10 Predictions to Kick Off the New Year in Security — Starting Now with RSA

In the world of Cybersecurity, most experts would say that their year begins with the RSA Conference. As a Cybersecrurity investor, I agree. After all, more than 45,000 attendees will flock to San Francisco starting tomorrow (April 16th) to talk all things security.

To kick off our New Year, we at Shasta, will be hosting a Cocktails Reception on April 17 at 5pm. This unique opportunity will allow executives to meet stellar security startups and network with security industry luminaries, Chief Information Officers (CIOs), and Chief Information Security Officers (CISOs). If you’d like to join the festivities, please contact me to request an invite.

Here are my 10 Cybersecurity predictions for the upcoming year.

1) Data Privacy And Regulation Will Dominate Conversations

Data privacy and regulation has always been a talking point, but this summer it will take center stage. Conversations will converge around more concrete actions to protect data. Several tailwinds have led to this movement. The recent Facebook and Cambridge Analytica scandal is nudging data privacy and regulation into the spotlight. Although the European Union’s Global Data Protection Regulation (GDPR) will go live in Europe on May 25, we in the US have just started discussing the framework around data protection. This will lead to future regulation– not within the next year, but we’re on that path.

2) Breaches Are Inventible, CISOs Will Shift Focus to Crisis Management

As hacking scandals continue to riddle worldwide headlines, norms are gradually shifting. Hiding breaches from customers and shareholders is no longer acceptable. Now, companies will implement crisis management plans. Companies, with their PR departments, will start to design plans to communicate a breach with a pre-determined set of actions. Over the next year, we’ll see some companies manage crisis with transparency and openness.

First step in Crisis Management, however, is single pane of glass and visibility into a company’s security operations. Consequently, Security Orchestration, Automation and Response (SOAR) will become an increasingly important category. Companies can’t just rely on great tools and people to prevent breaches. A structured approach is necessary to deal with threats. To prepare for potential investigations, companies will need to log and document their threat response. Ideally, software will do the heavy lifting. Last month, we saw Splunk acquire Phantom for approximately $350 million. Other companies include Siemplify, Demisto, Swimlane and Cybersponse. No two companies here are the same. As an example, Siemplify’s solution has an incredible workbench and ability for security analysts to create and execute playbooks to respond to threats, in addition to integration with other security vendors for threat intelligence and response.

3) AI Will Drive the Cybersecurity Arms Race

We’re in a modern-day arms race where the battleground is the cyber front. CISOs need to stay ahead of modern technologies, like AI and machine learning, used by attackers to penetrate the corporate and government cyber defenses.

Bad actors are often well financed and even backed by nation states. To effectively defend against these threats, our defense tools need to evolve. Decade old technologies need to be augmented or replaced.

The use of data science and AI by both attackers and defenders are resulting in innovation and investment opportunities across the cybersecurity spectrum. AI is not an end in itself. It’s a means to an end and is core to technologies built for modern defense systems.

4) Application Security Will Get a Facelift

Earlier this year, I led an investment in an exciting bot security company, called Stealth Security. They provide Fortune 500 organizations with broad, real-time security coverage across web, mobile, and IoT platforms. Stealth Security’s unique advantage is that they detect and deceptively mitigate responses to bot attacks.

Most of the tools today are rules-based and are in dire need of an upgrade. This means that although it can sometimes protect against known attacks, it can’t prevent unknown attacks that are harnessing modern technology. Bots fall into this category. Bots are one of the most common way for attackers to penetrate an enterprise. We believe there is a huge opportunity to stop bot attacks. And, I’m excited that we are fortunate enough to be Stealth Security’s financial partners.

Let’s switch gears to another area of application security: code and application vulnerability assessment. Over the next 12 months, there will be significant noise about this category because of the 2017 Equifax breach. This breach was caused by vulnerability in open source Apache Struts code that Equifax was using in their application, and their inability to catch it.

As applications include more open source code, move workloads to the cloud, and deploy on serverless architectures, we’ll see CISOs prioritize vulnerability assessment. One company interesting company is Snyk, that helps companies use open source code, and helps continuously finds and fixes vulnerabilities in company’s dependencies.

5) Email Security is Cool Again

Email is still the most popular form of business communication. It’s also a hotbed for attacks.

Despite a plethora of incumbent email security solutions, a significant majority of companies can’t prevent fake emails. So, for those of us in the industry, it was always cool! But, now it’s starting to enter mainstream conversation.

As far as priorities go for CISOs, email security is within the top three, and the US Government recently issued a mandate requiring all federal agencies to secure their emails through DMARC. These developments indicate there will be increased spending to protect individuals and corporations.

To see if attackers can impersonate your company to send fake emails, visit Shasta’s portfolio company, Valimail’s free domain checker. Remember to check all your non-primary domains such as: .net, .org, and so on.

6) Post-Quantum Cryptography Will Enter the Conversation

Current cryptography methods are based on this premise: no current computing architecture is fast enough to break the underlying mathematics that defines the particular algorithms.

