Cyber Trends & Predictions for 2024

The SEC gives cyber risk a seat at the grown-ups’ table. Oh, and AI.

Introduction

We are honored to meet many phenomenal cybersecurity founding teams throughout the year. In the fall, we hosted the DataTribe Challenge, inviting pre-seed founders to compete for recognition and potentially an investment by DataTribe. As a result of the Challenge, we have a surge in the already large volume of opportunities we review in the fall. This flow of cybersecurity opportunities provides clues as to what founders believe will be a big deal in the coming years. And given that these founders put their time, reputations, and money on the line, it is a pure data signal.

This report explores the top themes we saw this year and throughout the 2023 Challenge. We add to our perspective with forward-looking predictions from members of the DataTribe CISO Network and CEOs of our portfolio companies: all experts, all with different lenses on the vast domain that is cybersecurity.

Undoubtedly, 2023 was the year of AI in cybersecurity (and in everything else). Forty percent of the submissions to the DataTribe Challenge were AI-centered. That’s a massive increase and points toward a future in the next five years where AI-powered defenses will become the mainstream default.

Another interesting observation jumps out from the analysis. One theme that is on the minds of CISOs much more than cyber founders this year is the implications of new SEC rules. The new rules promote cyber risk to the level of other key investment risks that require disclosure. This is a significant development. As you’ll see below, the new SEC rules loom large for CISOs leading into 2024 — potentially changing how CISOs think about their roles. Of course, given the central role of CISOs in the cyber ecosystem, this is worth paying attention to as we look ahead to 2024.

Top 10 Trends We See Heading Into 2024

Below are the most prominent themes we saw throughout the Challenge this year. Each of these is a wave in the vast cybersecurity sea. Some waves are bigger than others, and some move faster. The cyber waters are choppy. Many of these waves are playing out over multiple years and are trends we have followed for a while. Some are newer. As we all set forth into 2024, these are the areas where we are seeing new company formation in cybersecurity.

10. Quantum Computing Implications: Tricky for startups, on the agenda for enterprises. It’s not a matter of if but when. Quantum computing is coming and eventually will have implications for modern cryptography and other mathematically intensive computer applications. Given the uncertain timing surrounding quantum computing, it presents a tricky investment profile for venture investors to pursue. However, for large enterprises that need to make long-term plans for five- and ten-year periods, quantum is on the agenda, and founders are seeking the opportunity.

9. Security for Serverless Architectures: New architectures beget new attack surfaces demanding new defenses. New digital innovations and new architectural approaches create new attack surfaces, which, in turn, drive the need for new security approaches. As serverless architectures create a thicket of API calls and new service mesh architectures, new security challenges are emerging. This year, we saw founders diving into the new challenges a new system architecture presents.

8. Operational Technology (OT) Security: Fortifying critical infrastructure continues to drive opportunity. We have long leaned into OT security, having invested early in Dragos and Xona. It is a huge market, and defending critical infrastructure (such as the Aliquippa Municipal Water Authority’s water treatment plant in late November) remains a society-level imperative. Founders continue to see new product opportunities in helping to defend large industrial environments that are increasingly digital but have different technology requirements than customary IT environments.

7. Autonomous Defenses: Self-driving malware demands self-driving defense. With increasing sophistication in AI, for a while, there has been the vision of malware agents that infiltrate a network and can operate autonomously without the need to communicate back to a command-and-control server. The other edge of this sword is to use the same principles to create defenses. This year, in the Challenge, we saw founders using AI to develop autonomous defenses that continuously learn and mount defensive strategies without practitioners’ guidance.

6. Data Security and Governance: Focus on the “cheese” that adversaries are usually after. Data security has been a major area of innovation for a long time. In the wake of significant privacy regulations like Europe’s General Data Protection Regulation (GDPR) in 2018, there has been an acceleration that has created new categories such as Data Security Posture Management and Privacy Enhancing Technologies. The convergence of increasing interest in data for AI applications and heightened regulatory compliance regarding privacy is propelling this market. In the submissions to the 2023 Challenge, we continue to see significant founder interest in pursuing opportunities in data security and governance.

5. AppSec 2.0 – We are far from software that is secure by design, driving a continued opportunity to innovate. There is a growing movement behind the idea that digital products need to be built more securely in the first place, that is, secure-by-design. It’s more than “shifting left.” Rather, it’s a realization that the entire software development lifecycle needs to be re-oriented to elevate security to the same level as user experience, performance, and reliability in the minds of product development teams. Founders are seeing opportunities in this movement. We are seeing an increased emphasis on helping teams to identify not just vulnerabilities in libraries they use but also how impactful each particular vulnerability will be depending on the context of how that specific system uses the library. There is a movement afoot to fuse static and dynamic application testing principles to deliver better results and greater efficiency. Of course, the rapid proliferation of AI is fostering interest in tooling to test AI models.

