cyber-insights-2023:-venture-capital

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

SecurityWeek Cyber Insights 2023 | Venture Capital – We are in a period of huge turmoil. Cybercrime is increasing and becoming more destructive, driven by better organized criminals and geopolitically active nation states. And many commentators believe there is a strong likelihood of a global recession before the end of 2023.

Here we have one simple question: how will these political/economic conditions affect venture funding for cybersecurity firms during 2023?

Background

The bad news in any economic downturn is that business suffers, profits dip, staff are laid off, and budgets are cut. The better news for cybersecurity vendors is that they are somewhat insulated from these effects. Cybercrime is more likely to increase than decrease during a recession, and business must retain a strong cybersecurity posture if they wish to survive. The demand for strong and proven security controls will continue.

At the same time, the availability of capital for investment in new and growing cybersecurity firms remains constant and high, and is largely unaffected by short term economic downturns. This available capital is known in the venture capital industry as ‘dry powder’ (capital that is available and ready for use).

None of this means that all cybersecurity vendors will survive the downturn, nor that all will remain profitable. At the very least, profits are likely to dip as business is forced to do more with less resources. Dry powder isn’t money to burn, and the venture capital industry will adapt its priorities for new and further investment to the current realities.

One area that will stand proud despite economic headwinds is the cloud. “Cloud software is the deflationary force enabling productivity in a high inflation environment. Cloud-native is not an option, it’s a necessity,” wrote Battery Ventures in its State of the OpenCloud 2022 report published in November 2022.

Dry powder

Dry powder is raised from the VC industries’ limited partners (LPs). These might be pension funds, endowments, family offices, sovereign wealth funds, and corporations. “Most funds operate on a ten-year lifecycle, with funds typically being deployed over the first four or five years of a fund’s life,” explains Sidra Ahmed, investment principal at Munich Re Ventures – explaining the continued availability of investment funds despite current economic conditions.

According to Pitchbook data, there was approximately $290 billion of cumulative dry powder committed to venture capital as of the first half of 2022. It is these funds that are called on when venture capitalists invest in companies. It must be said, of course, that VC’s dry powder isn’t committed solely to cybersecurity firms although cybersecurity remains a favored investment area.

Different VC organizations tend to specialize in different areas. For example, “YL Ventures raised its $400 million fifth fund at the beginning of 2022, dedicated exclusively to investing in Israeli cybersecurity startups,” explains Yoav Leitersdorf, managing partner at YL Ventures. “This fund has been used to invest in only a small number of companies to date, all of which are still in stealth, in line with our very disciplined strategy of investing strategically in a select number of exceptional startups.”

VC organizations try to use all the funds they get from their LPs – but not at any cost. They still need to demonstrate value to the LPs. Bad investments will lead to difficulties in raising new funds, while not using the funds raised is like a business unit not using its whole annual budget – it might lead to a lower budget next year.

The difficulty for cybersecurity firms in raising investment funds in 2023 will not be because the funds don’t exist, but because the VC firms will be taking more concern over where the funds are invested.

Effect of an economic downturn

“The pace of investing is certainly going to change,” comments Ahmed. “With more uncertainty around budgets and sales cycles, investors will spend more time assessing deals that are able to withstand a time of austerity – companies with critical productions and solutions will be prioritized. There will be a lot more scrutiny of deals, valuations, and co-investors. Investors will also be focused on supporting their own portfolios.”

Jake Heller, Partner & Head of Tech Growth, Americas at KKR

Jake Heller, partner at KKR and head of tech growth equity Americas, believes the impact is unlikely to be felt evenly. “We have already seen the pullback in public markets affecting fundraising for some growth and early-stage companies,” he said. “In general, we expect the tightening of funding conditions to continue into 2023; however, we believe that capital will continue to be available to entrepreneurs and management teams who are able to effectively manage costs and allocate capital to growth opportunities with high potential for returns.”

