Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12:00 PM
Connect Directly

Spending Spree: What's on Security Investors' Minds for 2019

Cybersecurity threats, technology, and investment trends that are poised to dictate venture capital funding in 2019.

The new year will bring waves of consolidation and innovation to the cybersecurity market as investors decide which startups will provide the strongest defenses to businesses in need of them.

Global spending on security products and services will close out the year in excess of $114 billion, marking a 12.4% increase from 2017, Gartner research indicates. Next year, the security market is expected to grow 8.7% and hit $124 billion as security leaders aim to use technology to help organizations become more competitive, addressing a broad landscape of risks and varying corporate needs.

As we look to 2019, investors are weighing these risks and needs as they allocate funds toward the companies and technologies holding the most promise for next year. But before we think about the year ahead, let's first recap the year we're leaving behind.

A Look Back: 2018 in Hindsight
According to Hank Thomas, CEO and partner at Strategic Cyber Ventures (SCV), 2018 "was really about people playing catch-up with the attack surface that had gotten out of control." 

The top questions companies were asking this past year: "Where is my data?" "What is my most important data?" "Where does my network begin and end?" "What do I need to protect?" "What does my rapidly expanding attack surface look like, and how do I protect it?"

Security was top-of-mind for private equity firms, which spent 2018 building out their infosec portfolios. Thoma Bravo, for example, in May took a majority stake in LogRhythm, a security information and event management (SIEM) company. It later bought security firm Imperva for $2.1 billion in October, which was followed by a $950 million acquisition of Veracode the next month.

The trend affected both large and early-stage companies as private equity players were willing to consider startups in their B or C funding rounds and bring them into the fold, explains Jeff Pollard, Forrester vice president and principal analyst serving security and risk professionals.

"It definitely appears the private equity firms … they've figured out a way to make money off cybersecurity," he explains. While their end game is still "a bit up in the air," he also expects the trend of private equity cybersecurity investment to continue into 2019.

This year also saw security startups exit as bigger firms snapped them up. Automation and analytics were hot technologies for giants including Microsoft and Amazon, neither of which are traditional security firms but are interested in integrating analytics into their feature sets. Other traditional firms invested to address weak spots like identity, says Pollard: Cisco's purchase of Duo Security for $2.35 billion was one of the giant's largest security deals to date.

Investors will be watching as larger firms aim to shore up defenses. Cloud security, for example, is a top priority for Palo Alto Networks, which in March acquired Evident.io for $300 million  to strengthen the cloud. Later this year, it doubled its efforts with a $173 million purchase of RedLock.

Future Funding: What's Coming in 2019
Thinking about next year, Pollard expects "a wave of innovation and consolidation" as startups founded to build specific solutions see their technologies integrated into broader platforms.

"Whenever you have a flurry of startup activity, what you find is a lot of vendors trying to solve very similar problems," he explains. What happens in the enterprise is these capabilities make more sense as features of bigger products. The endpoint space, for example, has a wealth of advanced technology and has experienced much consolidation as firms aim to offer a suite instead of a single tool.

Which technologies are investors thinking about in 2019? Unlike in years past, artificial intelligence (AI) and machine learning will not set startups apart, Pollard says. In 2018 we saw "a bit of a swerve," and much of the allure of AI and machine learning disappeared as both became expected features in other technologies. They're not nice-to-have, but must-have, additions.

"It's not that machine learning and artificial intelligence will go away – it's just a default expectation," he explains. "You're not going to be funded because you do cool artificial intelligence and machine learning for security. The people who make more sophisticated use of that and show how it makes a solution will be the organizations that can power forward."

SCV's Thomas foresees the rise of different up-and-coming security products that aren't specifically built for security but have many applications in the space. Computer vision technology, a form of AI, is one example and has varying use cases, from facial recognition to collaboration tools. It can also be used to identify "deep fake" videos that can be used to spread disinformation.

This is an area SCV has been closely considering, Thomas says. Deep fake videos are realistic videos that circulate online and can prompt corporations to ask security teams to react. He describes it as similar to fake news but in the form of an incident that could affect a major organization's security posture. A hacker group that wanted to add a layer of obfuscation and hide their activity could use a deep fake video to distract security teams from their work.

Threats are "potentially catastrophic" and could have major security implications, Thomas adds. SCV has been looking at tech that can confirm with high probability whether content is fake and untangle the "spiderweb of disinformation" online. Corporate America might have to get into the business of identifying fake news as it pertains to network threat activity, he explains.

"A Fortune 100 company could save a lot of money on a threat that's not real," Thomas says. "It's going to be important they have a capability to confirm or deny these threats if it's gonna be in the public domain."

He also expects identity and access management (IAM) will reach a new level in 2019, with different forms of multifactor authentication. The single sign-on password "is mostly dead" in the business world, Thomas continues, and new forms of authentication will surface. A number of companies have started to use computer vision for facial recognition on-premise, he adds.

Pollard anticipates investment in tools designed to bridge the gap between security and business teams. New solutions will emerge to provide security leaders with metrics, dashboards, and visualizations so they can better present security-related data to stakeholders and help enterprise employees view security in a different way. He also expects a growth in services, which he says used to be less attractive to investors but have since seen positive growth.

"It definitely looks like security budgets, and people buying security technologies, are definitely going up," he says. "That's also leading to the investment side going up as well."

New Solutions for New (and Old) Problems
As security budgets rise, so will investments, Thomas says. Many companies still don't know what they need to defend, and their networks are expanding as a result of new trends such as the Internet of Things. Reality will set in during the upcoming year, he adds.

"They have been forced to expand in areas they didn't want to go into, [and] now they're forced to defend more territory than they ever planned on defending," Thomas explains.

Still, the security industry continues to deal with the same problems it dealt with a decade ago, says Pollard, and big security players haven't sufficiently done their jobs to solve them.

"We need innovation," he admits. The market needs new people and talent, he continues, and there is both ample funding and investor interest to bring new ideas to fruition. "If you have an idea for security, start it," Pollard emphasizes. "There's an appetite for this."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Moderator
1/17/2019 | 1:12:47 AM
What is new?
A brand new year calls for a brand new series of potential cyber threats. What can we expect and what can we truly do from our end to prevent contracting any risks? It is a whole new challenge which we need to invest our precious time at in order to always be at guard against potential risks to attacks.
User Rank: Apprentice
1/8/2019 | 3:10:17 AM
Spend on what you need
I think that a lot of companies are realising that they will eventually end up spending more money than the amount they would have saved on security if they didn't do a proper job installing some proper system to begin with. It's an expensive price to pay if you don't make sure you've done a proper job in the beginning!
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e.g., disable access to the database after the attack stops) via history requests. This occurs because of a SELECT COUNT statement that requires a full index scan, with an accompanying large amount of server resources if there are m...
PUBLISHED: 2021-05-10
Cross Site Scripting (XSS) in Hotels_Server v1.0 allows remote attackers to execute arbitrary code by injecting crafted commands the data fields in the component "/controller/publishHotel.php".
PUBLISHED: 2021-05-10
An exploitable SQL injection vulnerability exists in ‘manageServiceStocks.jsp’ page of OpenClinic GA 5.173.3. A specially crafted HTTP request can lead to SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
PUBLISHED: 2021-05-10
An out-of-bounds write vulnerability exists in the import_stl.cc:import_stl() functionality of Openscad openscad-2020.12-RC2. A specially crafted STL file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
PUBLISHED: 2021-05-10
OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vu...