In their new book, Big Breaches: Cybersecurity Lessons for Everyone, authors Moudy ElBayadi and Neil Daswani note that more than $45 billion has been invested in cybersecurity companies over the last 15 years. Yet more than 9,000 breaches have been reported over that time, and the scope of attacks has only increased.
What that means is that the market for investment in security solutions is scaling at a rapid rate. The ecosystem of solution providers has become increasingly diverse, and the ways in which these products are inserted within companies continues to evolve.
We believe there’s a compelling argument for investing in platforms that can help enterprises prevent exploits, remediate attacks, and enhance their security posture. Here are some of the security investment trends shaping our thinking.
“Any business trying to compete in today’s marketplace needs some kind of digital strategy. We need to move cybersecurity from being a classic IT problem to a broader business one (we call that shift from the ‘server room’ to the ‘board room’). What does it mean for the executive management team to get engaged around security topics? What does it mean for the board to help security teams do what needs to be done to protect their companies’ brands, assets and reputation?”
– Moudy ElBayadi, SVP & CTO, Shutterfly
Four Top Trends Driving Adoption
We see four key trends driving the increased adoption of security platforms.
1. Transition to Cloud Native Apps
What was once a leading-edge trend has become standardized. Containerization and Kubernetes have helped to accelerate the move from monolithic applications to lightweight microservices that communicate via APIs, increasing their portability, flexibility, and scalability. At the same time, though, they’ve also increased the security attack surface by an order of magnitude. A single external firewall is no longer enough. Enterprises need to track data movement and network communications across APIs from a service and security perspective.
2. ‘Shift-left’ to Developers
The rise of cloud native and DevOps methodologies like CI/CD has accelerated the shift left to development, increasing the potential for code vulnerabilities, infrastructure misconfigurations, and poor practices. These rapid development cycles have pushed more responsibility for app security onto development teams and put more pressure on security teams working with developers. Whether you think about it as SecDevOps or DevSecOps, the problem remains.
3. Movement towards the Edge
Cloud native hasn’t just pushed applications across the cloud; it’s also moved them to the edge. Mobile, 5G, and IoT all play a huge part in this. We’ve seen multiple examples of vulnerable edge devices, as well as the need for more intelligent security across an organization’s entire infrastructure. With more distributed work teams and flexible working models, organizations also need to be concerned about security in private and public clouds, apps, personal devices, and every step of the network in between.
4. The Growth of AI and ML
The overuse of these buzzwords within both IT and security over the last few years has made some people skeptical about them. But we believe machine learning can be an effective force multiplier in helping security teams analyze and prioritize threats, particularly as attack surfaces continue to grow and teams have limited personnel to address these threats.
New Go-To-Market Models
These trends have also impacted how security products find their way into organizations. We’re all familiar with the top-down model, where applications are sold at the executive level and then pushed down into the organization. We’ve also seen how product adoption can start at the lowest level and percolate upwards. But what’s becoming more popular is what we call the ‘middle-out’ or ‘sandwich’ model, where product insertion happens at the middle-management level, then spreads in both directions, with the upsell happening at the CISO or executive level.
The reality is that not every business can be built bottom-up, and there will continue to be top-down sales. But middle-out is becoming more and more interesting among our portfolio companies as a way to focus on product usage, and then upsell to executives once they gain traction within the organization. This means that sales efforts need to be more product-led, and companies have to engage more closely with security personnel as well as developers and product managers if they wish to be successful.
Security professionals need to focus on telling stories and to back up those stories with metrics, so their boards can understand what needs to happen to put their companies and the world on a path to recovery.
Our Investment Approach
There are six primary areas where Mayfield has focused its security portfolio:
1. Secure App Life Cycle
The discussion around SecDevOps vs DevSecOps indicates a clear need for building a chain of security trust across the entire development cycle. There are two insertion points here: at the security team that’s trying to provide a more secure environment, and at the developers, where the aim is to educate coders to adopt more secure practices. But the budget comes from the security team.
2. Identity and Access Management
This category encompasses both the digital and the physical. The proliferation of cloud native apps and distributed users drives a need for stronger access control from app to app and from user to app. And as we eventually return to our workplaces, organizations need to optimize access to both buildings and the devices inside them. They need the ability to audit compliance with policies and build intelligence into the process.
3. Infra-as-Code Security
This is really about how we automate infrastructure provisioning across public and private clouds. There are a number of companies focused on identifying misconfigurations as well as malicious changes, then automating their remediation.
4. Incident Management
When things go wrong, how do you determine the root cause and bring the right people together to fix those issues? There are a number of companies taking a bottom-up approach here, going directly to the IT or security people responsible for managing that.
5. API security
The rise of cloud native has increased API communications, so there are now more companies providing solutions for public and private API security and management.
6. Data Protection
As we discussed in our recent CISO roundtable [add link here], risk management is going to play an increasingly large part in security roles going forward. There are several companies that focus on using machine learning to intelligently identify and protect against data loss, as well as strengthening a company’s overall security posture.
That’s the quick summary of how we see security investment trends going forward in 2021. But we are always interested in your point of view on these and other topics.