During a May interview, veteran cyber executive Dave DeWalt threw some big numbers my way.
The past year brought $20 billion in M&A, he said. There was $1.3 billion in IPO money raised, and $10.7 billion invested capital. During the first quarter of 2021 alone, cyber companies accounted for $18.9 billion in investments.
DeWalt saw this as encouraging—the latest and perhaps most pronounced example of what he called a “supercycle,” characterized by a “threat epiphany,” followed by an influx of customer spending and ultimately an investment spike. I generally agree that if there is any silver lining of the pandemic, the ransomware surge, the SolarWinds hack, the Microsoft Exchange vulnerabilities—really, the list goes on—it is this spike that we’re seeing in cyber investment.
But is all cyber investment created equal?
We have seen this before. In the past decade, we saw Russian cyberattacks cripple Eastern Europe, high-profile hacks of Sony and others bring commercial enterprises to their knees, and disinformation create chaos in elections. These, too, were reality checks that spurred major cybersecurity investments. And to DeWalt’s point, those investments contributed to some success stories. Roughly 200 cybersecurity startups landed venture funding in 2017 alone, according to a Cybersecurity Ventures M&A Report, with Tenable, Tanium, and Duo Security among those to receive significant infusions of cash.
But what else came out of those incidents? For one, we saw some of the biggest defense companies hop in, wrongly figuring that commercial cybersecurity aligned nicely with military system development. Boeing, General Dynamics, Northrop Grumman, and Lockheed all bought commercial cybersecurity companies or tried to stand up commercial cyber enterprises themselves, only to shed them within a few years when they realized that, no, a commercial business doesn’t fold too neatly into a government one. We also saw a plethora of cyber companies bought up by consulting firms or bigger tech companies, often for absurd valuations, only to be rolled into larger divisions. Founding teams of the startups would move on, and technology that showed so much promise withered within a corporate giant. Not always, mind you, but often enough.
Returning to now: venture dollars are flowing to startups at furious speeds. New tech businesses are emerging from stealth, securing millions in initial seed money, and more established startups are raising millions more to fund expansion. We’re also seeing private equity moving in on the market in a big way, shelling out billions for cyber giants like Forescout, Proofpoint, and Forcepoint (the latter bought from Raytheon—the last defense company to hold out hope for its commercial cyber play to bear fruit).
Crises beget demand, which begets a terrific business opportunity.
I don’t question that investment in innovation is essential. And certainly, the past year proved that the market has some work to do to keep up with an increasingly sophisticated threat landscape. But any surge in investments does bring the risk that innovation might be stifled as well. What was lost, for example, amid the company buy-ups from defense and consulting giants? Was the trajectory of some of those commercial companies slowed? Did tech development that held great promise stall entirely? What might the typical restructuring that comes with private equity ownership mean for companies getting bought up today, particularly their R&D efforts? Even venture investment, which at the core is all about innovation, brings expectations for some pretty fast returns and has a high failure rate. Are we confident the investments happening now are strategically tied to gaps in the market or do (some) investors maybe just want in? And where might we run the risk of oversaturation?Again, I do agree with DeWalt that the flow of cash into cybersecurity is a good thing. And investment always brings an element of risk. But like any gold rush scenario, we should also brace for some failures and hope that amid this rapid flow of dollars, the most promising technologies remain standing.