DataTribe Insights - Q4 2022 - Changing Seasons
The DataTribe Team
Introduction
The 4th quarter of 2022 marks a turning point for cybersecurity: the end of the pandemic-fueled boom that has so greatly impacted the rest of tech in 2022 started touching the relatively impervious cybersecurity sector as well. In the face of a highly uncertain 2023 economic outlook, investors are tightening their purse strings and buyers are prioritizing efficiency for their security purchase decisions. While the Federal Reserve Board is beginning to see the early effects of its 2022 shift in monetary policy, future increases in the federal funds rate are expected and 70% of economists surveyed by Bloomberg expect the U.S. to enter a recession in 2023. Accordingly, venture capital investment activity is down across all stages, and CISOs are being asked to do more with their existing budgets.
However, it’s not all bad news, with cybersecurity seed investing being a bright spot in the Q4 deal activity. While still down from Q4 2021, which recorded abnormally high volume, Q4 2022 more closely aligns with historical investing norms. There are abundant opportunities for innovation in cybersecurity as new technology breakthroughs, such as the near-human capabilities of ChatGPT, introduce new and largely unaddressed security risks.
Against the broader economic picture, cybersecurity remains comparatively strong. Security is no less vital a function than in years past, but startups and established security vendors alike must now contend with a more discerning buyer. Without a clear and demonstrable value proposition, and sufficient capital to weather the storm, many startups, security included, will succumb to the change in market dynamics.
In this quarter’s report, we highlight the shifting investment landscape, share future insights gained from the finalists of the 2022 DataTribe Challenge, uncover new security risks associated with recent advances in artificial intelligence, reflect on an evolution in the security services market, and explore trends in cybersecurity talent migrations in the wake of recent layoffs in the technology sector.
Q4 Cybersecurity Deal Activity
U.S. venture activity in cybersecurity continues to come down from its highs during 2021. Seed, Series A, and Series B deal volume in U.S. cybersecurity is down 40% year-over-year from 88 to 53 investments (Figure 1) as macroeconomic headwinds persist. The decline in growth stage (Series C, D, and E – Figure 2) was more severe, down 86% YoY (year-over-year), from 22 deals in Q4 2021 to only 3 deals in Q4 2022, marking the slowest growth stage investment pace in the last decade. Does this mark an end to broad investor interest in cybersecurity? Hardly.
Despite the broad contraction in cybersecurity investing activity, seed stage cybersecurity investing remains healthy. Even with a YoY decline of 24% (42 Q4 ’22 vs. 55 Q4 ’21), Oct-Dec 2022 was the second most active Q4 and the 7th most active of any quarter in the last decade. Simply put, U.S. cybersecurity investing volume was abnormally high in 2021. Within the context of the last decade, Q4 2022 cybersecurity seed volume is much more closely aligned with recent norms.
Seed valuations provide further evidence of the market’s long-term optimism for cybersecurity innovation – optimism that we share. Median cybersecurity valuations at seed ticked up to an all-time high of $15.75M in the quarter, despite the shadow of declining valuations elsewhere. Although the shape of a cybersecurity seed round may be changing more likely is that the higher valuations, in conjunction with larger round sizes (reference the Q3 2022 Insights report) serve to extend the cash runway in anticipation of a difficult fundraising environment for the foreseeable future. Regardless, investors providing seed capital at these valuations are anticipating above average customer traction (i.e. revenue) milestones and/or a recovery in Series A and later valuation multiples by the time these companies are ready for their next round of financing.
The presented data should also be considered in context of where the security industry stands today relative to recent history. As an industry, security practitioners will contend that cybersecurity is essential and non-discretionary. Its current growth and relevance coincides with humanity’s rapidly accelerating adoption of digital technology over the preceding decades. Today, nearly every aspect of daily life depends on some form of digital technology – seen or unseen. Both enterprise and consumer technology devices are increasingly connected to the internet (consider the millions of video doorbells sold each year). They are also more affordable than ever, increasing adoption and the number of potential targets for bad actors – and a corresponding growth in the demand for security.
