Responding only to the immediate threat in front of you is a reactive, unsustainable approach to cybersecurity. It’s a never-ending game of Whac-A-Mole; eventually, your arm will get tired and you’re going to miss the attack.
Looking through the lens of an offensive operator lets you anticipate how niche and novel cyberattacks being developed by nation-state groups will eventually manifest themselves into broader-based cyber threats in the market. As Wayne Gretzky is often quoted, “You need to skate to where the puck is going to be, not where it’s been.”
In cyber this means you have to anticipate where the offense is going to be so you can proactively deploy cyber defenses before the next threat vector comes online. Instead of playing Whac-A-Mole and defending against endless waves of critters, you unplug the machine and make sure none of them pop up. As Sun Tzu said in The Art of War, “The supreme art of war is to subdue the enemy without fighting.”
The key to winning in cyber defense is to understand and anticipate the offense.
My observation is that novel cyberattacks developed by well-resourced groups for offensive use will emerge as new threat vectors in the broad cyber market in a four-to-six-year time period.
These offensive innovations create blue ocean and market white space opportunities to build companies that provide novel defense applications against them. Entrepreneurs with offensive domain expertise are the ones best positioned to productize their expertise from a defensive perspective.
Take industrial cybersecurity—and specifically, a portfolio company of two of my companies—for example. In 2010, Stuxnet showed the potential of cyberattacks on ICS/OT systems. Five years later, Russian hackers cut off electricity to a quarter-million Ukrainians across multiple regions. Robert M. Lee, previously a U.S. Air Force cyber operator tasked to the NSA to identify and analyze national threats to industrial infrastructure, helped lead the incident response and investigation for that event.
Lee founded Dragos the next year to protect critical infrastructure. When the company was seed-funded by DataTribe in 2016 (Full disclosure: I'm a co-founder and investment board member of DataTribe), and even after my company led the company’s Series A in 2017, the universal response I received was that it was a losing position because there was no market for industrial cybersecurity. But today, Dragos is considered to be a market leader in the rapidly growing industrial cybersecurity market, a market estimated to reach $24.4 billion over the next five years.
As offense grows, the market searches for novel solutions.
New attack vectors will emerge as technology continues to advance in strides, especially in artificial intelligence (AI). The weaponization of data and AI creates entirely new threat vectors that the defense will have to figure out. AI tools for video and audio deep fakes and AI-enhanced phishing attacks are already being widely used by cybercriminals. These malicious uses were expected.
But how will we handle the next level of AI exploits? Take data poisoning, for example, where adversaries corrupt or manipulate machine learning data to alter AI outputs.
If we can’t trust our data, we have nothing. This opens a market for new data provenance technologies that can provide a chain of custody for data throughout the data life cycle, from its creation to any modifications, to ensure traceability and establish data trust and authenticity.
The threat landscape is massively expanding and cyber is playing a constant game of chase, with the cyber threat actors choosing the time and place of their cyberattacks while we race to catch up with them. An offense-to-defense approach to cybersecurity puts us in the position to anticipate their next move and beat them there.
The information provided here is not investment, tax or financial advice. You should consult with a licensed professional for advice concerning your specific situation.
See article here.