The infosec investment landscape: Which tech gets the most bucks?

How many cybersecurity vendors are active at the moment? What are they offering? How is their business doing? These are just some of the questions that Richard Stiennon, Chief Research Analyst at IT-Harvest, is trying to answer on a daily basis. The former Gartner Research VP and industry executive is one of the industry’s most prominent analysts and creator of the Analyst Dashboard, a web app that reveals data on 2,850 cybersecurity vendors.

In this Help Net Security interview, he talks about the infosec investment landscape as well as the challenges related to gathering all this data.

You’ve been in this industry for a long time and you’ve seen countless vendors come and go. How has the dynamic of investments in cybersecurity startups changed over the years?

It’s a tangled web. Over the years the cybersecurity investment ecosystem has grown in parallel with the industry itself, which, in turn, grows with technology adoption and in response to attacks against that technology. In the beginning, cybersecurity investment was a tuck-in to the dot-com boom. Companies like Check Point, Symantec, and Network Associates (later Mcafee, then Intel Security, then McAfee, now Trellix) started to grow and attract the attention of a handful of venture capitalists.

As the cybersecurity industry matures and their blow-out financial success like Fortinet, Palo Alto Networks, Okta, Crowdstrike, and Zscaler, more investors are getting in the game. I track 3,200 of them in the Analyst Dashboard, a tool we built to research the entire industry. If you include individuals, there are more investors than cybersecurity companies!

Two interesting developments: there are now VC firms that focus solely on cybersecurity. We track 18 active cybersecurity companies funded by ForgePoint Capital. YL Ventures has made 23 investments with 11 successful exits. 1011 Ventures has made 36 with eight great sales and two IPOs.

The other shift over the years is the interest in cybersecurity from Private Equity investors. If VCs are like savvy gamblers at a horse track, PE investors are like financial engineers. They analyze a market a find where they can inject their capital to get the best returns. They have been responsible for some the largest buyouts and roll-ups in our industry.

What are investors most interested in these days? What technologies are particularly hot at the moment?

Money is pouring into security analytics. These are companies that have tools to assist security teams in tracking down and warding off attackers already in their networks: SIEM, XDR, even AI. That space has taken in $2.6 billion in the first half of 2022.

Meanwhile, identity and access management is seeing a surge of investments; $1.5 billion so far this year. You would think we would have figured out Identity after three decades but there are 385 vendors in this space and they are growing at 24% a year.

Although the investments are lower, the highest number of newly funded companies is in governance, risk management, and compliance (GRC). Twenty-nine in the first half. This is on pace to beat last year’s 49 new investments in GRC. If you think about it, compliance and risk management are bookkeeping tasks so the technology investment is lower but the demand is high thanks to increased regulations.

Large IT companies are talking about an upcoming economic downturn, do you expect investments in infosec vendors to fade later this year?

Not at all. Yes, the public markets have been hammered since January 1st, but I do not see a dramatic decline in spending in cybersecurity. The big vendors feel it because they have huge projects worth millions of dollars that their customers can delay a couple of quarters. Most of them remember the downturn in 2009 and are preparing for something similar.

In Q1 it looked like 2022 would see more total investments than 2021’s record $24 billion. But Q2 saw a fall off so we are going to end the year with about $20 billion invested. That is similar to 2020 which was a record at the time.

You deal with a huge number of companies and products, what is the most challenging part of your work as a research analyst? How do you keep track of everything?

We have been building tools and processes to give a bottom-up picture of the entire industry. I want to discover and track every single vendor of cybersecurity products in the world. While we add about 500 a year, there are at least 200 failures and 200 acquisitions.

My research teams here in the US and India populate the database with each vendor’s details (head count, location, investments, key people, awards, and events) on the first day of every month, but the hardest thing is categorization.

Vendors refuse to self-categorize. They all apply “advanced machine learning and artificial intelligence to solve the most pressing cybersecurity challenges facing the enterprise.” Luckily, while their landing pages are littered with buzzwords like zero trust, passwordless, and cloud, their product pages are harder to obfuscate. It might take some digging, but eventually you figure out if they are NDR, authentication, threat intelligence (not digital risk protection! What does that even mean?). They always fit in one of the 17 categories I track.