Anecdotally, most consumers also seem aware that cybersecurity is important, even if they don’t necessarily understand the fundamentals of good cybersecurity hygiene. Cybersecurity went from niche to mainstream during the pandemic, as seen in startup investing activity, but the number of companies receiving funding to build a new security tool for the Fortune 500 was unsustainable – the market has shifted. With rare exceptions, enterprise CISOs aren’t looking for another point solution or tool and the cybersecurity innovation landscape going forward, including venture-backed startups, will reflect this notion. This evolving maturity of the market combined with the current downturn will lead to a shift in cybersecurity innovation.
Any new enterprise security offering must satisfy at least two of the following: provide rapid value to the customer, have clear and indisputable differentiation, or make security operations easier. Rapid value creation is the most important characteristic in the current climate. Furthermore, founders should recognize that cybersecurity is complicated and that customer security goals vary widely. The largest banks need and have robust and very expensive security programs. By contrast, the local coffee shop just needs to ensure the admin password for its public Wi-Fi access point is not “password”. Though an extreme example, it illustrates the notion that security is a risk equation, not necessarily the pursuit of a perfect defense. “Know thy customer”, and continue to innovate.
Projecting forward, we expect a challenging fundraising landscape for much of 2023. The macroeconomic environment is still relatively unstable, and it will take time for the strongest startups in the market today to emerge from the pack, at which point investors will be eager to finance growth in best-of-breed innovators. In the interim, cybersecurity seed investors, including DataTribe, remain optimistic about the long-term opportunities in the sector and continue to invest in the best teams and solutions.
The 2022 DataTribe Challenge Finalists Reflect Key Cyber Trends
A highlight of Q4 was the 2022 DataTribe Challenge. The Challenge invites seed stage cybersecurity and data science founders to compete for a $20k prize and the possibility of receiving a seed investment of $2M. Each year, we’re impressed and humbled by the incredible submissions to the Challenge. This year, the three finalists each reflect interesting trends in cybersecurity.
WINNER: Balance Theory
Using Ideas from Collaboration and Social Platforms to Take Collective Defense to a New Level
Within cyber, even fierce business competitors will work together to thwart a common threat as per the ancient proverb, “The enemy of my enemy is my friend.” This dynamic is central to the vision of the 2022 Challenge winner, Balance Theory. Balance Theory is working on an ambitious mission to create a missing platform: a way for security practitioners to easily and securely collaborate within and between organizations. From informal information sharing to structured threat intel exchanges, collective defense is something that the cyber industry has been working on for decades with differing levels of success. When seen through the eyes of the Balance Theory team, it’s possible to see that there is so much more to be done in this area, and there is an entirely new level of collaboration and efficiency yet to come.
FINALIST: Web3Fied
Using Crypto Wallets for Identity
As the world has evolved to become digital, identity has grown into a mess. Email addresses and mobile phone numbers were never designed to act as personal identities, IoT devices and ephemeral processes that require identities proliferate, incumbent architectures and user behaviors are deeply entrenched, privacy concerns have increased the risk associated with storing identity data, and AI technologies are making identity ever-easier to spoof. Given the problems with identity and the enormous size of the identity market, we continue to see founders working on new approaches. One interesting trend is using crypto wallets as the technology backbone for a next-generation identity solution.
This year’s Challenge Finalist, Web3Fied, laid out an ambitious vision for a new approach to identity that combines KYC (know your customer), blockchain, and a crypto wallet. While this is a compelling approach, there are other novel ideas and determining which of the emerging identity architectures will usher in a new era is hard to say. The likely catalyst for a new era will extend beyond technology to include a combination of standards, regulatory nudges, and adoption by large tech leaders. Regardless of the future architecture, we are certain that in ten years, the way we manage digital identity will be very different and much improved.
