- Neventa Capital
Latest Insights on Cyber-Security
Cybersecurity refers to the measures taken to keep electronic information private and safe from damage or theft. It is also used to make sure these devices and data are not misused. Cybersecurity applies to both software and hardware, as well as information on the Internet, and can be used to protect everything from personal information to complex government systems (FRANKENFIELD, 2020).
Businesses are moving toward an era where individuals, enterprises, and governments collect, process, and store unprecedented amounts of data. The technology revolution also creates various new endpoints in this infrastructure – applications and software applied in different industries for various processes and tasks, big data, cloud, smartphones, and servers. This innovation in technology infrastructure improves efficiency and reduces costs, but at the same time, it makes business, government, and personal privacy far more vulnerable than before. For enterprises, the annual global cost of cybercrime is expected to exceed $6 trillion by 2021, according to Cybersecurity Ventures (Coats, 2019). US technology company Garmin has become the latest victim of a cyberattack that resulted in a shutdown of its services and thus loss of sales. The company was hit by a ransomware attack and was asked to pay $10m ransom to free its systems from cyberattacks. The accident could have been prevented if Garmin’s security system could predict and report potential risk based on advanced analytics from historical data. For the government, industry experts estimate that the U.S. government faced costs of over $13.7 billion in 2018 as a result of cyberattacks. In 2019, government IT expenditure amounted to $88 billion, and by 2021, this figure is expected to surpass $92 billion (Clement, 2020).
The increase in investments in the cybersecurity vertical leads to more public attention, and the government intervenes by imposing new regulations or security standards. On 27 June 2019, the European Cybersecurity Act entered into force, setting the new mandate of The European Network and Information Security Agency (ENISA), the EU Agency for Cybersecurity, and establishing the European cybersecurity certification framework. To achieve this goal, Europe has granted a permanent mandate to the EU Agency for Cybersecurity (Commission, 2019).
The cybersecurity vertical, as one of the most promising verticals, was valued at $121.3 billion in 2019 and will grow to $160.0 billion by 2023 at a 7.2% CAGR in a coronavirus-induced recession scenario. Some segments may face decreased spending in 2020, though other segments are likely to maintain growth, including network security, endpoint security, and data security (Burke, 2020).
Investments in this space keep active despite COVID-19. In the first half of 2020, we have seen over $3.7b invested across 486 deals. Looking at Figures 1 & 2 below, we can see that over the past years there’s a trend forming of higher deal values but fewer deals on the whole. Among these deals, the United States is leading this sector by 280 deals, followed by the United Kingdom (53 deals), Israel (35 deals), China (28 deals), Germany (13 deals), Canada (12 deals), Australia (9 deals), Ireland (9 deals), Spain (9 deals), and others. The top three investors in this space are Accel, Insight Partners, and Palo Alto Networks.
From figure 3 & 4, we can see that following the investment wave from 2017 to 2019, there is also an exit trend starting from 2018, with the deals counts and deal value. In the first two quarters of 2020, there is a higher deal value but fewer deals with exit activities, although not all deal sizes were disclosed. This trend is especially shown in deals in the US and Europe.
Some of the biggest companies (and unicorns) in this space are Tanium ($9 billion valuation), Netskope ($2.8b valuation), OneTrust ($2.7b valuation), Auth0 ($1.9b valuation), and Sumo Logic ($1.2b valuation), and Snyk ($1b valuation).
We have identified 6 spaces within the space of Cyber-Security which we explore more in detail below:
Network security is the practice of preventing and protecting against unauthorized intrusion into corporate networks. It focuses on how those devices interact, and on the connective tissue between them (Fruhlinger, 2018). Components of network infrastructure that can be vulnerable to attack include servers, on-premise, and remote wireless networks, cloud environments, firewalls, routers, and switches. The network security market was valued at $5.2 billion in 2019 and will grow at a 12.8% CAGR to an $8.4 billion market by 2023, after accounting for the impact of COVID-19 (Burke, 2020). We expect this space to gain extra growth because of COVID-19. First, remote work largely increased the amount and frequency of network access and thus drives the importance of network security. Second, a new surface for attackers to target is created by the developing could infrastructure, to which enterprises are switching their resources from VPN for higher speed in large-scale. Some key start-ups to watch in this space are Netskope ($2.8b valuation), Illumio ($1.7b valuation), DarkTrace ($1.6b valuation), Vectra ($420m valuation), and Zerofox ($280m valuation). The below tables show the recent notable mega- and emerging deals. In this space, we see most deals happened, with a big range of deal value from Netspkope’s $340m Series G to Lacework’s $42m Series C.
Figure 5. Notable mega-deals
Figure 6. Notable emerging-deals
Application security includes technologies and services that address the vulnerabilities of software programs. Common vulnerabilities include data requests within applications, injection of malicious scripts into existing code, and contamination of log file entries and HTTP headers (Burke, 2020). The application security market size is valued at $4 billion in 2020 and will grow to $6.2 billion by 2023 at a 15.7% CAGR after accounting for the impact of COVID-19 (Burke, 2020).