Translated to the market, this all implies that startups don’t necessarily have sales targets that they can miss and can possibly ride out a recession before they need to show sustained profits; mid-growth companies seeking growth funding are likely to suffer with lower-than-expected profits and be less attractive to VCs; while established firms preparing for an IPO will likely need to survive the recession before proceeding. 

“Market conditions had a dramatic impact on 2022 funding rounds, and we aren’t out of the woods yet,” says Leitersdorf. “The fallout is trickling from the top down. IPOs dropped this year from thousands to just over 100, the lowest number since 2016. There was a near stall in growth stages and a significant slowdown in Series C and D rounds, a steep decline in Series B rounds and a struggle to raise significant Series A rounds.”

In short, money is still available for attractive startups (seed and possibly A rounds), will require deeper consideration for growth equity (B, C and D rounds), and is much more difficult for pre-IPO companies (E rounds and above). In the last case, venture firms are looking closely at M&As to consolidate and strengthen their existing investments – but in all cases (apart from startups) venture firms will concentrate on further investments in their existing portfolios. 

Outlook for startups

Leitersdorf remains upbeat on the prospects for investment in cybersecurity startups in 2023. “In today’s threat landscape, cybersecurity risks have become business risks. Organizations cannot afford to be lenient with threats to their assets, and executives now understand that security has a direct impact on their company’s reputation, business continuity and revenue,” he explains. 

“Therefore, security will continue to be top-of-mind, as long as attacks continue to grow and evolve, demanding new and equally sophisticated security solutions. We see that investors are still eager to invest in the most promising startups in our industry with the greatest potential to lead their categories in the future. Capital will continue to flow to this necessary sector, as new and more challenging problem spaces continue to emerge.”

DataTribe, which describes itself as a cyber startup foundry (both an incubator and VC firm), is more circumspect. Funding will be harder, but potentially higher. John Funge, MD, explains, “Looking ahead, 2023 will be a slog for startups raising money. It will take longer for startups to complete next rounds as venture firms are both focusing more attention on their current portfolio as well as being more selective in new investments.”

He believes there will be fewer deals. “There will be a ‘flight to quality’ and the bar for attracting funding will be higher. Top startups that are hitting performance metrics will get funded at valuations not too far off historical. However, startups with a few words that previously would have gotten funded may find it hard to get funded at all — versus getting funded on less attractive terms.”

But he adds, “Historically, some of the most successful technology companies started during downturns. We don’t see it being any different this time around. It will be a tricky period to be a pre-IPO company, but likely an excellent time to be starting a new venture.”

Outlook for growth funding

Growth funding will become more difficult in 2023, and potentially more necessary. “We’ve already seen growth rounds plummeting in 2022, and this trend will most likely continue into 2023,” explains Leitersdorf. “Capital is available, but it will become increasingly expensive, and investors will prefer to use it in order to fuel innovative, early-stage startups that will require less capital at lower valuations.” 

A particular problem for growth companies is in part historical. “The valuations of many growth-stage startups were significantly inflated in 2021 and were not based on sustainable growth metrics, revenue, or performance,” he continued. “Many of these growth-stage startups will be forced to raise funding in 2023 after scaling rapidly and burning through their capital in 2022. We, therefore, foresee an increase in growth rounds next year, most probably with unfavorable terms for founders, employees, and existing investors.”

But, adds Ahmed. “There is still a lot of capital available. Investors will be holding companies to their performance so we might see more down rounds into 2023.”

Bob Ackerman
Bob Ackerman, founder of AllegisCyber

Bob Ackerman, founder of AllegisCyber and member of the board at DataTribe, agrees with this sentiment. “Undifferentiated and sub-critical mass cyber companies without truly compelling solutions are likely to be challenged as they go to the VC community for capital,” he said. “Investors will be materially more discriminating in the deployment of capital.”