FINALIST: NorthStar
Adding Business Context to Prioritize Vulnerabilities
Many companies seek to quantify cyber risk to simplify security decision-making and to better evaluate ROI. One area where this has proven helpful is in Risk-Based Vulnerability Management (RBVM). However, current RBVM practices miss an important input, business context. It’s very helpful to prioritize vulnerabilities by their severity (CVSS score) and by how actively they are being exploited (threat intel). However, while very helpful, CVSS scores and threat intel provide only a generic picture of a vulnerability in the abstract. Those inputs don’t help security teams know how critical a vulnerability is in their particular IT environment, and whether the vulnerability is in a business-critical system or not. That’s where an important missing input, business context, comes into play. Capturing business context efficiently and comprehensively has proven to be laborious. So, the adoption of using business context in cyber risk modeling has been limited to date. This year, Challenge Finalist NorthStar demonstrated a way of automating the capture of business context, and thus enabling a more complete risk picture to prioritize vulnerabilities. With automation, we anticipate this business context-aware approach to Risk-Based Vulnerability Management will become de facto.
ChatGPT Has Excited the Inner Sci-Fi Fan in Everyone...
. . .This includes security professionals (admittedly, most in this group need little excuse to get excited about sci-fi). ChatGPT launched in November 2022, and most who tried it were in awe at how capable it was at having a human-like conversation and providing long, eloquent answers to even the wildest questions – even if the answers were not always correct.
Reports of security concerns and warnings of a ChatGPT-driven dystopian sci-fi future immediately started popping up. The concerns can roughly be grouped into two buckets: concern about a new powerful AI tool being abused and concern that problems occur when artificial intelligence (AI) capabilities start to be similar to humans or, at least in certain situations, indistinguishable from humans.
As a powerful new tool, ChatGPT has been touted as both the next step in web search and a technology that can broadly accelerate human productivity for all sorts of tasks. For example, it could be used to help developers more quickly write more stable and secure software. But pendulums swing two ways, so what if it is used to write malware and other malicious software?
Currently, the online version of ChatGPT has guardrails that block it from writing about certain undesirable topics, including answers to questions that blatantly ask it to write malicious code. But as models like ChatGPT become more ubiquitous, there is nothing stopping people from removing these guardrails or circumventing those that are already in place. Security researchers have demonstrated how to manipulate the guardrails of the online version to help write malware. By breaking the nefarious objective into steps and then asking ChatGPT to write software to perform each of the steps, it was possible to then take several responses and combine them to perform the malicious goal.
The fear is that technology like ChatGPT will democratize cybercrime. Commentary like this, however, seems to be somewhat hyperbolic. Yes, as with any new technology, it can be used for both good and bad. Yes, cybersecurity is a continuous cat-and-mouse game. So, when new technology is available to bad actors, they may have an increased edge while defense playbooks are being modified. Hopefully, the good guys will be able to leverage this new technology just as effectively to accelerate their defense building at a similar rate as the bad actors.
The second bucket of concerns is what happens when AI starts to be indistinguishable from humans. Although we have a way to go until AI is generally operating at human levels, the technology continues to inch closer to human capability in narrow applications. ChatGPT’s ability to converse at human levels about any topic on the internet (which is nearly all-encompassing) is a radical breakthrough. It is also a more immediate cybersecurity concern.
Most cybersecurity issues come down to two weak links: exploitable software bugs and gullible humans. Currently, tricking humans is a volume game. Try enough varied cons on enough people, and you will eventually trick one into doing something that gives you some data or access that you should not have. The challenge is that when a social engineering technique becomes well-known, it becomes much less effective – people will learn and know what to look for. Thus, messaging must be frequently re-written, resulting in a lot of work for bad actors, particularly if it is highly targeted.
