The new year will bring waves of consolidation and innovation to the cybersecurity market as investors decide which startups will provide the strongest defenses to businesses in need of them.
Global spending on security products and services will close out the year in excess of $114 billion, marking a 12.4% increase from 2017, Gartner research indicates. Next year, the security market is expected to grow 8.7% and hit $124 billion as security leaders aim to use technology to help organizations become more competitive, addressing a broad landscape of risks and varying corporate needs.
As we look to 2019, investors are weighing these risks and needs as they allocate funds toward the companies and technologies holding the most promise for next year. But before we think about the year ahead, let's first recap the year we're leaving behind.
A Look Back: 2018 in Hindsight
According to Hank Thomas, CEO and partner at Strategic Cyber Ventures (SCV), 2018 "was really about people playing catch-up with the attack surface that had gotten out of control."
The top questions companies were asking this past year: "Where is my data?" "What is my most important data?" "Where does my network begin and end?" "What do I need to protect?" "What does my rapidly expanding attack surface look like, and how do I protect it?"
Security was top-of-mind for private equity firms, which spent 2018 building out their infosec portfolios. Thoma Bravo, for example, in May took a majority stake in LogRhythm, a security information and event management (SIEM) company. It later bought security firm Imperva for $2.1 billion in October, which was followed by a $950 million acquisition of Veracode the next month.
The trend affected both large and early-stage companies as private equity players were willing to consider startups in their B or C funding rounds and bring them into the fold, explains Jeff Pollard, Forrester vice president and principal analyst serving security and risk professionals.
"It definitely appears the private equity firms … they've figured out a way to make money off cybersecurity," he explains. While their end game is still "a bit up in the air," he also expects the trend of private equity cybersecurity investment to continue into 2019.
This year also saw security startups exit as bigger firms snapped them up. Automation and analytics were hot technologies for giants including Microsoft and Amazon, neither of which are traditional security firms but are interested in integrating analytics into their feature sets. Other traditional firms invested to address weak spots like identity, says Pollard: Cisco's purchase of Duo Security for $2.35 billion was one of the giant's largest security deals to date.
Investors will be watching as larger firms aim to shore up defenses. Cloud security, for example, is a top priority for Palo Alto Networks, which in March acquired Evident.io for $300 million to strengthen the cloud. Later this year, it doubled its efforts with a $173 million purchase of RedLock.
Future Funding: What's Coming in 2019
Thinking about next year, Pollard expects "a wave of innovation and consolidation" as startups founded to build specific solutions see their technologies integrated into broader platforms.
"Whenever you have a flurry of startup activity, what you find is a lot of vendors trying to solve very similar problems," he explains. What happens in the enterprise is these capabilities make more sense as features of bigger products. The endpoint space, for example, has a wealth of advanced technology and has experienced much consolidation as firms aim to offer a suite instead of a single tool.
Which technologies are investors thinking about in 2019? Unlike in years past, artificial intelligence (AI) and machine learning will not set startups apart, Pollard says. In 2018 we saw "a bit of a swerve," and much of the allure of AI and machine learning disappeared as both became expected features in other technologies. They're not nice-to-have, but must-have, additions.
"It's not that machine learning and artificial intelligence will go away – it's just a default expectation," he explains. "You're not going to be funded because you do cool artificial intelligence and machine learning for security. The people who make more sophisticated use of that and show how it makes a solution will be the organizations that can power forward."
SCV's Thomas foresees the rise of different up-and-coming security products that aren't specifically built for security but have many applications in the space. Computer vision technology, a form of AI, is one example and has varying use cases, from facial recognition to collaboration tools. It can also be used to identify "deep fake" videos that can be used to spread disinformation.
This is an area SCV has been closely considering, Thomas says. Deep fake videos are realistic videos that circulate online and can prompt corporations to ask security teams to react. He describes it as similar to fake news but in the form of an incident that could affect a major organization's security posture. A hacker group that wanted to add a layer of obfuscation and hide their activity could use a deep fake video to distract security teams from their work.
Threats are "potentially catastrophic" and could have major security implications, Thomas adds. SCV has been looking at tech that can confirm with high probability whether content is fake and untangle the "spiderweb of disinformation" online. Corporate America might have to get into the business of identifying fake news as it pertains to network threat activity, he explains.
"A Fortune 100 company could save a lot of money on a threat that's not real," Thomas says. "It's going to be important they have a capability to confirm or deny these threats if it's gonna be in the public domain."
He also expects identity and access management (IAM) will reach a new level in 2019, with different forms of multifactor authentication. The single sign-on password "is mostly dead" in the business world, Thomas continues, and new forms of authentication will surface. A number of companies have started to use computer vision for facial recognition on-premise, he adds.
Pollard anticipates investment in tools designed to bridge the gap between security and business teams. New solutions will emerge to provide security leaders with metrics, dashboards, and visualizations so they can better present security-related data to stakeholders and help enterprise employees view security in a different way. He also expects a growth in services, which he says used to be less attractive to investors but have since seen positive growth.
"It definitely looks like security budgets, and people buying security technologies, are definitely going up," he says. "That's also leading to the investment side going up as well."
New Solutions for New (and Old) Problems
As security budgets rise, so will investments, Thomas says. Many companies still don't know what they need to defend, and their networks are expanding as a result of new trends such as the Internet of Things. Reality will set in during the upcoming year, he adds.
"They have been forced to expand in areas they didn't want to go into, [and] now they're forced to defend more territory than they ever planned on defending," Thomas explains.
Still, the security industry continues to deal with the same problems it dealt with a decade ago, says Pollard, and big security players haven't sufficiently done their jobs to solve them.
"We need innovation," he admits. The market needs new people and talent, he continues, and there is both ample funding and investor interest to bring new ideas to fruition. "If you have an idea for security, start it," Pollard emphasizes. "There's an appetite for this."