Outlook for M&A consolidation

M&A activity has increased rapidly over the last few years. This trend will continue, driven by a number of different factors: desire among security users to consolidate their existing disparate security controls; a rush to the nearest exit point among startups; declining valuations making attractive targets; and a safe haven for further VC investments.

“The cybersecurity market is approaching bloated status,” comments Hank Thomas, CEO at Strategic Cyber Ventures. “There are too many vendors chasing the same dollars with similar technology. People in charge of purchasing decisions, often CISOs, are looking for more integrated security platforms and less point solution tools. PE firms and other later-stage investors are looking to bring in bigger players to serve as anchors for rollups and bolt on acquisitions.”

Will Lin, Venture Partner at Forgepoint Capital

Will Lin, venture partner at Forgepoint Capital, agrees. “I believe that we’ll see security M&A significantly pick up in 2023. The main reason being that so many security companies have been created in the past couple of years. When so many of these companies, full of amazing talent, come up to the crossroads of M&A or raising their next round, I believe the market dynamics will re-shuffle in a way where M&A will be considered the best next step.”

Security vendors are seeking to support their users by consolidating point products from different vendors into integrated solutions from single vendors. “The rapid expansion of new security products has led to many organizations purchasing the ‘latest and greatest’ without having a strong integration plan in place,” explains Dave Gerry, CEO at Bugcrowd. “Without a clear deployment and integration plan, even the best security product will go underutilized. For the past few years, the industry has seen an incredible amount of M&A consolidation.”

This process will continue through 2023. “Security organizations are looking internally for ways to leverage existing tool sets or upgrade existing tool sets versus adding to their ever-growing technology stack,” he continued. “This growing need for security vendor consolidation will continue to be driven by both the cost of the security products and the limited internal resources to effectively operate the products.”

Ackerman agrees with this sentiment. “Investors will be materially more discriminating in the deployment of capital with a significant pick up in M&A activity as the market looks to consolidate point products into broader security platforms,” he suggests.

The second driver for M&A activity comes from the transition from early stage to growth requirements. Early stage is still attractive to investors — growth stage is more difficult. As startups burn through their early financing, they will find it more difficult to secure further growth funding — and may find an early exit an attractive option, bumping into the consolidation driver. 

This process may be actively promoted by the VC industry. “A new wave of innovation is needed in the security industry. Things have become stale,” explains Thomas. “VC investment will still drive innovation since larger companies often lose the ability to innovate, especially in security. As a result, we will see large entities acquiring VC backed companies earlier as established PE backed platform companies make tuck in and bolt-on acquisitions to remain relevant.”

Leitersdorf expands on this possibility. “Large security vendors such as Microsoft, SentinelOne, Akamai, CrowdStrike, IBM, CyberArk and Okta are strengthening their corporate development divisions and doubling down on in-house investment funds (CVCs), looking for strong talent and tech,” he said. “These venture arms of large security vendors will most likely become increasingly active in both investments and M&A deals in the coming years and make the option of acquisition more attractive for struggling startups.”

One effect of a downturn in the economy is that company valuations are lowered. This is already happening, and is likely to get worse in 2023. On December 14, 2022, the Federal Reserve raised interest rates by half a point — and US stock markets fell. The intention was to put a curb on high inflation rates, but it simultaneously increases the likelihood of a recession in 2023.

If this happens, company valuations will go lower. This in turn will make companies with good products but reduced valuations an attractive target for larger companies with money — and of course VC firms. VC firms will likely be driven to use their dry powder on their own existing portfolios rather than look for different companies in which to invest.

The current market conditions look set to promote increasing M&A activity through 2023. “The current state of the global economy will also encourage hyperscalers to move toward an M&A cyber strategy,” summarizes Simon Chassar, CRO at Claroty. “Furthermore, start-ups will struggle as we see less investment from PE or VCs, therefore creating an opportunity for some of the larger cash-strong security control companies to gain market share at a relatively low price.” 