Let’s unpack this. For example, the RSA is a form of Asymmetric (public) key encryption. It creates a public key and a private key. Public key is used for encryption and private key for decryption. RSA multiplies two VERY large prime numbers, and only the holder of private key knows the specific prime numbers in order to decrypt. Security is guaranteed since current computers are unable to factor such large numbers and break the encryption. Quantum computers using Shor’s algorithm should break some public keys by 2022 and the majority within the next decade, according to Gartner.

With IBM and Microsoft announcing on-demand quantum-computing-as-a-service offerings, we’ll see an exponential increase in development to further the Quantum Computing revolution.

This is still fairly far off. The Gartner estimate above assumes a 128-bit RSA key. Today, most keys are 256-bit or 512-bit; or can be easily upgraded. Highly secure facilities use 2,048-bit keys. This means that we are still years away from such significant quantum code-breaking. Further, symmetric key cryptographies such as AES-256, 3DES, etc. can be even more secure in some instances.

So, while it’s not an immediate security risk, given the magnitude of risk, we’ll see companies starting to evaluate new technologies to protect themselves. The National Institute for Standards and Technology (NIST) took the first steps towards Post-Quantum Cryptography standardization this past year.

7) Physical Security and Cybersecurity Will Converge

The demand for connectivity continues to rise. Connected home devices, connected cars and autonomous vehicles are driving consumer demand. Similarly, industrial equipments (e.g. medical devices, oil rigs, mining drills, etc.) and critical infrastructure (e.g. power plants, transformers, etc.) are upgraded with intelligent sensors and broad-based connectivity. Consequently, we have increased the attack surface by a few orders of magnitude over the past few years.

Earlier this year, the Meltdown and Spectre attacks further highlights the inherent risks within embedded systems and the likelihood that we will see more of this type of attack.

At Shasta, we are proud investors in Mocana, which provides security for IoT devices and device-to-cloud communications.

8) We Need To Redefine “User” and “Identity” for Identity and Access Management (IAM) Tools

Today, the two most common types of users are privilege users and business users. Privilege users are individuals, such as IT professionals, who are granted access to multiple systems and admin-level access. Business users are everyone else.

Over the next 12 months, the lines between privilege and business users will blur. This is largely because things are shifting. Since more business users are now using SaaS applications and deploying cloud-based workloads, business users are starting to resemble privilege users. Existing IAM tools are not equipped to handle this change. Consequently, this will breed a new generation of start-ups that will help companies implement these changes. PlainID and OnionID are two companies that are doing exciting things in this space.

Currently, identities are tied to users. Now, the definition of identities will catch a wider net to encompass applications alongwith users. In other words, we will see identity and access management for databases, APIs and cloud systems, similar to how we have been accustomed to for users. This is a broad area with lots of opportunities, and I made an investment in Aquera, an exciting startup that helps companies build security-first integration platform. The beauty of the Aquera platform is that it requires zero programming and instantly integrates any application, database, directory or device to the application platform of choice including identity management, business process management and business analytics platforms.

9) Over The Next Year, Expect to See 6 to 8 Cybersecurity IPOs

We saw four successful IPOs in the last 12 months.

  • Okta (NASDAQ: OKTA; Market Cap — $4.3B)
  • Zscaler (NASDAQ: ZS; Market Cap — $3.3B)
  • Sailpoint (NYSE: SAIL; Market Cap — $1.9B)
  • Forescout (NASDAQ: FSCT; Market Cap — $1.3B)

Plus, Carbon Black and Avast recently announced their plans to go public. According to some estimates, there could be up to eight additional companies on the docket to go public, led by endpoint security vendors. This trend matters because it’ll lead to newer players with access to public capital and will further drive consolidation. In other words, there will be more M&A activity.

10) M&A Activity Will Rise

In 2017, we saw more than $20B in total M&A volume, according to Momentum Cyber. One of those was a Shasta portfolio company — Skycure, that Symantec acquired. They continue to excel within Symantec, thanks to Skycure co-founders Adi Sharabani and Yair Amit.

So far, in 2018, we have seen $2.5B of M&A activity. I expect this to accelerate towards the latter half of this year. There are the five main categories of acquirers I expect to see active over the next year:

  • Pure-play security vendors — Companies like Symantec, Palo Alto Networks, FireEye and Checkpoint will continue to grow through acquisitions. In addition, newly minted public companies and other fast-growing companies with large balance sheets will look at multiple $50–200M acquisitions to boost their portfolios.
  • Large Muti-platform technology vendors with growing security practices — in particular, Microsoft, Cisco and AWS will continue to see Cybersecurity as a strategic asset within a broad software portfolio.
  • Private Equity buyers building a platform approach — led by Thoma Bravo via Barracuda Networks; TPG via McAfee and Skyhigh; and Vista Equity via PingIdentity. Given the opportunity to add assets via a platform and a number of available vendors, we’ll see much more activity over the next 12 months.
  • MSSPs— MSSPs are non-traditional buyers, but have been increasingly active in looking at bringing software tools in-house.
  • Large non-security vendors— Large mega-cap corporates GE, BMW, GM, Boeing, Honeywell, Hitachi and others would dip their toes in security software, particularly for Industrial IoT security vendors, and we would see strong activity from them.

I’m ecstatic about our upcoming year in security and I can’t wait for it to get started on Monday.

What do you think about my predictions? Is there a specific point that you want me to explore deeper? If so, please leave a comment below.