This space is expected to grow together with the increase of both the amount and the types of applications – from internally used to external apps used on customers’ mobiles. Similar to network security, the rapid increase of cloud workload triggered new protection solutions, although the market size of which is limited now. Some start-ups to watch in this space are Snyk ($1b valuation), Contrast Security ($480m valuation), PerimeterX ($197m valuation), and vArmour ($74m valuation). The below tables show the recent notable mega- and emerging deals. There is a relatively lower amount of deals in this space. The biggest deal in this space is StackPath’s $216m Series B, with other deals ranging from $30m to $150m.
Figure 7. Notable mega-deals
Figure 8. Notable emerging-deals
Data Security is a process of protecting files, databases, and accounts on a network by adopting a set of controls, applications, and techniques that identify the relative importance of different datasets, their sensitivity, regulatory compliance requirements and then applying appropriate protections to secure those resources (BUCKBEE, 2020). As big data becomes the core analytics tool for business, there is a growing need for data security solutions to prevent security risks such as leaks, breaches, and theft which have dire consequences for organizations and individuals. Some subsegments in data security space include database monitoring & loss prevention, data protection & encryption, and data privacy & compliance. We expect this space to keep a stable growth trend, more independent of the COVID-19 impact, because of the consistent needs of organizations on database monitoring. The data security market was valued at $3.3 million in 2019 and will reach $4.4 billion in 2023, representing a 7.5% CAGR (Burke, 2020). Some start-ups to watch in this space are OneTrust ($2.7b valuation), Acronis ($1b valuation), Ionic ($700m valuation), and Privitar ($435m valuation). The below tables show the recent notable mega- and emerging deals. The deals in this space enjoy medium deal value ranging from $50m to $150m.
Figure 9. Notable mega-deals
Figure 10. Notable emerging-deals
Identity & Access Management:
Identity and access management (IAM) is a framework of business processes, policies, and technologies that facilitates the management of electronic or digital identities. With an IAM framework in place, information technology managers can control user access to critical information within their organizations (Rouse, 2020). One subsegment in this space is Identity governance & administration (IGA) which manages access to information and applications such as single sign-on, password management, and access certification. Another subsegment is fraud prevention that detects and blocks fraudulent access requests. We expect this space to keep growing because enterprises need fraud prevention solutions for remote workforces, increasing e-commerce transactions, and SaaS applications stored with sensitive data. This space is forecasted to reach $25.8 billion by 2023, representing a 10.2% CAGR (Burke, 2020). Some start-ups to watch include Auth0 ($1.9b valuation), Pindrop ($900m valuation), SigNifyd ($485m valuation), and DataVisor ($390m valuation). The below tables show the recent notable mega- and emerging deals. Lots of deals happened in this space. The biggest deal here is 1Password’s $200m Series A, with other deals ranging from $50m to $170m.
Figure 11. Notable mega-deals
Figure 12. Notable emerging-deals
Endpoint security is the process of securing the various endpoints on a network, often defined as end-user devices such as mobile devices, laptops, desktop PCs, and servers. Endpoint security addresses the risks presented by devices connecting to an enterprise network (Lord, 2018). Subsegments in this space include endpoint protection platforms (EPP), endpoint detection & response platforms (EDR), email security, and mobile device management. This space is perceived as with great potential because the volume of phishing and malware attacks increase as hackers adopt automation technology. According to Absolute’s 2019 Endpoint Security Trends Report which studied 6 million enterprise devices, agents, and apps, 42% of all endpoints are unprotected at any given time, and 2% of endpoint agents fail per week (Columbus, 2019). We value the endpoint security market at the end of 2020 to $10.4 billion, and to reach $16.9 billion in 2023 at a 17.6% CAGR (Burke, 2020). Some start-ups to watch in this space are Tanium ($9b valuation), Lookout ($1.6b valuation), SentinelOne ($1.1b valuation), Cybereason ($1b valuation), and Venafi ($600m valuation). The below tables show the recent notable mega- and emerging deals. The biggest deal happened in this period raising $200m, with other deals ranging from $50m to $150m.