With the advances in AI demonstrated by ChatGPT, precise social engineering may be scalable. In theory, one bad actor could simultaneously research thousands of individuals online and start custom conversations with each of them, ushering in a new attack vector difficult to quickly develop defenses against. Training humans is slow work, and it may be nearly impossible for targeted people to identify social engineering red flags when interacting with AI that is intent on tricking them with human-like conversational ability. Unlike a single human, the AI model can communicate with thousands of people in parallel, providing massive efficiencies for bad actors.
AI goes beyond just being a tool to help humans with social engineering; it performs tasks analogous to humans. The types of tasks performed by ChatGPT and similar large network AI models are in the realm of human capabilities thought to be the last ones replicable by machines. In addition, AI models make mistakes like humans – this presents dangers beyond just dealing with a flood of automated social engineering attacks. Like young human minds, ChatGPT is particularly good at confidently providing well-formed answers that are misguided, flawed, or incorrect. It is similar to people who run across some information that may or may not be completely right and, without full context, form incorrect conclusions and become convinced they have something important to announce to the world as fact. Similarly, ChatGPT is continuously learning. It can form patterns in its neural network to better process inbound information, but that will take time and, like humans, never be perfect. This means that ChatGPT, like human social networks, will be great at generating and propagating misinformation — both accidentally and by being guided to do so by human bad actors.
To combat this, machine learning (ML) security, something we talked about in the 2021 Q4 Insights Report, will gain urgency. Attacks on ChatGPT and similar models will be at all stages of the ML life cycle. Humans can use ChatGPT as a tool to help generate misinformation. By loading this misinformation onto the internet, it will not only directly mislead humans, but ChatGPT itself could eventually also pick up the fallacy as new training data, interpreting it as fact and perpetuating an extensive cycle of misinformation. ChatGPT can be purposely mis-trained if bad actors actively provide it with disinformation, converting it into a powerful propaganda machine.
So, as big AI models amazingly continue to become more human-like, the philosophical AI ethics discussion of past years will turn into practical ML security efforts that address ways to keep these models, with near-human capabilities and near-human potential to create catastrophic mess, all under control. Welcome to 2023. (Disclaimer: ChatGPT was not used to write any of this article.)
Keep It Simple, Cyber
Large and small organizations have relied on external parties to manage their technology and security for decades. To date, these services have primarily been segregated between managed service providers (MSPs) handling the information technology (IT) and managed security service providers (MSSPs) handling security. Recently, there is an increasing number of MSPs entering the security management business to compete with MSSPs. The catalyst for this is simple – a $300B market opportunity. Furthermore, cyber-attacks continue to move down-market, where we see mid-market and even SMB victims of nefarious cyber events. These organizations are not only budget constrained, but often ill-equipped to identify, deploy, and manage a suite of security tools. Cybersecurity responsibilities are commonly added to already overloaded IT managers, driving them to need third party service providers offering easy on-stop shopping.
Through our work with portfolio company founders, we have also observed service providers moving toward simplification by adopting Microsoft security tools. The proliferation of tools in cybersecurity (over 400 exhibitors at RSAC 2022) continues to introduce complexity into an already complex domain. Microsoft, meanwhile, has been snapping up security companies to build out a robust, single-vendor security platform ($20B in 2022 revenue, up 33% YoY). In lieu of identifying and integrating with multiple tools, service providers are increasingly shifting to Microsoft for the breadth and depth of its security offerings, including: SIEM (Security Information Event Management), endpoint protection, cloud security, identity and access management (IAM), threat intelligence, and compatibility with many third-party solutions. Scale and flexibility are two key advantages of Microsoft’s security suite, but it is a logical choice for service providers given that much of the mid-market and SMB space, service providers’ clients, use Microsoft to power their businesses.
Microsoft’s security solutions are designed to work seamlessly with other security products and services, enabling easy integration with an existing best-of-breed security stack without having to worry about compatibility issues. In addition, because Microsoft security is built on a cloud-based architecture, security offerings can be provided as subscription-based services, naturally enabling organizations to scale.