4. Passwordless Authentication: The immovable object meets the unstoppable force. Passwords have long been considered a security technology in desperate need of improvement. The fact that we all have so many passwords that it gave birth to an entire password manager product category is a testament to the problem and the deep entrenchment. This year, like the past few years, we saw startups in the Challenge proposing new ways of identity management and authentication that do not depend on passwords. One of the Challenge Finalists this year, Dapple Security, proposes a compelling idea: never store private keys. Regenerate them on the fly every time you need to authenticate. In this way, there is no private data for adversaries to steal. Moving away from passwords requires behavior change on the part of users and a broadly accepted standard to migrate to — both from the perspective of UX and technology. These barriers to change make passwords such an “immovable object.” However, the trend away from passwords is an “unstoppable force.”

3. Bills of materials (BOMs): Knowing the ingredients inside the product is becoming table stakes. In May 2021, the Biden Cybersecurity Executive Order called on software vendors to start supplying software bills of materials (SBOM), essentially a list of the software libraries they embed in their products. The intention is to provide software customers more transparency to manage the risk associated with vulnerabilities that may emerge in software libraries, which may be components within the products they use. In October of this year, CISA published hardware bills of material standards, hoping they could corral hardware vendors into publishing component-level BOMs. The market is responding to these regulatory nudges, and entrepreneurs are busy working on products to help product makers and customers produce and use bills of materials for both software and hardware products. One Finalist in our Challenge this year, Ceritas, seeks to become the world’s leading hardware bill of materials data provider. The Challenge Winner, Vigilant Ops, provides a platform that enables the entire SBOM process, from integrating into CI/CD pipelines so product makers can automate the production of SBOMs to providing a system of record for software buyers to manage SBOMs and component vulnerabilities.

2. AI SOC Analyst: Delivering on the full vision of SOAR. As discussed below, founders are exploring various approaches to applying AI to cybersecurity problems. However, one use case stood out above the others: the AI SOC analyst. The general idea is to use AI to automate many of the daily routine tasks that SOC analysts deal with. Given the plethora of data buffeting SOCs, the need to tease patterns out of all that data, the fact that many day-to-day tasks are routine, and the perennial shortage of cybersecurity talent, AI is an excellent fit for SOC automation. In this year’s Challenge, we saw enough founders pursuing this concept, not to mention products such as Microsoft’s Security Copilot, that it is clear this will be a vibrant, highly contended corner of the cybersecurity market within the next two years. Within the next five years, we will likely see AI having a material productivity impact within SOCs, and the AI SOC analyst will be a major new product category that will become a standard component of tech stacks.

1. AI: Got data, got AI. 2023 was the year of AI. The earthquake was the release of ChatGPT in November of 2022. The shockwaves from that temblor produced a tsunami that is currently traveling across the cybersecurity sea. Of all our 2023 Challenge applicants, 40% proposed AI-enabled products. A useful way to consider the application of AI is to follow the data. Where there is data to be analyzed, there is likely a good starting point for an AI-based applicant. This year, we saw founders applying AI to just about all types of cyber data:

  • Network Data: To create agents that can autonomously threat hunt throughout your network.
  • AppSec Scans: To help development teams distill the signal from the noise so they can invest their development resources into the bugs that make the highest impact. Also, to create AppSec tools that will go ahead and implement the code fixes for developers as the tools find issues.
  • SOC Alerts and SIEM Data: To create the AI SOC Analyst (see #2 above).
  • Malware: To create predictive systems that can counter the more complex challenge of detecting mass-produced, one-of-a-kind, AI-produced malware that can defeat signature-based detections.

One of the big trends we are seeing is governance and risk management as it applies to AI. Ampsight, one of this year’s Challenge Finalists, focuses on this area. A new product category is evolving that facilitates the process between data science teams developing new AI capabilities and compliance and risk teams seeking to ensure the new capabilities do not go off the rails. Given the comparatively rapid emergence of regulatory oversight of AI (compared to data privacy and social media), AI governance, risk, and compliance will become critical for enterprises seeking to embrace AI’s benefits fully.

