I’ve been working in or investing in security for nearly three decades. Over the years, I’ve developed a mental model to evaluate the potential opportunity for a given market approach.
Generally, large changes in security markets are driven by one of three things: 1) changes to the underlying infrastructure, 2) changes to the threat environment, and 3) changes in regulation.
1. Infrastructure changes have the potential to drive entirely new (and potentially large) categories in security. An example would be the advent of client-server computing, which followed the wide adoption of PCs and created a market for Network Security. Interestingly, the prior market incumbents, in this case Anti-Virus/Endpoint Security companies, are almost never the winners in these new markets (though not for lack of trying -- both McAfee and Symantec tried for years to co-opt the Network Security markets, but ultimately failed). This makes companies that are tackling new infrastructure problems attractive investments, though it’s important to note that security markets tend to trail adoption of the primary infrastructure market, sometimes by years. Patience is important.
Today, there are several new categories in security being driven by changes in infrastructure. IoT Security and Cloud Native Security have both evolved based on changes in underlying compute architectures that occurred over the last ten years. There are already some scaled companies in these spaces but both categories still represent interesting later stage opportunities.
Two areas that will likely develop into new security categories are Machine Learning Security and Web3 Application Security. Machine learning applications have exploded in the past few years, but few solutions exist for securing the data and systems that implement machine learning. To be fair, there haven’t yet been widespread, widely public attacks on ML, but it seems inevitable that this is coming. The Smart Contracts on which Web3 Applications are built are still maturing, but it’s clear from the seemingly weekly major security events that a new category is likely to rise from this.
2. Changes in the threat model tend to drive faster changes in security markets, though they are less likely to create new categories. What often happens is that the security community warns about a new threat for years, but market adoption is slow because people think “it won’t happen to me” or they are simply overwhelmed by the number of attack-specific solutions already in the market and only have so much time to dedicate to any given threat. Then a fast-moving, active threat comes along and everyone needs to respond.
A current example of this is ransomware. It’s been around for years but has dramatically ticked up in occurrence since the beginning of the pandemic. Cyber insurance rates have shot up and the most vulnerable companies, those without the resources to have dedicated security teams, are feeling the crunch the most. Cyber insurance providers have a big opportunity to engage with their customers to reduce losses, and products that simplify / consolidate security for smaller enterprises can also contribute meaningfully to solving ransomware threats.
Sometimes infrastructure and threat environment changes are linked to one another. When this happens, it can significantly accelerate the development of a security category. An example would be that the advent of personal computing coincided with a new threat (viruses), creating a new market in security (originally called Anti-Virus, but now called Endpoint Security). As an investor, I look for situations where this might happen and I think both the ML Security and Web3 Application Security markets have this potential. I’ll acknowledge a bit of personal weltschmerz about this point though…those widespread attacks are likely to cause a lot of pain.
3. The third driver of new security categories is regulation. In many ways this resembles a threat model change in that some outside force compels organizations to implement new security controls. Market changes due to regulation tend to happen slowly, likely because people don’t like to be told what to do, so organizations do the minimum required by regulation or wait until they face a potential enforcement situation before acting. That said, Sarbanes-Oxley, HIPAA and PCI DSS all drove significant security markets. The most relevant regulatory driver today is privacy, which includes HIPAA but also the European Union’s General Data Protection Regulation (GDPR) and similar regulation in other parts of the world. These regulations are driving large, data-driven enterprises to retool the way they handle customer data and customer consent around data usage, which is a relatively slow process, but a huge opportunity for software providers that can identify, label, and manage the privacy-oriented controls in complex environments. There’s also an interesting impact on Web3. Because of how Web3 is architected, control and consent over data can be given to users, which essentially obviates much of GDPR as consent becomes inherent. This isn’t exactly a security company use case, but it’s one that represents a potentially very big opportunity.
Last, while I’ve been doing this a while, if I’ve learned anything it’s that security market dynamics do change. The next big market might not follow the above framework at all. If you’re working on something in one of the areas above, or on something else that I’m not thinking about the right way, I’d love to hear from you to compare notes.