Benny Lakunishok, cofounder and CEO, Zero Networks.
In 2023, the cybersecurity industry will likely consolidate as fewer startups will be founded and many current companies will struggle to exist and potentially disappear. Many well-established, later-stage companies are already feeling the pain. Snyk and Cybereason, for example, both had very public layoffs. However, this does not mean the cyber sector will contract; it will continue to grow with an even temper but much less hype. We’re already seeing it. “The recently ended third quarter saw only $2.6 billion go to startups in cyber, the lowest total since the same quarter in 2020, which saw $1.6 billion invested,” according to Crunchbase.
With less publicity, many hyper-valued companies (you know who you are) will likely experience down rounds. According to DataTribe, the average valuation for seed-stage companies in cybersecurity fell by a third to $12 million during Q2 compared to $18 million in Q1. In particular, I predict that cloud security, while vital, will be seen as a feature versus a true stand-alone capability or company.
As a result, many companies may put themselves up for sale. For example, Cybereason recently scrapped IPO plans and is seeking a buyer. Since Cybereason is large and commands headlines, it justifiably got a lot of attention. But the exact same dynamic is taking place among smaller, less famous cybersecurity firms as well.
The market’s consolidation will likely mean customers will want to buy software bundles. By purchasing packaged cybersecurity software, customers can solve a broader set of needs and simplify operations while getting a single place for service and support. This only accelerates the security vendor consolidation trend that a Gartner survey identified a year ago.
As usual, the manpower shortage will continue—as well as the need to prioritize. According to an ISC2 report, “The global cybersecurity workforce shortage widened by 26.2% to 3.42 million.” This means that cyber teams will simply spend money on tools and technologies that make them more efficient.
Does this mean more money for automation? Not necessarily. Despite the marketing buzz, the reality remains that few things in security can be automated.
The threat landscape will remain complex, with a strong focus on continuing ransomware automation. As the saying goes, nothing succeeds like success. As Microsoft has detailed, ransomware as a service is now a full-fledged industry.
Finally, get ready for another big one—something akin to Log4j. Every year, we see a cyberattack group find a super vulnerability and get a lot of attention. This is not going to change.
What does this mean for CEOs, CIOs and CISOs?
• Don’t skimp on security and retain a strong budget, but be sure to spend pragmatically. Ask yourself what most attackers are doing that you can solve easily. For example, have you turned on MFA everywhere?
• Don’t forget basic security hygiene. Be sure to close external weaknesses before someone else finds them.
• Modernize security by looking at innovative security bundles versus old-school ones that still position the firewall as the center of the security universe.