This article was co-authored by TFX Industry Advisory Board members Randy Caldejon, Peter Phillips and Mike Privette.
Last year saw a massive total of $21.8 billion in venture capital invested in cybersecurity startup companies globally, according to Crunchbase. In addition, the fourth quarter of 2021 set a new record with an all-time high of $7.8 billion invested into an array of security providers, surpassing the previous record of $5.3 billion, which was just set in the second quarter of 2021. While this industry growth was accelerated by the increase in ransomware attacks and other threats during the pandemic, it had already been on an upward trajectory in the years before.
Along with this potential for growth, the threat landscape will continue to become increasingly challenging and complex, specifically with the impact of the Internet of Things (IoT) and the proliferation of connected devices to enterprise networks. Migrating data from one location to another could have even more risk associated with it, with both the private sector and government organizations having the potential to experience vulnerabilities.
To truly succeed and make an impact in an industry poised for rapid innovation and growth, startups must understand the needs of their customers to offer products that alleviate concern and do not add unnecessary complication. They must go beyond utilizing buzz words, such as “Quantum-powered” and “Artificial Intelligence,” and clearly articulate their technical advancements. Moreover, companies must prioritize attracting the right talent to address the industry’s already significant talent shortage.
Continue reading for our thoughts and opinions on where we see the industry moving, assessment of innovation gaps, how startups can orient to solve these needs, and where key investments will be for the venture capital industry.
Cybersecurity and Cloud Investments
Of the unprecedented amount of venture capital poured into cybersecurity companies during the last year, cloud computing was a key player in driving investments. According to a Research and Markets report, the global cloud security market was estimated at $34.8 billion in 2021 and is expected to reach $67.6 billion by 2026, growing at a CAGR of 14.2%. Although the mass shift to remote work during Covid-19 accelerated the transition to cloud network infrastructures, the overall trend of enterprises migrating to the cloud had already been initiated before and will continue to do so. Newer companies will predictably choose to store data entirely in the cloud from inception to realize cost, speed and scale benefits. We have also seen that larger legacy firms are also following suit for similar reasons, but are at various stages of maturity in the transformation. 
One result of the rapid transition to cloud infrastructures has been less organized and complicated ecosystems for enterprises to manage. While companies had deliberately planned cloud migrations prior to the pandemic, the rushed transition during 2020 and 2021 has produced a mixture of multi-cloud and on-premise/cloud hybrid systems. For traditional in-house security teams that are long-used to managing on-premise assets with on-premise tools, there is a forced shift of mindset underway as they come to understand that the cloud migration journey is an eventuality, and many are behind on the transition.
As cyber threat landscapes continuously evolve and new attack surfaces are exploited, next generation cloud security is primed for continued innovation and growth. We are just beginning to see this disruptive innovation in cloud security.
Opportunities Ahead for Cybersecurity Startups
The vast majority of products and services on the market today are clearly cloud-first, and vendors are much farther ahead in their acceptance and understanding of managing security in the cloud than many of their legacy enterprise customers. This will present an opportunity for startups to strategically orient to address needs for these customers with this cloud-first mentality from the beginning.
“The startups with the most success will be the ones that are able to simplify and expedite the on-premise to cloud transformation, while increasing the customer’s degree of comfort and adoption with this fundamental shift,” said Peter Phillips, an Industry Advisory Board member at TFX Capital.
There will continue to be a need for expertise in the basics, such as configuration and vulnerability management in a cloud environment, as this could help ease the fears of security teams concerned about managing their security on someone else’s network.
Cybersecurity Talent Development
In an industry that is already suffering from talent shortages globally, the available candidates are increasingly becoming difficult to gauge and assess when it comes to credentials and skillsets. This is due in part to the abundance of AWS certifications that dominate market share. When assessing potential employees, companies might have a tendency to select candidates to interview based on resumes containing a checklist of certain AWS certifications, only to find out later in the recruiting process that many candidates cannot perform certain tasks or answer critical security questions in interviews, only regurgitate AWS service offerings.
Legacy security teams in particular must adjust, and there is an immediate need for tools and talent to accelerate the transition in a way that convinces customers that cyber risk will be effectively mitigated.
The (ISC)² Cybersecurity Workforce Study is conducted annually to assess the size of the current cybersecurity workforce as well as the existing talent shortage. The 2021 study found that despite an influx of professionals into the cybersecurity workforce, global demand for professionals in the industry continues to outpace supply. It also examined trends of development within the existing workforce. The top five anticipated areas of investment in professional development highlight a blend of technical skills, such as artificial intelligence/machine learning (AI/ML) and threat intelligence, along with a mix of complementary skills including risk analysis, security governance and compliance.