What VCs look for…

2023 will be a year when the VC firms have money to invest, but the economic conditions will force them to be careful where they invest it. Cybersecurity will remain an attractive sector, but the security vendors will need to work harder to get new funding. Two questions come to mind: which security sectors are most attractive to the investors, and how do they choose a specific vendor?

Favored cybersecurity sectors

Heller believes that continuing digital transformation will provide new opportunities. “We believe that digital transformation, which has been accelerated by the global pandemic, will continue to create significant opportunities and challenges across industries and geographies,” he said. “These broader trends span new methods of collaboration, workforce transformation, cloud migration, automation and testing, supply-chain disruption, and digital adoption.”

Sidra says her firm is focusing on data and the threats it faces. “With rapid cloud adoption, companies are struggling to understand where their data sits and how to put sufficient security and controls around it.” Furthermore, she adds, “The penalties regarding sensitive data being breached are increasing at an exponential rate globally, making it even more of a priority for companies to be sufficiently protected.”

And there are new and still evolving threats to data. “As more companies adopt machine learning and analytical models to make data-driven decisions,” she continued, “there is now a need to protect data (and the models we build on the data) from being compromised. There are also questions around the validity of data and how to discern true data and information from coordinated disinformation campaigns and narratives.”

Leitersdorf adds identity to data as an area attractive to investors. “Malicious cyber actors have focused their most egregious attacks on two specific vectors in the past two years – data and identity,” he says. Attackers have leveraged the gaps, misconfigurations and problems surrounding credentials, identity, and access provisions to steal data. This will continue.

“Therefore,” he continued, “we have been focusing our attention on innovative security solutions that strive to tackle these problems and ensure that organizational security postures are strengthened accordingly.”

Favored companies

While different VCs may be attracted to different cybersecurity sectors, they must still choose which individual companies to support. “A large part of the decision is based on the management team and our perception of its ability to execute on the vision effectively, and evolve that vision over time,” said Ahmed. “Other criteria include tech differentiation, product vision, competition, size of market and TAM [total addressable market], and path to exit.”

Leitersdorf takes an almost identical stance. “The technology must be remarkable, deep, and innovative – that’s a given. However, even the most groundbreaking idea and cutting-edge tech won’t develop into a top-tier startup without an exceptional team,” he explained. 

“We invest in strong teams that combine determination, talent, and an unrelenting passion for solving the most acute problem spaces in cybersecurity. The cybersecurity market is saturated with startups solving niche problems, and we’re looking for founders that stand out, go big and break the mold.”

The same goes for Heller. “Once we have found a sector we like, we generally look for companies that are market leaders or have a real competitive advantage. Cultural fit and alignment is also very important to us and in many cases, we have built relationships with the entrepreneurs and management teams we’re investing in over multiple years.”

The basic conclusion is that prospective vendors won’t get consideration without an excellent product in an expanding or vital sector. But where two attractive companies exist, the one with the stronger management team is more likely to succeed.

Summary

Acquiring venture capital in 2023 may be more difficult than it has been in recent years, but it remains viable and available. “In 2023, cyber will be softer but will remain a bright spot for investing,” explains Funge. “Compared to the nearly 24% year-on-year decline in deal activity across all verticals, cyber deal activity across all investment stages is down only 3%.”

What will change most is the decision-making process of the VC firms. They will still wish to invest, and probably at the same overall levels they have been investing. But fears of bad investments in a down economy will make them concentrate on areas that give them the greatest confidence. This may mean more money going to fewer companies. While B, C and D rounds might be left with difficult, declined, or down rounds. seed and startup A rounds might reach new heights. Any money left over will be focused into M&A.

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

Related: North Korean Hackers Created 70 Fake Bank, Venture Capital Firm Domains

Related: What’s Going on With Cybersecurity VC Investments?

Related: How VCs Choose Which Startups to Fund in Challenging Times

Related: YL Ventures Closes $400 Million Cybersecurity Investment Fund

The post Cyber Insights 2023: Venture Capital appeared first on SecurityWeek.

Recommended Posts