Enterprise cybersecurity technology

research that connects the dots | Learn more


Famine to Feast and Back: Startups Adjust to Economic Realities

Cybersecurity is a hotbed of startup activity, and with good reason. Startups typically look for an IPO or acquisition, but right now IPOs are off the table.

As many readers will be aware, cybersecurity is Startup Central, or perhaps even Startup Heaven. Cyber is, after all, the only inherently adversarial segment of the IT industry, where a vendor's "competition" isn't just the half a dozen other companies that make something similar but the thousands of threat actors trying to circumvent their product for their own nefarious ends. This in turn creates an imperative to innovate that goes far beyond other sectors of IT, simply because the bad folks are busy innovating on their side.

To keep up with this "Need for the New and Different," established cyber vendors cannot rely on their internal resources, which are already tied up keeping large customer bases happy on their existing products. As such, it is a long and well-established practice for them to outsource innovation, and the accompanying development work it entails, to a hyperactive startup community, spread primarily across Silicon Valley, southern Massachusetts, and Israel (the Unit 8200 connection). Indeed, according to Omdia's Cybersecurity Funding Tracker (subscription required), reviewing startups founded since 2019, of the 557 vendors we looked at in the latest edition, 48% were US-based, with the next largest location being Israel, with 10% of the companies.

They adopt what might be called the Mao Zedong horticultural approach to fostering change, as outlined in a speech he made in Beijing in 1957:

"Letting a hundred flowers blossom and a hundred schools of thought contend is the policy for promoting progress in the arts and the sciences…"

Of course, in Mao's case that policy led to the disastrous excesses of the Cultural Revolution. In the world of cyber, on the other hand, it enables the Big Beasts at the top of the vendor food chain to observe multiple startups as they address a new tech challenge, then at the right time, pursuing the flower analogy, to pick the one that best suits their needs. A round of M&A then ensues.

Technology Land Grab

This approach to developing new technology frequently leads to what tech analysts and journalists refer to as a land grab, in which half a dozen or more startups disappear in quick succession into the belly of those larger vendors, with the latter urged on by their own research departments and Wall Street analysts. Just in the last two decades, we've had land grabs in:

  • data leak prevention (DLP) in the mid-2000s, when a month barely went past without a major player in cyber picking up a DLP startup that was often barely 3 years old, and
  • cloud access security brokers (CASBs) and cloud security posture management (CSPM) in the second half of the 2010s, when the same sort of process took place, with big names snapping up specialist minnows to fill out their cyber portfolios.

Expect more to follow. And if you're interested in where the next gold rush (excuse the mixed metaphor here) might take place, Omdia's Funding Tracker can provide some pointers, at least in terms of which sectors have received the most VC money of late: While network security is a hardy perennial, we find that data, cloud, and application security all come close behind (bearing in mind that the last two categories are also converging nowadays).

For the startups themselves, and more particularly for those that are VC-funded, there are effectively two exit routes, by which their investors get their money back. They either go for a flotation on the stock market (aka the IPO route), or they are acquired by a larger vendor (the M&A route).

The IPO route enables the original founders to retain control over their creation, not to mention appearing in photos ringing bells to start the day's trading when the IPO is on the NYSE. The M&A route, on the other hand, keeps them in "golden handcuffs" for a couple of years, working for the new owners and swapping the title of CEO for something like Head of Product Marketing at the larger entity. Not surprisingly, most of them move on as soon as it is legally possible and, nine times out of 10, found another startup.

Hard Road Through a War-Torn Landscape

While IPOing (IPO used as a verb here, a neologism that is common in cyber) clearly has its attractions, it is also a harder road, in that it depends directly on the market, and ultimately broader economic, conditions. If investors are bearish, as when the short-to-midterm prospects for the economy are gloomy, the IPO market tends to shrink, if not dry up for a while. That is the situation we find ourselves in now, which explains why a company like EDR vendor Cybereason was obliged to postpone plans for flotation in mid-2022, laying off around 10% of its staff as it did so. Cloud security vendor Lacework went even further, reducing its headcount by 20% around the same time.

With the ongoing war in Ukraine, a trade war brewing with China, and inflationary pressure coming out of the pandemic, the immediate future is decidedly uncertain, and Omdia does not expect the IPO market to switch back from famine to feast mode any time soon. As such, it is a buyers' market for cyber startups, in that there are multiple young companies with interesting technology and no route to IPO for the time being, making them natural acquisition targets for Big Beasts with a checkbook. Any number of them are definitely in the shop window right now.

Cheap Deals to Come?

Today's macroeconomic conditions are definitely showing an impact on investments in the cybersecurity industry. Most visible are the layoffs going on since last year in the tech world, which may in turn have affected the amount of investment in mergers and acquisitions. Looking at the past nine quarters starting with 1Q21, we saw 1Q23 was the first quarter to have negative year-over-year growth in investments. The 1Q23 number of deals was down to almost half of what we saw in 1Q22.

Post-pandemic M&A activities gained pace from the second half of 2021. From a number-of-deals perspective, the first quarter of 2022 was the highpoint. Meanwhile from a deal-size perspective, the second quarter of 2022 showed the highest recorded investment in the last three years, even excluding the largest single deal, namely Broadcom's $61 billion acquisition of VMware.

According to the Cybersecurity Mergers and Acquisitions Tracker (subscription required), there were 141, 187, and 249 M&A deals in 2020, 2021, and 2022, respectively. It will be interesting to see how 2023 plays out, as in 1Q23 we recorded only 53 deals, with $1.4 billion of investment, which is the lowest of the last two years. In other words, if prospective buyers were being more cautious with their money in the early part of this year, will that caution continue, or were they just holding back until later in the year, when deals may be cheaper?

Editors' Choice
Elizabeth Montalbano, Contributor, Dark Reading
Nate Nelson, Contributing Writer, Dark Reading
Nate Nelson, Contributing Writer, Dark Reading