During the annual TFX Showcase last fall, we had the opportunity to work with several innovative startups, including Haystack Solutions. With their suite of services, Haystack is working to address the talent shortage pain point in the industry throughout the enterprise landscape by building a cybersecurity aptitude assessment to help better identify prospective cyber talent. They recognize the great need to build our country’s cyber defense systems as efficiently as possible to remain a step ahead of today’s attackers, and because of this, talent analysis and development remain at their core. 
In addition to focusing on the need for an increased quantity of professionals in the industry, high level talent and continued development of this workforce is just as important. Companies will need to invest in the development of their employees whether it be increasing training offerings to existing employees, encouraging employees to build on their skill levels and responsibilities, or using third parties to fill manpower gaps.
Artificial Intelligence and Machine Learning (AI/ML)
When examining the trends around security operations centers (SOCs), hurdles remain the same. The overwhelming quantity of alerts and false positives, and the burden this places on a human analyst, continues to be a major issue. The drive to apply AI/ML technologies to these challenges is a clear trend in the marketplace, and an obvious need for customers. In this area of focus especially, startups must be able to offer solutions that simplify processes for a CSO and their team.
The AI/ML concepts in the latest security offerings are compelling for all customers, whether it be a large or small enterprise or a third party provider. Any cyber product or service that increases true detection rate, decreases response time, and reduces human interaction through AI/ML is commercially viable.
“The problem for startups will be proving their product actually delivers,” said Brandon Shelton, Managing Partner at TFX Capital. “Differentiation is critical, especially when every vendor pitch claims their product can deliver on similar needs.”
One key to differentiation for a startup pitching a large enterprise is to directly address what is being replaced in the stack. Another critical differentiation point is a pricing model that is tailored to customer desires. Whether by the number of terabytes or gigabytes of data, number of databases, or an annual enterprise license, it is critical that a model aligns to client preferences and not be in conflict with those preferences from the start.
Any new software solution must not only be effective but must also replace the bevy of tools likely already in the security technology stack, which will in turn make SOCs easier to manage. CISOs and SOC analysts can experience tool fatigue in addition to being overwhelmed with alerts, so a solution that streamlines the tech stack and integrates seamlessly in addition to performing will be of high interest for enterprise customers. Furthermore, SOC and NOC resources are extremely valuable as well as often overworked. Startups that can offer AI/ML products enabling more automation in threat investigations and allow SOC and NOC resources to focus on the most relevant threats will prove valuable in grabbing the attention of CISOs. Lastly, being able to demonstrate that a new product can also save a customer money is a differentiator given the constant battle fought by CTOs and CFOs to manage ballooning cybersecurity spending. To fully succeed in this marketplace, you must know your customer first.
Quantum Computing
Although quantum computing is still thought to be about a decade away from being truly viable, it is expected to make the ubiquitous RSA encryption algorithm obsolete. The most promising area of potential applicability may be in chemical engineering and pharmaceuticals. The promise of quantum’s capabilities has seemingly arrived years earlier than the actual hardware and software, but there is no denying that it is beginning to surface in the marketing of cyber products and services.
Within cybersecurity, quantum seeks to tackle the same problems as AI/ML, though at exponential speed and scale. Also similar to the goals of AI/ML, the fundamental question remains regarding what will be replaced in an enterprise’s stack. Large companies in particular tend to only want to pay for products that provide top notch solutions, track risks or stop threats better. If the advent of quantum products means large enterprises do not need SSL decryption anymore, that would lead to significant change. Removing the need for SSL decryption at scale could be a powerful selling point, and large corporations would buy a technology with such capability.
However, if a startup is to pitch a quantum offering as an add-on to existing offerings, for example Nextgen firewalls, that already contain intrusion detection and web application firewall features, it will not be able to differentiate itself to enterprise clients seeking to decrease, not increase, the current inventory of controls.
The Future Ahead
We believe the ‘winners’ in the years ahead in the cybersecurity industry will be those that streamline their offerings and reduce the need for add-on security products and not layering on new technologies to further complicate the stack without articulating in a meaningful way its benefits. Simplifying and alleviating costs for customers will be a key metric to gauge success and differentiate from competition.
There will continue to be competition to recruit high level cybersecurity professionals as there is more demand than there is top qualified talent. Companies that can attract, maintain, and develop the right cyber talent will be critical as the talent gap further impacts the industry. If the right products can be leveraged to ease the burden on companies and their resources, this can in turn help alleviate the cybersecurity talent gaps and shortages.
