Cybersecurity investments surge in 2021 as VCs go all in
Venture capital firms have flooded the cybersecurity market this year with investment dollars for young startups and established vendors alike. What's behind this surge?
Venture capitalists are investing heavily in cybersecurity as low series rounds receive record-setting funding, and analysts say the trend will only continue.
From tripling valuations to large amounts of seed money, investments have been pouring into cybersecurity this year. While investor interest has been growing steadily over the years, the number of deals, on top of the large financial sums, made in 2021 so far is significant. Many factors contributed to the uptick, including impacts from the pandemic and a slew of devastating attacks, such as the SolarWinds and Kaseya breaches, that highlighted the growing need to prioritize security.
Earlier this month, Boston-based endpoint security vendor Cybereason secured $275 million in Series F funding led by Liberty Strategic Capital to expand into extended detection and response (XDR). In January, cloud and DevOps security startup Lacework pulled in $525 million in Series D funding. And last month, Israel-based passwordless authentication vendor Transmit Security raised what it referred to as "record-breaking funding" with $543 million. According to a blog post by Transmit Security, "the investment comes in as the highest ever series A round of funding in cybersecurity history."
Another industry high was achieved this year when SentinelOne Inc. raised $1.2 billion in one of cybersecurity's largest IPOs to date. Last year, the endpoint security vendor received a total of $467 million in Series E and F funding.
VCs make up for lost time
Cynthia Brumfield, an infosec analyst and writer at DCT Associates, has been tracking venture capitalist infosec spending since 2018, including average deal sizes and the number of deals. According to her research, spending in the first two quarters of 2021 soared to $9.3 billion -- more than last year's total. Investing had slowed down quite a bit in 2020, she said, to one of the lowest quarter levels in Q1 but leapt off in Q3, and from that point on it continued to increase.
According to her research, venture spending in infosec for the entire year of 2020 barely reached $7 billion. A Crunchbase cybersecurity venture funding report showed global investments in 2020 reached $7.8 billion, setting a year record for cybersecurity investing. According to the Crunchbase report, 2021 is on pace to smash that record, which it appears is already happening in the first two quarters.
Part of the reason, Brumfield said, is that the pandemic was initially a disincentive for venture capitalists to invest in cybersecurity. "I think number one, the investor hesitancy has subsided overall in the market and number two, it became clear that cybersecurity was a hot sector that was likely to have a good return and money began really pouring in to the level we saw during Q1 and Q2," she said. "It doesn't look like it's slowing down to me at all."
According to Hank Thomas, CEO at venture capital firm Strategic Cyber Ventures, the investment ecosystem is flush with cash right now. He argued the pandemic and cybersecurity are the hottest topics in the world. Similarly, Brumfield theorized that a lot of cybersecurity executives who have a ton of money on their hands are putting it back into the sector.
Jai Das, president and co-founder of venture capital firm Sapphire Ventures, said there are a few trends converging now that are driving the demand for cybersecurity companies. That includes a push to remote work which has stuck post-pandemic.
"As software and technology permeates every corner of our work and home life, it increases the avenues in which hackers can attack us, so the need for cybersecurity products and investments in them will only keep increasing. That's why we're seeing so much opportunity in cybersecurity," Das said in an email to SearchSecurity.
Now, investors are anticipating which market segments require attention. Following the pandemic, Das said companies are using more SaaS applications, as well as more applications being deployed in public clouds.
"As a result, the need for cloud security and zero trust network access (ZTNA) solutions have skyrocketed," Das said. "It has also become apparent that there are a lot of security vulnerabilities because of the way that programmers are writing code. So, solutions that check for security while the software code is still being written, and also integrates well with the continuous integration/continuous delivery (CI/CD) pipeline (the new way of writing, building and deploying software) are also at the top of investor's minds."
Cloud security is a market segment Brumfield also found to be popular during her research. While her analysis is not yet complete, she said cloud security will probably be one of the top markets into which investors are putting their money. Additionally, she said industrial control security (ICS) security has received more VC funding this year than in the past.
Brumfield said user authentication is also a hot market, but cautioned that zero trust could become an overused buzz term. "Do some of these companies, when they announced their deals, sort of throw in the phrase zero trust?" she said. "They probably do, but it's not how they ultimately identify what their focus area is."
Jon Oltsik, senior principal analyst at Enterprise Strategy Group, a division of TechTarget, said the pandemic has had an indirect impact on VC investments because it accelerated the use of cloud computing, forced employees to work from home and exacerbated the risk around remote access. "A $100 million round isn't unusual now. It used to be unheard of."
Bigger adversaries, bigger investments
The pandemic wasn't the only unexpected calamity to shake up cybersecurity investments. Just as 2021 has seen record-setting investments, it also saw record-setting attacks. Critical infrastructures like the U.S. Colonial Pipeline were impacted and another supply chain attack occurred, this time against Kaseya. Das said the Kaseya ransomware attacks happened in a very similar way to the SolarWinds hacks, so those trying to defend against such threats are always looking to buy new tools and products to help do their jobs better.
"Cybersecurity never goes out of fashion from an investor's perspective," Das said.
Cybersecurity technology and companies are two things venture investors are scrambling to get exposure to, said Thomas. "They know that cybersecurity is like the war on crime -- it will never be completely solved if we continue to use the internet as currently configured, only mitigated," Thomas said.
Because the cybercrime market itself is growing, Wam Voster, senior director analyst at Gartner, said the stakes are rising. "There's a lot of money to be made."
How high can they go?
While average deal sizes, according to Brumfield's research, have not increased this year (a record high was set in Q3 of 2019) the number of deals peaked in Q2 of 2021. Oltisk said that VC investment has been growing in years, but the only aspect that's really changed is the volume.
"The size of the rounds have changed. VCs are looking for category-changing companies like CrowdStrike, Zscaler, Niara (acquired by VMware), etc. Since everything is in play and if there's potential to sell platforms rather than products, they believe payoffs can be much bigger than in the past," Oltsik said in an email to SearchSecurity.
Other deals included significant investments in cybersecurity startups, which Sapphire Ventures is seeing raise upwards of $300 million in funding rounds.
Because many are just out of the startup phase, a VC can bring enormous amounts of money in to further develop the product and extend the mark, which Voster said is good for both them and the industry. But there is also a drawback.
"They need to give up some decision rights as to what their product and company can say and do in order to secure a venture capitalist, which means that the product is heading for more mainstream since there's more money to be made," Voster said.
And it's not just young startups that are benefiting from the financing tsunami. Shaun Gordon, founder and managing partner at AGI Partners LLC and CEO at incident response vendor BreachQuest, said he has seen generalist investors express thematic interest in cybersecurity opportunities across the various stages of the fundraising lifecycle, from early venture stage to late venture stage, and inclusive of private equity, hedge funds and the public markets.
"Unsurprisingly, this investor demand is pervasive and transcends venture capital," Gordon said.
According to Das, most hedge funds and public market investors are investing in late-stage private companies. And the rising tide may be the new normal.
"The companies can tap these traditional IPO buyers for pre-IPO rounds without having to go through an IPO," Das said. "We don't see these large financings for private cybersecurity companies abating anytime soon."