This post on security investment trends comes from Alberto Yépez, managing director of venture capital firm Trident Capital Cybersecurity.

Cybersecurity is an incredibly important investment arena for venture capitalists.

There are two things to note: Experts estimate cyberattacks result in a $100 billion annual loss in the U.S. economy. And while cybersecurity spending is growing, it remains a small fraction of overall IT spending. The resulting supply/demand imbalance creates huge investment potential. 

The venture community didn’t always look at things this way.

As recently as 2010, the mindset of most investors was that cybersecurity did not justify significant venture capital. Headlines about cyberattacks were relatively scarce then and those that surfaced attracted minimal attention. Cybersecurity startups had a tough time raising more than $50 million, a small sum given the hefty R&D required. Regulation lagged the level of threats, enabling companies to defer cyberinvestments.

Perhaps most significant, five years ago IT had not fully embraced the cloud, the industrial Internet, and mobility. Companies were deemed safe so long as they had simplistic, old school solutions such as firewalls and antivirus software. 

Fast forward to today, where hundreds of major companies have been attacked, including Sony, Home Depot and Target. Computer systems have no boundaries and share vast amounts of data in increasingly disparate and vulnerable networks. On the investment front, U.S.-based venture-backed companies providing cybersecurity technology or services raised $1.77 billion in 2014, topping the previous high of $1.62 billion in dot com boom year 2000, according to Dow Jones VentureSource. Since 2010, $7.3 billion has been invested in 1,208 cyberstartups, according to CB Insights. 

Public companies have also been attracting lots of dollars. Among the 10 largest public offerings of U.S.-based, venture-backed cybersecurity companies, the oldest of which was 2009 and most of which occurred in 2012 or later, seven have fared handsomely. Two of them–Palo Alto Networks and Proofpoint–have more than quadrupled in value.

It’s really a brave new world today in cybersecurity. 

What types of cyberstartups–companies that can go public and also flourish–do I like? They focus on one of these six categories:

• Behavioral Data Analytics: Applications that utilize complex behavioral models and data analytics that detect anomalous activity at the entity level in a network.
• Secure payments and fraud. Commercial fraud is a staggering cybersecurity challenge. Poor cybersecurity defenses have allowed criminal organizations to acquire intellectual property, stolen goods and personally identifiable information–such as credit card numbers, addresses and Social Security numbers – for sale on the black market. As it stands today, most payment processors, issuers, networks and retailers are unable to prevent fraudulent activities. Nobody knows better than they do that this must change.
• Securing the Internet of Things (IoT): The first wave of IoT devices has reached the market – from smart cars to Wi-Fi-enabled light bulbs – with few security features, creating substantial opportunity to fix security vulnerabilities.
• IT infrastructure protection: Gartner predicts 30 percent of enterprise protection products will be purchased this year as part of a suite because it is increasingly burdensome to implement standalone security solutions. Many other aspects of the network will need similar all-encompassing solutions.  
• Next generation identity platforms: Current identity platforms primarily focus on the user and his digital persona to manage access to applications, resources and data. The IoT has introduced new concepts for identity management because every device interacting with users has an identity, and users and devices can have complex relationships. These look similar to existing rule definitions and structured data-exchange descriptions in user identity management, asset management and mobile device management. Identity solutions will bifurcate, with identity management covering both relationships and access.
• Threat Intelligence: This includes both insider threat and external threat monitoring using analytics and various modeling techniques and behavioral models.

The upshot of all  this? Cybersecurity is still in its very formative stages and remains very challenging. In some ways, building a cyberdeterrent is more complicated than developing the capacity to retaliate against a nuclear strike. Given societal needs, however, there is no question it will realize its enormous growth potential.