Oren Yunger is an investor at
GGV Capital, focused on enterprise IT infrastructure, development tools and cybersecurity. He was previously chief information security officer at a SaaS company and a public financial institution.
The global cybersecurity market is booming: Cybersecurity-related spending is on track to surpass $133 billion in 2022, and the market has grown more than 30x in 13 years. But it’s not all unicorns and rainbows. Some industry watchers have claimed that the cybersecurity market is a bubble about to burst. To understand the debate, it’s important to look beyond traditional supply and demand metrics.
On the one hand, the demand for cybersecurity solutions is huge. Organizations are increasingly investing in cybersecurity, as evidenced by a recent report by Gartner Group showing security spending is outpacing IT spending. Security departments are expanding in size and budget, and, at the helm, security decision-makers are gaining respect more than ever before. With ever-dynamic cybersecurity risks and regulations, it is clear to most C-suite leaders that there’s more to be protected and more on the line.
Security is taking on a new shape within organizations. Generally, security buyers are investing in various categories in order to protect their organizations. Moreover, security is often integrated into new business initiatives and used as a competitive advantage. Across the different approaches to security, the resounding sentiment is clear — no one wants to be breached. However, this preparation for a cyber doomsday might be disproportionate to how breaches affect the bottom line.
Well-publicized security incidents in recent years resulted in little long-term effect on the bottom line. Equifax has regained its full market cap less than two years following the “incident of the century,” and Sony, a $70 billion-plus giant, incurred “catastrophic” damages of less than $100 million after proprietary, sensitive and even embarrassing data was stolen. It seems that companies deal with their worst-case breach scenarios without enduring severe financial losses that were once believed to devastate companies. So, are security departments just crying wolf? If so, could the demand for solutions decrease?
On the other hand, let’s think about the supply: The landscape of cybersecurity solutions and services is strikingly saturated. Still, this busy frontier continues to attract founders and investors alike, with 300+ new startups launching every year and VCs investing in cybersecurity at a record high of $5.3 billion in 2018. Further, many cybersecurity startups are able to raise large rounds of funding, with exceedingly high valuations, despite having little market traction. But even when funding is pouring in, it is not easy for the cybersecurity business to survive, let alone successfully exit. Dave DeWalt, the former CEO of FireEye, said it well: “We are in this situation where there are just too many vendors and too few can be sustained.”
The answer does not lie in where cybersecurity is today, but where it is going next.
With overvaluation of startups, market saturation and the seemingly less-than-catastrophic impact of breaches, it’s no wonder why some are worried about the cybersecurity industry. I, for one, don’t think the bubble will pop anytime soon.
Unique factors make cybersecurity a formidable market. To highlight a few: Government and defense investing serve as anchors that continually fuel growth. For example, the U.S. 2019 President’s Budget includes $15 billion for cybersecurity-related activities, and France has committed to 4,000 cyber headcount by 2025. This type of demand is not going anywhere anytime soon.
Besides, increased compliance and regulatory requirements such as the EU’s General Data Protection Regulation (GDPR) calls for action from companies and propels awareness and sales even further. On top of that, the industry is dynamic and keeps reinventing itself. New categories emerge in spaces like Zero Trust and IoT security to address threats that are growing in scope and sophistication. The future-forward mindset in the industry is so strong that sci-fi writers are employed to predict cyber threat scenarios as well as inject innovation into cyber defense.
While these factors contribute to the strength of the industry, they are not the primary elements that will prevent the cybersecurity bubble from bursting. The answer does not lie in where cybersecurity is today, but where it is going next. In the foreseeable future, cybersecurity will face unique threats that will fuel its growth even further:
- Customer impact: High magnitude attacks geared toward B2C companies could lead to massive customer churn and bottom-line damage. Once consumers feel the effects, they will fear working with companies they don’t trust. The awareness level of consumers to cybersecurity and privacy is already raising the bar for companies to beef up their security efforts. As a result of higher customer expectations and intensified regulation, many companies will further invest in security and the market will keep expanding, respectively.
- Economic impact: In its Global Risk Report 2018, the World Economic Forum (WEF) listed cyber threat as one of the most critical risks threatening the world economy. In the near-term, companies will likely incur paralyzing attacks that will shut down daily operations, causing unprecedented loss of revenue eclipsing the breaches we’ve witnessed thus far. These crippling cyberattacks will lead to direct growth in cybersecurity spend.
- Civil-life impact: Attacks on developed countries could interrupt electricity, water supply and more, causing massive civil-life disorder. In addition, the rise of IoT and autonomous machinery in our day-to-day will not only expand the attack surface, but also threaten lives. The safety of people will pressure political bodies into creating regulatory requirements to bolster security for embedded technologies and scrutinizing how smart devices are secured.
It is true that the security market is highly fragmented, some companies are overvalued and not every new security tool will be a big success. But as our world becomes more software-driven, cybercrime will inevitably intensify, leading to new matter entering the security bubble. This will propel security into a significantly larger market at an even greater rate, visible by investors, leadership teams and company boards. Instead of bursting, the cybersecurity market will only keep developing and growing.