DataTribe Insights - Q2 2023 - Every Cyber Maverick Will Have Their Very Own Cyber Goose
The DataTribe Team
It was quite an interesting quarter as the gloom wasn’t as gloomy as many feared, but headwinds and disruption continue to test business models and entrepreneurial agility. Key findings and discussions from the Q2 2023 DataTribe Insights Report include:
- Seeds for Growth: Deal volume for early-stage cyber companies started to rebound in Q2. With 47 deals, Q2 increased from the depths of Q1 by nearly 50 percent. The data shows significantly fewer early-stage deals than in 2022 but at healthy valuations. A flight to quality in venture capital persists. The performance bar that will attract venture capital remains exceptionally high.
- End of Runway May Be Closer Than It Appears: We are approaching the end of the runway for startups that sat on the fundraising sidelines for the past 18-24 months. We could see a lot of bumpy landings coming down the pike. This will be more acute for cash-burning later-stage companies. There were only four growth-stage cybersecurity deals in Q223, on par with Q123. Year-over-year, deal volume is down 75% (16 to 4) at this stage.
- AI Pixie Dust Doesn’t Drive Value, AI Productivity Will: In the first half of 2023, AI companies raised $25B, slightly down from $29B in H1 2022. AI was down just 14% YoY in the same period, while global venture capital declined 50%. But companies need to show that AI is more than a buzzword. How can companies best position their AI capabilities in a manner that attracts customers and investors without overblowing expectations?
The potential productivity increase delivered by generative AI is massive. Hopefully, it will help relieve the labor shortage confronting security organizations. The security copilot is a big step forward and has the potential to reshape how cybersecurity teams function.
- Secure by Design, Innovative at Heart: We are at the very early stages of a sea change in software development. The Biden Administration is pushing to get software vendors to stand by their products more in the way that a car manufacturer stands by theirs. Most large software companies do business with the government. As they improve their secure software development standards for their government customers, they will likely propagate those improvements to the non-government parts of their businesses.
This has the potential to have as fundamental an impact on the software development lifecycle process as user-centered design and agile development principles have had over the past decades. We are cheering on the effort to spur developers to make software secure by design. However, it’s imperative that in doing so, we don’t layer on so many compliance burdens that it snuffs out innovation or makes it impossible for startups to fuel healthy creative destruction.
Security should strengthen innovation, not stifle it. Secure by design principles must be effective and flexible to ensure security AND ingenuity can coexist symbiotically.
In Q2, the economy showed signs of inflation cooling, continued strong labor markets, and other positive trends. The twelve-month change in the Consumer Price Index (CPI) was 4% in May, down from 4.9% in April. Annual inflation has continued a downward trend off its high of 9% in June 2022. At the same time, labor markets have remained tight. Unemployment in June 2023 remained at 3.6%, a 50-year low. The inflation beast hasn’t yet been fully tamed, but it’s plausible that the Fed’s interest rate policy may guide us to a soft landing.
In Q2, the U.S. stock market went up, with tech names leading the way. Perhaps investor animal spirits are making an appearance as the feeling grows that a soft landing may be possible. More robust stock market performance may bring an opening for IPOs. The market hasn’t seen a software IPO since the end of 2021, an 18-month software IPO drought. Remember SentinelOne raising $1.2B cash in June 2021? To put the 18 months in perspective, the last few software IPO dry spells lasted about six months. A backlog of companies with the right metrics awaits the window to crack open to tap public capital markets.
Overall, VC funding remains down. Early-stage cyber investments are improving over the lows of Q1 but are still not back to where they were 12 months ago. Startups with strong, growing revenue metrics likely will get funding. Otherwise, they will need to find other ways to survive.
One bright spot (maybe too bright) for venture this past quarter is everything AI. In the first half of 2023, AI companies raised $25B, slightly down from $29B in H1 2022. AI was down just 14% YoY in the same period, while global venture capital declined 50%. Of course, some of that investment went into cybersecurity-focused AI. Though AI has been around since the mid-20th century, it wasn’t until ChatGPT that AI captured the market’s mainstream imagination. It seems every cyber startup is flirting with AI as part of its strategy. Are these companies creating genuinely innovative, reimagined solutions? Or are they just adding AI pixie dust to everything cyber, causing mass confusion? It’s likely a little of both.
One of the more interesting announcements in Q2 was the release of the Microsoft Security Copilot. This AI-powered tool can help security teams with many common security tasks. It can help to identify and respond to threats, train security analysts, improve security awareness, and automate security tasks. Watching the Security Copilot automatically accomplish more advanced tasks, such as reverse engineering malware, is pretty amazing. It holds promise for radical productivity gains among cybersecurity practitioners, potentially alleviating some of the cyber workforce shortage.
In this quarter’s installment of DataTribe Insights, we dig into the latest venture market trends, discuss the power of intelligent defenses, especially with Microsoft Security Copilot, explore the need for better, security-focused software development tools, and look at the secure-by-design requirements that the Biden administration is advancing.
Q2 State of the Market
“VC’s Long Road to Recovery” reads a Pitchbook email newsletter subject line. “Cyber Leak? Cybersecurity Funding Falls 63% in Q2” is the title of another report published by Crunchbase. Yes, they are a bit sensational, but also true. Also true is that the news isn’t all bad, particularly in early-stage cybersecurity (Seed, Series A, and Series B). While Q2 activity is down year-over-year, deal volume has recovered slightly (47 deals) from the decade-low observed in the first quarter (32 deals). Cyber seed stage valuations also remain relatively high.
First, let’s unpack the pessimistic headlines in our news feeds. Despite strong recent public technology market performance, high inflation and the prospect of continued increases in interest rates have created significant macroeconomic uncertainty. Over the past year, this uncertainty has driven a pullback through the entire system from LPs, venture funds, and customers.
The bottom line: 2023 is a challenging fundraising environment for startups. The data continue to show significantly fewer early-stage deals getting done but at healthy valuations. Said differently, a flight to quality in venture capital persists. As discussed in last quarter’s report, the performance bar that will attract venture capital remains exceptionally high.
The macroeconomic uncertainty is also putting pressure on enterprise procurement budgets. Cybersecurity budgets have fared better than other enterprise budgets. Still, the CISOs we work with are all working to do more with less and are focusing on ways to consolidate their security tech stack. This translates to a challenging sales environment for startups, slowing top-line growth rates. It’s hard to raise capital if you’re not hitting your numbers. We will likely see more failures from companies that aren’t already on a path to profitability.
Later stage growth capital (Series C and beyond) has effectively fallen off a cliff, especially in cybersecurity. There were only four growth-stage cybersecurity deals in Q223, on par with Q123. Year-over-year, deal volume is down 75% (16 to 4) at this stage. However, Q222 marks the second-highest volume of all time, surpassed only by Q221 (23 deals). Context is important. When market health is viewed solely through the lens of deployed capital, some may conclude the innovation economy is struggling. What is happening is that mega-deals fueled by the frothy public markets of ’20 and ’21 have stalled. Innovation is alive and well.
Deal volume at the early stage (Seed, Series A, and Series B) of cybersecurity was up 47% (31 to 47 deals) over Q1 2023. These levels are similar to pre-pandemic cybersecurity deal activity, particularly at Seed. Median pre-money valuations for Seed ($13.5M) and Series A ($45.0M) investments have contracted slightly from their all-time highs of $15.8M and $48.7M, respectively, observed in 2022. This softening of valuations is overdue and healthy. While challenges are likely to persist at the later stage of the segment, a new generation of leading innovators is in the early stages of their growth curve.
One concluding note: It’s common for venture-backed startups to raise 18-24 months of runway to achieve growth milestones that lead to the next round of funding. It was about 18 months ago that the ebullient late 2021 markets slowed. Many companies that raised capital in late 2021 at the top of the market will likely reach the end of their runway soon. We anticipate the next couple of quarters will be bumpy for many of these startups seeking additional funding.
The Copilot: Harnessing the Power of Generative AI for Cybersecurity
There is a whole lot of data that flies around in cybersecurity. As XDR companies suck in and analyze telemetry from everything digital, many of them have built up some of the highest-volume data operations in the world. With all that data, security teams are looking for behaviors, patterns, and anomalies. They are looking for risks they didn’t know existed. When you pull back from all this, it’s hard not to conclude that cybersecurity is a great fit for AI. Let the machines tease out the threats and sift through the noise to find the signal.
Given how well AI fits the shape of the cybersecurity problem, there has been a major ML/AI push in cybersecurity for a long time. A few years back at RSA, it was a joke that AI was everywhere. Oh, how innocent we were. As ChatGPT has thrust large language models (LLMs) and generative AI into the mainstream, the cybersecurity world has found an entirely new gear for the AI-ification of products.
At the forefront of this generative AI revolution is Microsoft, which has invested a staggering $10 billion in OpenAI, propelling Copilot products into the limelight. The idea of a Copilot is appealing. It’s an ever-present, knowledgeable partner you can ask questions of, collaborate with, and get assistance from, all through a simple chat interface. If there’s any job where it’d be handy to have an all-knowing assistant ready to help you, there’s probably an opportunity to create a Copilot. Microsoft has integrated Copilots into its flagship offerings, like Office and GitHub, for business users and software developers. It’s natural that security practitioners should have their very own Copilot, and Microsoft delivered that to them in Q2.
The Microsoft Security Copilot was one of the most interesting product announcements in a while. It is a cloud-based platform that seamlessly combines Defender, Sentinel, and Azure Active Directory Identity Protection, setting a new standard for incident response platforms. The impact of Security Copilot has not gone unnoticed by industry competitors, who are now striving to match the integration and functionality of Microsoft. This intense competition breeds innovation. Notably, key players like Google, CrowdStrike, IBM, Splunk, Palo Alto, ServiceNow, Rapid7, Darktrace, and Cylance (BlackBerry) have unleashed their own Copilot products, resulting in an electrifying atmosphere of excitement in cybersecurity.
So, what makes copilots so remarkable? They radically improve the speed and accuracy of cyber defenders responding to threats. Let’s explore some game-changing features:
- Improved Threat Intelligence and Analysis: Leveraging AI and machine learning, the Copilot platform correlates data from Microsoft Defender for Endpoint, Azure Sentinel, Azure Active Directory Identity Protection, and other sources to provide valuable insights into potential risks by identifying patterns, detecting anomalies, and proactively identifying emerging threats. As a result, organizations make more informed decisions and take proactive measures to effectively mitigate risks faster.
- Enhanced Incident Response Capabilities: Copilot platforms function as swift and astute cyber detectives. They rapidly triage and analyze security events, swiftly pinpointing the root cause of incidents and enabling prompt containment and remediation actions.
- Automation and Orchestration for Efficiency: Copilot solutions empower security teams to create custom playbooks that automate responses. The availability of pre-built playbooks for common security scenarios ensures consistent and quick incident responses.
- Collaborative Case Management: Copilot platforms are centralized case creation, tracking, and collaboration hubs. Team members can effortlessly share information, assign tasks, and communicate within the platform. Integration with popular collaboration tools like Slack and Microsoft Teams further bolsters team collaboration.
While security copilots are transforming the cybersecurity landscape, it is prudent to be aware of potential consequences like vendor lock-in, limited third-party integrations, and complexities that introduce misconfigurations or inefficient workflows.
In a recent discussion of AI with one of the CISOs we work with, he quickly identified a six-figure project he could reduce to a quick ChatGPT query. The potential productivity increase delivered by generative AI is massive. Hopefully, it will help relieve the labor shortage confronting security organizations. The security copilot is a big step forward and has the potential to reshape how cybersecurity teams function.
Forget Shifting Left, Just Build Better Developer Tools
The application security community has championed a “shift left” strategy for years. This approach advocates for moving security checks, previously conducted at the end of the development process (the right end of a left-to-right process diagram), to earlier stages in the software development life cycle (SDLC). This concept is closely associated with the DevSecOps movement. However, it has one central flaw — a lack of context.
Software systems are inherently intricate and complex, often only well understood by their developers. Even the developers may sometimes only completely understand certain portions of the system. Meanwhile, security teams are tasked with assessing these highly complex systems for potential cyber risks — often relying on scanning for high-level code patterns as indicators of potential risks, treating the system as a black box with limited context.
Introducing these high-level, limited-context scanning tools earlier into the SDLC has a significant drawback: it shifts the high-noise output of these tools right into the middle of the development process, leading to friction for developers. As a result, developers feel compelled to seek workarounds or disable these obstacles. This may help explain the current sad state of software security. A recent report revealed that 84% of businesses have vulnerabilities solely due to open-source libraries used in their software.
Developers require tools to identify software security weaknesses with the same context that functional testing platforms provide. Achieving this goal, however, requires moving away from the broad-scan philosophy of traditional security tools. Instead, developers need tools that can pinpoint issues directly related to the exact method calls they are working on, conveniently available in their integrated development environment (IDE) or incorporated into the continuous integration (CI) process.
Snyk and Sonar are two companies that have achieved significant success by offering developer-friendly solutions that present security-related code issues within the context of the IDE or build process. While this represents a positive step forward, there is still room for even more context-aware, developer-friendly platforms. As GitHub Copilot continues to mature, it is poised to guide developers in real-time, enabling them to write more secure code and avoid dangerous calls to poorly written or blatantly vulnerable methods in open-source libraries. However, AI-powered tools are not the only solution.
In Q2, we spoke with several early-stage startups that have developed platforms capable of tracking detailed call stack data from software processes that are running. These platforms establish the baseline operational patterns of the code and can then identify anomalous patterns occurring in production. However, these established baseline behaviors also offer valuable insights to developers. By leveraging this context, developers can prioritize popular code paths and identify any known vulnerabilities in open-source libraries or risky code patterns in these areas of their code. The more precise and contextual the feedback provided, the more likely developers are to utilize it, enabling them to make faster fixes, accelerate their progress, and enhance the security of their software.
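A minimal sketch of that runtime-context idea, added here as an illustration and not taken from any of the startups' products: it builds a baseline from sampled call stacks, ranks known-vulnerable library functions by how often production code actually reaches them, and flags caller-to-callee edges the baseline never saw. All function names, advisory IDs, and stack samples are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed samples: call stacks (outermost frame first) captured from a
# hypothetical running service during a baseline window.
BASELINE_STACKS = [
    ("app.handle_order", "app.parse_body", "yamlish.load"),
    ("app.handle_order", "app.parse_body", "yamlish.load"),
    ("app.handle_order", "app.render", "tmpl.render"),
    ("app.health", "app.render", "tmpl.render"),
    ("app.handle_order", "app.parse_body", "yamlish.load"),
]

# Constructed advisory feed: library function -> placeholder advisory ID.
ADVISORIES = {
    "yamlish.load": "EXAMPLE-ADV-1",
    "imgkit.resize": "EXAMPLE-ADV-2",
    "tmpl.render": "EXAMPLE-ADV-3",
}


def build_baseline(stacks):
    """Return (hits per frame, entry points reaching each frame, seen edges)."""
    hits = Counter()
    entry_points = defaultdict(set)
    edges = set()
    for stack in stacks:
        for frame in set(stack):          # count a frame once per stack
            hits[frame] += 1
            entry_points[frame].add(stack[0])
        edges.update(zip(stack, stack[1:]))
    return hits, entry_points, edges


def prioritize(advisories, hits, entry_points):
    """Rank advisories by observed reachability, most-exercised first.

    Functions never seen at runtime sort last: still worth patching, but
    they are not on a path that production traffic currently exercises.
    """
    ranked = [
        (adv_id, func, hits.get(func, 0), sorted(entry_points.get(func, ())))
        for func, adv_id in advisories.items()
    ]
    ranked.sort(key=lambda row: (-row[2], row[0]))
    return ranked


def unseen_edges(stack, edges):
    """Caller->callee pairs in a production stack absent from the baseline."""
    return [edge for edge in zip(stack, stack[1:]) if edge not in edges]


if __name__ == "__main__":
    hits, entries, edges = build_baseline(BASELINE_STACKS)
    for adv_id, func, count, reached_from in prioritize(ADVISORIES, hits, entries):
        print(f"{adv_id:14} {func:14} seen in {count}/{len(BASELINE_STACKS)} "
              f"stacks via {reached_from or 'no observed path'}")
    # Constructed production sample: the health check now parses a body.
    sample = ("app.health", "app.parse_body", "yamlish.load")
    print("anomalous edges:", unseen_edges(sample, edges))
```

The same baseline serves both audiences the paragraph names: the ranked list tells developers which vulnerable dependency sits on a hot path and which entry points lead to it, while the unseen-edge check is the production anomaly signal.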
Whoa, let's not get crazy now. You actually want me to sign a document that says I adhere to secure software development principles?
On April 27th, CISA published a draft Secure Software Development Attestation Form to the public for a 60-day comment period. The idea of the attestation form is for vendors that sell software to the federal government to formally sign a representation that they complied with a prescribed set of secure software development processes. Big picture, it’s an effort to fortify the federal government’s software supply chain and level up the security rigor around the development process for the software that the government depends on. This effort is aligned with the Executive Order, Improving the Nation’s Cybersecurity (July 2022) and the Office of Management and Budget’s (OMB’s) subsequent memorandum, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (September 2022).
It’s worthwhile checking out the actual draft form (https://www.cisa.gov/sites/default/files/2023-04/secure-software-self-attestation_common-form_508.pdf). The form was developed in close coordination with OMB and was heavily based on the NIST Security Software Development Framework (SSDF, https://csrc.nist.gov/Projects/ssdf). By the way, the NIST SSDF itself is relatively new. The SSDF was developed in 2021 in response to a directive in the May 2021 Executive Order on cybersecurity through a collaborative effort taking input from government, academic, and commercial stakeholders.
To anyone who has lived in the fast and loose world of tech and agile software development, the practices the draft form requires will seem burdensome at best and incompatible with innovation at worst. Casually discussing this new attestation form with an experienced CTO we know triggered him into an animated venting session about regulatory overreach. We expect this will be the type of reaction from most folks who live in the trenches of building and delivering software products.
Here’s an example of a representation that vendors will need to sign off on: “The software producer maintains provenance data for internal and third-party code incorporated into the software.” It is likely that most senior executives at companies that will need to sign the attestation have no idea if the best practices required are being done. Even most engineering leaders closest to the product teams likely aren’t sure of all the security precautions their developers are taking. Leaders will likely bridle at the idea of signing their name on the proposed attestation. We suspect that outside of highly regulated industries (like software in medical devices, for example), most companies will need significant internal audits and invest substantially to fill process gaps. And that’s precisely what OMB and CISA want.
It is early in the journey of these practices becoming a reality. In some ways, the envisioned attestation process is akin to Sarbanes-Oxley or CMMC (Cybersecurity Maturity Model Certification, a security standard being rolled out to confirm the IT security of the Defense Industrial Base). In both cases, the additional regulations were a win for consultants and auditors who specialize in helping companies comply. Just as Sarbanes-Oxley made it significantly more expensive for companies to list on public markets, driving secure software development will make the software more expensive to produce. Those costs will be pushed onto customers at some level. Higher prices will also increase the bar for creating new companies, which could entrench incumbents and mute innovation.
If the rollout of this attestation process is anything like the rollout of CMMC, there will be a gnashing of teeth. Per the OMB memorandum, “critical software” vendors are to start signing attestations in June 2023, and other software vendors will begin in September 2023. In June 2023, the deadlines were pushed out to three months after the publication of the final CISA form for critical software and six months after the publication for other vendors covered by OMB’s security requirements. So, it’s imminent that vendors will need to deal with this. Like CMMC, many vendors will request waivers allowed under the proposed regime so long as there is a plan to mitigate and remediate the deficiencies. There inevitably will be lawsuits to blunt or slow the process. The attestation and standards will likely be modified to create 2.0 and 3.0 versions. Eventually, after much digestion (and indigestion) over a period of years, we will arrive at a place where software vendors selling to the government will deliver more secure products.
As we look at this, we sense that we are at the very early stages of a sea change in how software is built. For years, AppSec has been a major area within cybersecurity. DevSecOps has been an increasing focus with cloud computing and the emergence of infrastructure as code. However, the Biden Administration is pushing for something deeper. They are driving for software vendors to stand by their products as a car manufacturer stands by theirs. Just as GDPR had an impact far outside of Europe, effectively exporting privacy standards worldwide, these federal government standards will spur change outside the federal space. Most large software companies do business with the government. As they improve their secure software development standards for their government customers, they will likely propagate those improvements to the non-government parts of their businesses.
This is huge. It has the potential to have as fundamental an impact on the software development lifecycle process as user-centered design and agile development principles have had over the past decades.
We are cheering on the effort to spur developers to make software secure by design. However, it’s imperative that in doing so, we don’t layer on so many compliance burdens that it snuffs out innovation or makes it impossible for startups to fuel healthy creative destruction. We need to figure out how to be both nimble and secure.