Figure 13. Notable mega-deals
Figure 14. Notable emerging-deals
Security Operations Center:
A security operations center (SOC) seeks to prevent cybersecurity threats and detect and respond to any incident on the computers, servers, and networks it oversees. SOC can monitor all systems on an ongoing basis, as employees work in shifts, rotating and logging activity around the clock (Carfagno, 2018). SOC’s can be broken down into tasks including establishing awareness of assets, proactive monitoring, managing logs and responses, ranking alerts, adjusting defenses, and checking compliance. SOC’s are becoming more and more critical for organizations to protect their data privacy and avoid losing money from loss of data breaches. Here are some data breaches cases and their consequences in history: Yahoo holds the record for the largest data breach of all time with 3 billion compromised accounts in 2013. Facebook had 540 million user records exposed on the Amazon cloud server in 2019. eBay was hacked, accessing 145 million records in 2014 (SOBERS, 2020). Security operations were already the largest space at $78.9 billion in 2019 and are expected to reach an $100.9 billion market by 2023 with a 6.3% CAGR (Burke, 2020). Some start-ups to watch in this space are Sumo Logic ($1.2b valuation), Coalition ($900m valuation), Exabeam ($820m valuation), BitSight ($725m valuation), BlueVoyant ($430m valuation), and Arctic Wolf ($285m valuation). The below tables show the recent notable mega- and emerging deals. Compared with other subsegments, the average deal size in this space is smaller and around $60m, which concentrates on Series C & D.
Figure 15. Notable mega-deals
Figure 16. Notable emerging-deals
In summary, the cybersecurity vertical is gaining more and more attention in the technology sector. Innovation such as cloud technology and the Internet of Things are fundamentally changing the way how enterprises, organizations, and individuals behave. The huge potential of the cybersecurity vertical demonstrated by diverse needs for security solutions coming from increasing volumes and various types of applications and endpoints, the explosion of big data, and the automation of business. We believe cybersecurity, as a monitor & protection solution, will penetrate into every industry and sector. Besides, the remote workplace and e-commerce due to the COVID-19 pandemic are catalyzing investment and development in this space in the long term. For investors, it is very important to understand this segment in detail in order to pick the right targets for the investment portfolio and hence gain a considerable return.
BUCKBEE, M. (2020, 3 29). Data Security: Definition, Explanation and Guide. Retrieved from Varonis: https://www.varonis.com/blog/data-security/
Burke, B. (2020). Information Security. Pitchbook.
Carfagno, D. (2018, 10 27). What Is a Security Operations Center, and Why Is It Important? Retrieved from CyberShark: https://www.blackstratus.com/what-is-a-security-operations-center-and-why-is-it-important/
Clement, J. (2020, 7 22). U.S. government and cyber crime - Statistics & Facts. Retrieved from Statista: https://www.statista.com/topics/3387/us-government-and-cyber-crime/
Coats, K. (2019, 8 16). The Cyber Threats Every Company Should Know About. Retrieved from Forbes: https://www.forbes.com/sites/forbestechcouncil/2019/08/16/the-cyber-threats-every-company-should-know-about/#96097b810c21
Columbus, L. (2019, 10 27). Improving Endpoint Security Needs To Be A Top Goal In 2020. Retrieved from Forbes: https://www.forbes.com/sites/louiscolumbus/2019/10/27/improving-endpoint-security-needs-to-be-a-top-goal-in-2020/#3246de0e5608
Commission, E. (2019, 6 26). The EU Cybersecurity Act brings a strong agency for cybersecurity and EU-wide rules on cybersecurity certification. Retrieved from European Commission: https://ec.europa.eu/digital-single-market/en/news/eu-cybersecurity-act-brings-strong-agency-cybersecurity-and-eu-wide-rules-cybersecurity
Communications, N. C. (N/A). Retrieved from https://www.navsea.navy.mil/Media/Images/igphoto/2001963531/
FRANKENFIELD, J. (2020, 5 11). Cybersecurity. Retrieved from Investopedia: https://www.investopedia.com/terms/c/cybersecurity.asp
Fruhlinger, J. (2018, 7 3). What is network security? Definition, methods, jobs & salaries. Retrieved from CSO: https://www.csoonline.com/article/3285651/what-is-network-security-definition-methods-jobs-and-salaries.html
Lord, N. (2018, 10 21). What is Endpoint Security? Data Protection 101. Retrieved from Digital Guardian: https://digitalguardian.com/blog/what-endpoint-security-data-protection-101
Pixel, M. (N/A). Retrieved from https://www.maxpixel.net/Cyber-Space-Hacking-Hacker-Cyber-Security-Hack-1944688
Rouse, M. (2020, 7). What is identity and access management? Guide to IAM. Retrieved from TechTarget: https://searchsecurity.techtarget.com/definition/identity-access-management-IAM-system
SOBERS, R. (2020, 3 29). 107 Must-Know Data Breach Statistics for 2020. Retrieved from Varonis: https://www.varonis.com/blog/data-breach-statistics/
Tola, K. (2019, 9 25). What Is Cybersecurity? Retrieved from Forbes: https://www.forbes.com/sites/forbestechcouncil/2019/09/25/what-is-cybersecurity/#7fbf6c4e3b63
Verizon. (2019). 2019 Data Breach Investigations Report. Verizon.
Webroot. (n.d.). Understanding Endpoints and Endpoint Security. Retrieved from Webroot: https://www.webroot.com/us/en/resources/glossary/what-is-endpoint-security