This year has proven to be a tough one for cybersecurity companies. While Q2 saw a slight increase in funding for cybersecurity startups, that is really just a testament to how much funding dried up in the first two quarters. The first quarter of 2023 saw $2.7 billion in funding, which was a whopping 58% drop over Q1 2022. The second quarter was even worse, clocking in at $1.8 billion to 2022's $4.1 billion. Despite a slight improvement in Q3 - $1.9 billion - funding is still down 30% from this time last year.
There are other signs that there is trouble in the water. Earlier this month, network detection and response company IronNet ceased operations and is preparing to file Chapter 7 bankruptcy, and some expect more cybersecurity companies to follow it. According to layoffs.fyi, 53 security companies have announced layoffs since January 2023, including Malwarebytes, Fortinet, Dragos, and my own company, Cisco.
While layoffs are terrible, there are plenty of reasons to be hopeful. For one, it looks like cybersecurity spending is fairly resilient to inflation and fears of recession. Here is the Wall Street Journal:
Cyber budgets grew this year for the most part, but modestly, IANS found in a study with recruiting company Artico Search. After double-digit increases in 2020 and 2021, the average growth in cybersecurity budgets for 2023 was 6%, according to the survey of 550 security executives. As a portion of overall technology budgets, cyber accounted for 11.6%, the study found. Around 37% of respondents to the survey said their cyber budgets were flat or reduced, the survey found.
While this certainly isn't the boom years of 2020 and 2021, a six percent increase isn't so bad compared to many other sectors of technology. Still, it begs the question: what does this mean for the industry as a whole? Since the beginning of my career, this industry has been a rocket ship, and many of us on the vendor side have become accustomed to intense growth and a flood of venture capital. Is it all over now?
Well, of course not! Cybersecurity is essentially a requirement for anyone doing business digitally, and that is still growing. The global ecommerce market is expected to grow by 8.9% to $6.3 trillion this year. Seventy percent of all US digital media time is spent in mobile apps. And ongoing conflicts in Europe and Israel have drawn attention to the security of our digital infrastructure. In President Biden's request for a $105 billion security aid package, "cybersecurity" is explicitly mentioned in requests for $631 million in funds.
For the three years I spent at Auth0, I saw what it was like to be on a rocket ship in the late 2010s economy. Growth over everything was the goal. And every year, we would get together on the beach in Mexico and announce another insane funding round to much fanfare. VCs were clamoring over each other to invest. And it worked out for them. Auth0 sold for $6.5 billion.
But that isn't where we are anymore. The firehose of cash has been turned off. "Growth at all costs" has become "Growth at low-to-medium costs" as companies are forced to acknowledge that profitability is also important. Now that interest rates are at a 22-year high and capital isn't so cheap or easy to come by, we have to start thinking about our costs. This puts pressure on cybersecurity vendors to monetize, which is driving a host of cost-cutting measures, and customers, who are looking for efficiencies to make their largely stagnant budgets go further.
On average, enterprise security teams have to manage 76 discrete cybersecurity tools. Remember how I said customers are looking for efficiencies? Well, there are a boatload of inefficiencies right here. It is inefficient from a technological standpoint. Can you imagine managing 76 different management portals and implementations? It is also inefficient from a business standpoint. Let's assume those 76 different tools are on three-year contracts. That means customers are dealing with a little over 2 contract renewals every month. Of course, some portion of those tools will likely be bundled in enterprise agreements, but the point still stands: an insane amount of our customers' effort is spent on managing and paying for tooling.
In a survey last year, Gartner found that 75% of organizations are looking to consolidate security vendors, up from 29% in 2020. You can also see this trend in the types of security products that are emerging. Product categories like security service edge (SSE) and extended detection and response (XDR) are created explicitly to combine related technologies into a single practice. Gartner is championing both of them, and the market is responding well. It's no coincidence that I am working on an SSE product now :)
Consolidation isn't just happening in the security industry. It's happening in everything from the creator economy to ad tech to wealth management. This is simply what happens after a valuation boom when funding becomes more expensive. Companies that focused on growth now need to prove that they have actually gained traction and can monetize that traction. If they can't, they need to sell and become a differentiator for some other product that does turn a profit, massively cut costs, or go out of business. Of the three, the first option is the most attractive to shareholders.
More startup founders are having trouble finding funding. Valuations are slowing down. Customers want consolidated tooling. This should be driving a massive increase in acquisitions, right? Unfortunately, there are other factors at play that are slowing down M&A activity.
Interest rate increases: While the Fed is expected to hold interest rates steady in its announcement today, rates are still at a 22-year high and the Fed is keeping potential future hikes on the table. This makes borrowing too expensive for many deals that might otherwise proceed.
Inflation: Inflation increased 0.4% to 3.7% in September 2023, which is a far cry from the height of 9.1% in June 2022 but still off significantly from the 2% target. High inflation over the past 12 months has slowed down M&A activity.
Bank failures: The collapse of Silicon Valley Bank, Signature Bank, First Republic, and Credit Suisse has made banks more risk averse and may bring increased scrutiny from regulators. Silicon Valley Bank in particular carried $34 billion in loans to borrowers who used the money to buy or carry their own securities. In other words, Silicon Valley Bank was an indirect source of funding for many tech companies.
Recession fears: Consumer confidence in the economy slipped further this month, despite many economists' belief that recession risks have declined substantially.
Despite these risks, we are starting to see some signs of life in cybersecurity M&A. At the top of the list is Cisco's acquisition of Splunk for $28 billion in cash. Cisco has been going big in security for many years now, but this deal is the largest in its history. It's four times the size of its second largest acquisition - Cerent in 1999. Its last security acquisition that topped $1 billion was when it bought Duo Security for $2.3 billion in 2018, which, incidentally, was big enough that it convinced me to go work for an identity and access management company for the next 3 years.
We're seeing other acquisitions in the SSE space -- Check Point acquiring Perimeter 81 and HPE buying Axis Security. There are also a few cloud security acquisitions, and identity remains popular as that market continues to consolidate. Check out this article for a summary of all the cybersecurity acquisitions in 2023.
It's dumb to make predictions and I shouldn't do it. But there are a few lessons to take home. Cybersecurity startups need to prove they have traction, and then they need to prove they can either monetize it or that they can be someone else's competitive differentiator. There is very little room for undifferentiated products anymore, and the market is going to continue to tighten around products that do not provide enough value to justify managing yet another contract and management portal.
The good news is there is money in the customer's wallet if you do provide that value. But as more companies develop a security consolidation plan, expect to receive some hard questions about why they should continue using your product instead of the next security super-app like SSE and XDR.