Cybersecurity Investing In The Age of Perpetual Cyber Conflict: EQT Growth’s Perspective on Emerging Themes

Louise Ellis
EQT Growth
Oct 10, 2022

Over the summer, the world’s largest sovereign wealth fund explained the biggest threats it faces today. For a $1.2 trillion fund that owes much of its value to oil, it would be fair to assume that recessions, volatile financial markets and a global energy crisis might be top of the list. You’d be wrong.

Nicolai Tangen, the chief executive of Norges Bank Investment Management, cited cybersecurity as his biggest fear. In an interview with the Financial Times, he explained that the number of significant hacking events had doubled in the past two to three years. Indeed, if it were measured economically as a country, then cybercrime would be the world’s third-largest economy after the U.S. and China.

It is clear that the need for cybersecurity defence across the whole lifecycle, from identification to recovery, has never been greater. In this post, we will lay out five emerging themes that we see as particularly relevant in an ever-changing threat landscape and that will likely offer opportunities for growth investors like us in the not-too-distant future.

Theme #1: Cloud — An Enduring Focus Area

While enterprises increasingly moving into cloud environments is not a new story, the pandemic has undoubtedly hastened this trend thanks to increased working from home: by 2023, Gartner estimates that 40% of enterprise workloads will be deployed in cloud infrastructure and platform services, up from 20% in 2020.

With more openings for attacks, security teams also have to contend with a nebulous cloud environment that makes it challenging to determine the extent of potential exposure and mitigate risks. On the exposure side, this can include the proliferation of “shadow IT” as individual teams purchase SaaS tools without broader sign-off, creating significant potential liabilities. On the mitigation side, the cloud shared responsibility model means CISOs are increasingly dependent on cloud vendors to quickly flag and remediate vulnerabilities. This can be challenging for cloud providers who are not regularly interfacing with security teams.

These are just two examples. Burgeoning cloud environments present countless additional complexities. We believe that this will lead to more fragmentation in the vendor landscape and that a higher number of tools will be required. As cloud becomes the default, we expect that cloud security will no longer be the primary classification category; instead, vendors will take a specific pain point within cloud, such as identity for cloud, and cover that. Ultimately this will facilitate a best-of-breed approach and lead to stronger overall protection for these nebulous environments.

Theme #2: AppSec 2.0

As adoption of more foundational application security around code scanning matures, we see increased appetite for tools addressing more granular application security (AppSec) risks or offering more orchestration functionalities to support enhanced security coverage and better integration with developer teams. We see this theme as being particularly appropriate for larger enterprises with a substantial existing AppSec practice that have conquered most of the “easy wins” around testing and are now looking for more support with automation or to defend against emerging threats.

One area of this space we are particularly excited about is API security. Most traditional code testing tools are not fully fit-for-purpose here and, as more enterprises embrace microservices, this creates a much higher level of potential risk. This increase in API traffic and uptake has been well-documented in the market, with Cloudflare noting in their traffic report earlier this year that API traffic is growing at roughly double the rate of conventional traffic on their network. This is not a surprise given that API growth is deeply entangled with the growth of cloud and web services more generally. We also see AppSec workflow / orchestration tools as providing significant value add, given that ensuring the right coverage across a disparate enterprise application portfolio can be challenging, particularly when combined with the need to engage developer teams to deliver long-term resiliency.

Theme #3: Managing Identity As Perimeter & Zero Trust

Identity as perimeter and zero trust are not new themes, but we have seen increased adoption and focus on these areas post-COVID. As organisations move beyond the initial frameworks of these implementations (for example, reflecting zero trust in identity & access management policy via single sign-on tools) and regulators elevate standards in this space, we see strong potential for future growth. Specifically, we’re excited by companies improving visibility and policy management in order to further contextualise and enrich existing zero trust architectures.

A key issue driving this need is identity sprawl: research from OneIdentity has shown that, compared with 10 years ago, 84% of enterprises have seen at least a doubling in the number of entities managed, with 25% seeing more than ten times the number of identities. Given this complex environment, merely having an enhanced authentication framework is not sufficient. It becomes even more important to understand relationships between identities and how they clearly relate to business requirements and policies.

Unlike some of the other themes identified in this post, we believe this is a topic equally applicable to large and small organisations. Indeed, in many ways SMEs are perhaps the best suited to easily adopt zero trust given they are often working within cloud platforms and leveraging browser-based tools such as G-Suite.

Theme #4: Physical Environment (OT / IoT) Necessitates Specialist Tools

According to Gartner, attacks on organisations in critical infrastructure sectors have increased dramatically: from fewer than 10 in 2013 to almost 400 in 2020. This theme of increased OT attacks is something we also expect to see mirrored in IoT over time: as IoT devices grow more sophisticated, so too will their manipulation potential, and eventually they may need to be treated like conventional endpoints. We see the risk as being particularly acute in certain industries, such as healthcare, which have more exposure to this connected device theme.

In addition to elevated risks in this space, we also believe that the specific demands of the sector mean it has very different requirements to conventional security. For example, if a potential breach is discovered in an OT environment, resolving that might mean completely shutting down a factory for a period of time, with meaningful revenue impact. This creates a whole new business vs. security risk angle. Ultimately this means much more granular risk impact analysis is required. Many companies operating in this space are also early in the maturity of their security programme and so may even lack a comprehensive asset inventory as a baseline, meaning incident response can also be challenging and complex.

Theme #5: Skills Shortages Remain a Pain Point

Per a recent World Economic Forum survey, 59% of respondents thought it would be challenging to respond to a cybersecurity incident owing to a shortage of skills within their team. The impact of skills shortages is pervasive and does not show any signs of abating.

We believe that this skills crisis (while obviously challenging for the industry) creates interesting opportunity pockets across the cybersecurity lifecycle. Whether it intensifies moves towards automation tools to reduce manual workflows or it leads to demand for cyber upskilling and bug-bounty tools, the implications of this crisis are vast as enterprises look to do more with less.

When it comes to automation, we see companies increasingly moving beyond more legacy security orchestration, automation and response (SOAR) tools that tend to focus on threat intelligence, detection and response elements of the lifecycle, towards thinking more holistically about other tasks that can benefit from this approach. This feeds into a more general theme in the market around reduction of alert fatigue: whether via offering improved aggregation or triage functionalities or enhancing automation to decrease the burden on security teams.

Ultimately, we believe the implications of skills shortages in cybersecurity will continue to reverberate for years to come, and so vendors who enable security teams to upskill or be most efficient with their time are likely to be well-positioned.

Summary: An Exciting Space for Growth Investors

At EQT Growth we want to find best-in-breed solutions with disruptive technologies, supported by some of the clear thematic trends discussed earlier in this article. We are excited about the broader cybersecurity space and in particular some of the emerging themes as the industry continues to grow and develop. To bring this to life a little more, you can also find below a selection of companies focused around these themes.

If you are a cybersecurity entrepreneur looking for growth stage capital, we would be thrilled to be in touch! And if you have thoughts on the themes discussed in this piece, we would love to hear what you think. Comment below or join the conversation on our LinkedIn and Twitter.
