Some firms are already seeing significant deals in this area. Cylance, the predictive threat intelligence company which uses AI to predict, identify and stop malware, secured a $100 million series D investment in June, while UK-based Darktrace, which relies on machine learning, continues to source new investment from backers including Autonomy.
Last year there were mega rounds for threat intelligence outfit CrowdStrike ($100 million series C), Illumio ($100 million Series C) and endpoint specialists Tanium ($117.5 million Series G). Cloud security provider Skyhigh Networks, identity management specialists Centrify and cloud experts Ionic Security also received significant funding.
Analysts say there has also been investment in IoT, endpoint security, cloud, authentication and deception technology.
“IoT security and cloud security are both significant opportunity areas,” adds Van Someren. ”Behavioural security, including gamification of good practice such as email hygiene, is also important.”
Van Someren’s last point is interesting because it alludes to the age-old problem of the human becoming the weakest link. Enterprises have tried (and largely failed) to address this in-house, but now start-ups see this as an opportunity to grab market share.
Neill Gernon, founder of innovation agency Atrovate and organizer of London’s Cyber Startup Summit, tells CSO that recent conversations at his summit between enterprise, academia, investors and start-ups have been on fixing the human factor. And, pointing to the success of Paladin-backed social engineering company PhishMe, he said that start-ups are starting to take note.
“Companies have identified that people are the weakest link, but that also reflects on the innovation ecosystem and start-ups. We’ve seen start-ups starting to prioritize the area of people as the main vulnerability.”
Too much choice, legislation and VC inexperience hinder investment
There may be plenty of security companies and start-ups for investors to look at, but some VCs and analysts believe that this can make investing harder. Finding that ‘diamond in the rough’ is not without difficulty, and there’s the debate too (perhaps for another time) if security products are interoperable enough.
“Cybersecurity is a highly fragmented market and so many companies make niche products. The problem is that they don’t talk to one another,” said Cunningham. “A corporate CISO is forced to stitch together a number of different products. That’s inefficient. Increasingly, large enterprises want to buy platforms that can do more than one thing and also work with other products.
Menlo Security’s managing director Venky Ganesan added in the interview with Third Certainty that VC inexperience is also to blame.
“There are a ton of folks who are now starting to invest in cybersecurity who don’t have prior experience. This has resulted in a “Game of Clones” when it comes to each security sector. “This is not sustainable because we now have eight to 10 companies in each space and CISOs are experiencing PowerPoint fatigue.”
Gold believes that VCs are, as a result, stepping back.
“If I was a VC I would be very careful before investing in any security company. New technology companies can be very unproven and siloed. They have 10 seat case studies, but they need 10,000. They can’t become the next RSA or Symantec because that doesn’t happen overnight.”
CBI’s Altman also highlights the challenges of skills shortage (“VCs may have trouble funding early-stage companies composed of qualified veteran teams”), longer time to achieve ROI and finding companies that are different and offering comprehensive solutions.
Start-ups prosper with right support
Gernon believes there is more awareness of cybersecurity start-ups, accelerator programs and the infrastructure needed to support them.
“It’s healthy to see at lower level there is now structured mechanisms to put in place to enable more innovation in cybersecurity, like [cybersecurity accelerator] Mach 37 in the United States, and in the UK likes of CyLon, the accelerator. That can only be a good thing.”
He also suggests that more start-ups could come from universities, where some (including Dublin’s Trinity College) are pushing for cyber to play a more prominent role in computer science courses.
Gold though warned: “It’s a very mixed bag which is why at the RSA show, there are hundreds of companies, and if you go back two years later, there are hundreds more.”
“It’s a very difficult market to prove yourself in,” he said of start-ups, saying security chiefs would naturally be skeptical if their software is going to work.
“You can’t play around with it like a new smartphone. Small guys find it’s hard to scale and to differentiate messaging in a crowded marketplace.”
The future’s bright for cyber-security market
CBI’s Altman suggests that some of the top VCs in cybersecurity are on pace to participate in fewer deals with not much less money invested compared to 2015.
“There will be a persistent need for better solutions as high-profile attacks continue. Start-ups will still be the go-to-players for innovative tech in the space but they will be more scrutinized by investors for their effectiveness.
“There will be less reliance on companies that build walls and block the bad guys from entering a network or system. Instead, attitudes will shift to account for the idea that everyone is hackable and likely already penetrated. So, valuable companies will be those that can leverage big data on threat intelligence, plus AI, and machine learning to help predict attacks, before they occur. Also, recent advancements in the field of quantum encryption mean that the few start-ups already operating in that field could also turn out to be highly valuable for securing sensitive communications.”
“In terms of investment -- VCs are going to be interested in emerging market segments like cybersecurity for IoT/ IIoT, and looking for differentiated tech as well as more unified platforms.”