2024 Predictions from the DataTribe CISO Network and Portfolio Company CEOs

SolarWinds and its Impact on CISOs

“The SEC fraud charges against SolarWinds and their CISO, Tim Brown, will have a chilling effect on hiring CISOs in the future. At the very least, most CISOs will insist on compensation packages that include D&O liability insurance and golden parachute firing clauses. At the most, companies will start to include CISOs as part of their executive officer team alongside the CEO, the CFO, and the CTO. You won’t see these things immediately (2024), but the climate has changed. This is what CISOs are talking about now.” – Rick Howard, CSO N2K Networks & Chief Analyst, CyberWire

Private Attacks for Corporate Treasure

“As corporate controls continue to improve, but the data on personal cell phone numbers and personal email addresses increases in their wide availability, cybercriminals will gravitate to the weakest part of the lives of key people at key companies they seek to target. Whether it is persons who might be sys admins, have special knowledge, or are key personnel . . . the private email and cells are the new attack surface.” – Chris Pierson, Founder & CEO, BlackCloak

Vulnerability Detection in New SEC World

“Anticipating an increase in companies disclosing cyber security incidents, in compliance with the SEC’s cyber disclosure rules, providing additional transparency while driving an increase in third-party incidents which cyber security teams will need to evaluate and respond to. SEC requirements drive continued emphasis on improving cyber risk management and governance processes, as well as assessing and mitigating risk associated with third-party incidents. 2023 is on track to log the highest number of reported zero-day critical vulnerabilities in recent history, so products and services which improve vulnerability detection and remediation and asset hardening will continue to be of interest.” – CISO, A Large Energy Company

SEC Disclosures and AI

“1. The SEC materiality rule is going to have an enormous impact on how public companies treat incidents. The picture of breaches is going to be very different as companies are forced to either report or commit securities fraud. And as an added bonus there are ransomware groups that are using the notices as a way of leveraging payouts.

“2. AI – It’s almost like a cop-out answer because of all the hype, but I think we will start to see products with specialized models starting to have an impact late next year. I’ve seen the MS Security Co-Pilot. It’s very much an MVP. But it won’t take them long to flesh out the integrations and start adding automation. Add in all of the startups that will be drawn to the space, and the vendor landscape starts to look interesting for areas like SOC and compliance.” – Mishka McCowan, VP of Cyber Threat Management, PowerSchool

Security AND Compliance

“Convergence of security and compliance using automation. Security analytics are doing more compliance, and compliance (RegTech) is moving up the stack. We’ll continue to see platform convergence as well as innovation with automation, especially AI.” – Christian Sorenson, Founder & CEO, SightGain

AI for Cyber

“CISOs will learn to love artificial intelligence by adopting a forward-looking and optimistic view of the intersection of AI and cybersecurity.” – Jeff Brown, CISO, State of Connecticut

Managing AI Risk

“In 2024, organizations will recognize the need for Secure AI — and take meaningful steps to mitigate the risks associated with AI/ML capabilities. This year proved we are firmly in the AI era. Driven by data, the impact these technologies have on our lives, businesses, and society at large will only continue to grow. But, we also affirmed that the benefits of AI capabilities are not without pitfalls. Over the past few months, we’ve seen global leaders, including the White House, CISA, and NCSC, release action-oriented directives aimed at recognizing and mitigating AI risk. Many of these guiding documents pointed toward adopting technology-powered solutions such as Privacy Enhancing Technologies (PETs). While PETs have been proven to unlock value for cross-silo data collaboration applications such as encrypted search, 2024 is the year the focus will extend to their applicability in AI. When used for encrypted model training and evaluation, the Secure AI capabilities enabled by PETs allow users to unlock value from cross-silo data sources without increasing organizational risk, compromising sensitive data, or sacrificing our values — all factors that will be key to ensuring we can responsibly capitalize on the benefits of AI in the New Year.” – Ellison Anne Williams, Founder & CEO, Enveil

AI Governance

“Due to a breach/incident (or breaches/incidents) related to the use of AI and ML, organizations will focus resources towards governance and building security into machine learning pipelines and life cycles.” – Diana Kelley, CISO, Protect AI

The China Threat

“China will continue to use cyber attacks against U.S. government and commercial entities as a tool to enhance national economic competitiveness.” – Bob Weiss, Principal Security Engineer, WarCollar Industries

AI for Defense

“AI remains a double-edged sword. Artificial Intelligence (AI) and machine learning are unlocking new innovations at breakneck speed. But they also provide cyber adversaries new ways to open and infiltrate a business’s network. 2024 will see the largest spike in AI-driven cyber threats to date. Organizations large and small will need to figure out how to democratize the use of AI for defense and deploy AI-driven security without the complexity traditionally associated with such an advanced technology.” – Stan Golubchik, CEO & Co-Founder, ContraForce

Passwordless Authentication

“The use of passwordless authentication will become mainstream among consumers and workforce alike.” – Vikrant Arora, CISO, Hospital for Special Surgery