We were intrigued by news reports recently that thousands of Swedes are exchanging privacy for convenience by having microchips the size of a grain of rice embedded under their skin so they can do a variety of things – from accessing buildings and sharing LinkedIn details at networking events to dispensing with train tickets. Chip providers are reportedly running low on chips, having trouble keeping up with demand. What’s a GDPR regulator to do when his constituents are so cavalier with their personally identifiable information (PII)?

As to why subcutaneous microchips have taken root in Sweden, one theory advanced that Swedes are less concerned about data privacy than people in other countries, thanks to a high level of trust for Swedish companies, banks, large organizations and government institutions. Alas, the rest of us (that is, 99.99% of the world) haven’t arrived at such a sublime state. If anything, confidence in anything we read or hear is increasingly hard to come by.

All of which bodes well for yet another banner year for the cybersecurity industry. While 2018 was a very strong investment year for the sector — by October, private equity firms had already completed more cybersecurity deals in the U.S. and Europe in 2018 than in any other recent full year [1] – 2019 is looking to be another seminal year for cybersecurity investors as several key market leaders are teeing up their IPO.

Despite a recent pullback in the public equity markets, technology firms are increasingly ramping up efforts to tap the stock market while interest rates remain low and valuations of private companies are relatively high. (The operative word here is “relatively”. Notwithstanding the alarming gyrations in the final quarter of 2018, as of this writing valuations are not much below February levels). This is a departure from recent practice. Technology companies, particularly those with uncertain paths to profitability, had been spending more time in the private realm over the past decade, mostly because they can. With investors such as Softbank’s $100 billion Vision Fund able to write shockingly large checks, raising cash privately represented an attractive alternative to going public, with all its attendant disclosure and scrutiny.

Cloudflare, which last raised capital at the end of 2014 and is backed by Baidu, Fidelity, Microsoft and Qualcomm, among others, is preparing for an IPO that is rumored to value it at more than $3.5 billion. Similarly, CrowdStrike, which has raised close to $500 million in private equity, is readying an IPO that could value it at more than $3 billion. Other mature companies that raised large sums in the early years of the decade will likely explore the public markets, if only to conjure up an acquisition by a strategic acquirer.

Look for newly public companies to use their stock as currency for acquisitions. Also look for more add-on acquisitions to PE platform companies. PE firms like to use add-ons to lower their aggregate acquisition multiples, enhancing the potential to benefit from multiple expansion once the combined, now larger company goes public or is itself acquired.

Industry Tailwinds

The only sector, in our opinion, that requires our attention and capital on a level with cybersecurity is infrastructure, where the US is distressingly underinvested. The difference between the two in terms of investment opportunities lies in human nature, i.e., our propensity to wait until enough bad things start to happen. For cybersecurity, the collapse of our metaphorical bridges and tunnels began years ago, and despite our best efforts, is gathering speed.

A few of the tailwinds that will continue to sustain the industry are:

  • Privacy – After a year of awful public relations for the advertising-based online giants, 2019 may well be the breakout year for online privacy rights. As described in The Security Ledger, six months after GDPR went into effect, the true impact of the EU law is beginning to be felt around the world. [2] For the first time, complaints are being lodged and fines levied against non-compliant firms. Companion legislation is being planned or implemented everywhere from California to Colorado, India and Brazil.
  • Fiduciary accountability – Institutional investors are as highly attuned as ever to the reputational and financial risks to their portfolios resulting from security breaches and are holding their companies to account. Digital agency Edelman released results from its Trust Barometer Special Report: Institutional Investors survey of more than 500 chief investment officers, portfolio managers, and buy-side analysts in five countries and found that 98% of them think public companies are urgently obligated to address one or more societal issues, with cybersecurity listed as a top priority.
  • Transition to the cloud – The efficiencies provided by cloud computing are compelling businesses to relinquish their resistance to storing or handling data outside their four walls. Chelsea Stoner of Battery Ventures believes we are still in the second or third inning of this shift, noting that “there is still so much older software out there and new cloud companies coming up all the time”. [3]
  • Zero trust – Transitioning to the cloud is a major driver behind the adoption of Zero Trust, the belief that an organization should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access. Accomplishing that level of verification requires deploying multifactor authentication, identity and access management, orchestration, analytics, encryption, scoring and file system permissions. [4] Such increased vigilance around identifying and analyzing every single user – employees, partners and customers – can be likened to the identification friend or foe system (IFF) used by air traffic control to conserve resources and engage with threats and contributes to Gartner’s forecast of $124B in security spending in 2019, an increase of approximately 9% over 2018.

Investor Attention

Observers of venture investing are well aware of the propensity for faddishness among VCs.  An investment in a company made by a major firm sets off a flurry of investment in similar companies, which often leads to overinvestment in that category followed by diminishing returns. Eventually the door closes on that subsector and VCs move on to greener pastures. Investors tell us that currently the bloom is off the rose for companies focusing on endpoint security, orchestration and deception/decoy.

Because of the ever mutating and evolving threat landscape, along with a continually expanding attack surface, the pace of change in cybersecurity is faster than perhaps any other technology sector. This presents new areas for investment at same time it closes the door on others.

Finally, if we accept the premise that breaches are virtually impossible to prevent, we need to develop solutions that mitigate the damage once inside the fortress. Technologies that are enjoying investor interest are:

  • Breach response, repair, recovery and remediation
  • Encryption
  • Solutions with a vertical focus (e.g. healthcare, government)
  • IoT defense
  • Security for social media
  • Cloud security

Conclusion

To paraphrase a popular Silicon Valley catchphrase, cybersecurity is eating the world. Much as technology has pervaded “old line” industries and legacy companies reposition themselves as tech companies (e.g., Goldman Sachs, GE), cybersecurity has gone mainstream. In today’s world, no company can avoid deploying solutions that protect against digital disaster.

We are painfully aware that our data is out there in the ether, but the convenience and efficiency of an online world is simply too compelling to sacrifice. As our friends in Sweden have demonstrated, that can extend as far as altering our physical being.

Footnotes

[1] Dowd, Kevin. “PE’s US cybersecurity push resumes in 2018 after last year’s lull.” November 5, 2018. Pitchbook. https://pitchbook.com/news/articles/pes-cybersecurity-push-resumes-in-2018-after-last-years-lull

[2] Is 2019 Privacy Rights’ Break Out Year?” December 11, 2018. The Security Ledger. https://securityledger.com/2018/12/is-2019-privacy-rights-break-out-year

[3] Marinova, Polina. “Battery Ventures’ Chelsea Stoner on Growth Investing In the Time of SoftBank.” December 20, 2018. Fortune Term Sheet. http://fortune.com/2018/12/20/battery-ventures-chelsea-stoner/

[4] Pratt, Mary. “What is Zero Trust? A model for more effective security.” CSO Magazine. January 16, 2018. https://www.csoonline.com/article/3247848/network-security/what-is-zero-trust-a-model-for-more-effective-security.html