As tool consolidation progresses, traditional service offerings will become undifferentiated. These service offerings have progressed over time. Initially, managed service providers (MSPs) offered IT services. As cybersecurity grew, managed security services providers (MSSPs) became popular. Most recently, managed detection and response (MDR) providers have started becoming popular, providing enhanced service offerings beyond standard MSSPs. Many of the CISOs we speak with have retained MSSP and MDR providers to augment their internal security teams. Between the two, MDR is the preferred solution because it reduces the workload for internal security teams. Whereas an MSSP will monitor and notify customers of security incidents, an MDR will respond (cyberspeak for closing a breach or vulnerability) to a security event and provide the customer with a detailed report of the incident after the issue is resolved. As return on investment looms large in security purchase decisions, this distinction is critical, and will pave the way for further enhancements and consolidation of today’s highly fragmented space.
As security service providers (of all flavors) continue to enhance their offerings and consolidate their tools, particularly into Microsoft security products, the tool landscape will become easier to consume while the pursuit of efficiency will usher in a new wave of innovation.
The Rising Tide is in the Cloud
Cybersecurity has been one of the most prolific growth areas in technology over the last several years, particularly during the pandemic. SaaS (software-as-a-service) cybersecurity companies have been, and we expect will continue to be, particularly strong. The hiring rate (which equals the number of employees hired in a quarter divided by the number of employees at the beginning of that same quarter) of these companies exceeded that of the broader cybersecurity industry over the last 5 years, according to proprietary insights developed in partnership with Strider, a DataTribe portfolio company. To track hiring trends within the industry, a subset of cybersecurity companies (both SaaS-oriented and traditional) were selected and analyzed. The analysis revealed that, although employee departure rates were similar for both groups, hiring rates for emerging and established SaaS-oriented cybersecurity companies exceeded those of the broader cybersecurity industry. The future is in the cloud – and cybersecurity companies, particularly SaaS cybersecurity companies, continue to hire and build.
Intuitively, this makes sense. Through an investor lens, SaaS cybersecurity solutions tend to be high-margin and scalable, offering investors (and founders) opportunity to harness rapid growth potential for large exits, or at least high valuation multiples. Through an enterprise customer lens, SaaS solutions offer additional benefits: (1) scales with a customer’s existing tech stack; (2) outsources the maintenance of an increasingly complex enterprise technology stack; and (3) is an enabler of a zero-trust security program. Many of these solutions aim to improve the efficiency of an enterprise security operations center (SOC), thereby alleviating some of the pains from a cybersecurity talent shortage. Through an employee lens, well-funded high-growth companies offer substantial career growth opportunities, and SaaS cybersecurity companies, particularly during the pandemic boom, had an insatiable appetite for highly skilled and specialized talent.
Evaluating the flow of talent within cybersecurity highlights the complexity of the field and a bias for experience, particularly at startups. We have observed this same general pattern with our own founder interactions, both within and outside our portfolio. Cybersecurity SaaS companies exist at the intersection of cybersecurity, cloud technology, and general computing technology, and that reflects the talent these companies need – in that order.
- SaaS-focused cyber companies require a higher level of expertise and talent in cloud, cloud infrastructure, cloud security, and other cloud-adjacent subsectors compared to dedicated cybersecurity companies.
- When SaaS cyber companies grow and SaaS cyber startups transition from seed funding to exit strategies, they hire less from dedicated cyber companies and more from the general tech sector, including companies in IT services, telecommunications, and consumer electronics. This points to a trend of successful SaaS cybersecurity companies expanding and diversifying from a narrow, streamlined cyber product to broader or more varied product offerings.
- As the cybersecurity talent shortage and skills gap grows more acute, the rise of SaaS cyber products – and their hires from the cloud sector – will likely place an increased demand on talent at the intersection of cybersecurity and the cloud.
