Momentum Cyber's look at the state of the sector.

In extraordinary times, large needs don't immediately equate to great demand, but demand can be expected to follow. Momentum Cyber late last week released its Cybersecurity Market Review for the first half of 2020. It tells what Momentum described to us as a "tale of two quarters," with considerable growth in the first quarter but pandemic-driven retrenchment in the second. 

The second quarter of 2020 saw a tremendous increase in organizations' attack surfaces, and that growth has sensitized businesses to security needs they might have previously overlooked or deferred. In any case, it represents considerable latent demand for cybersecurity services and solutions that should provide large opportunities for companies in the sector as their customers emerge from their present fiscal caution. Potential buyers are wary of dillutive acquisitions, and venture capitalists are spending more time with their distressed portfolio companies.

The first half of the year set records in cybersecurity mergers and acquisitions, with four billion-plus deals, but that’s due to the first quarter. The impact of COVID-19 in the second quarter saw M&A drop to a four-year low. Momentum sees the fall-off in the second quarter as representing a near-term as opposed to a secular trend, and their analysts have already discerned an increase in M&A activity during the current third quarter, and they look forward to a strong close of the year by the end of the fourth quarter. 

A look at financing activity shows $4.7 billion in capital raised during the first half of 2020, which represents a 2.3% year-over-year decrease in deal volume across 200 transactions. $3 billion was raised across twenty-seven raises of more than $50 million. And 82% of the first half's financing volume came from later stages, Series B and above.

Pent-up demand for cybersecurity during the pandemic?

If one were looking for a historical parallel, perhaps the early Twentieth Century provides one: the Roaring Twenties followed the Spanish Flu Pandemic of 1918-1919.

“The shift to a remote workforce has increased the attack surface and created a shift in priorities resulting in organizations adopting new policies and security solutions to address new threats,” Momentum explained to us. They’ve seen signs of areas where the sector can expect growth. “Through our channel checks and industry surveys (e.g., YL Ventures CISO Insights Q2 20) we’ve seen an increase in buying activity throughout the pandemic across a number of sectors including multi-factor authentication/IDaaS, virtual desktop security, endpoint security, digital risk management, Managed Security Services, and SASE.”  

The shift to remote work has increased attack surfaces, and, while investment in cybersecurity hasn't dried up, it's lagged. So in the short term at least a big challenge (a vastly expanded attack surface) hasn't translated to big results (significantly increased sales of cybersecurity products, solutions, and services). This seems a natural lag, as potential customers exercise fiscal caution. 

Similarly, there's been a shift in corporate priorities during the pandemic, and that represents opportunity. We asked Momentum if innovation simply needed time to catch up. “While innovation does need to catch-up in certain areas more broadly,” they said, “many of these sectors’ leaders have been driving innovation and the pandemic was the tipping point that has accelerated their growth.”

Notes on, and from, publicly traded cybersecurity companies.

Momentum found that cybersecurity stocks increased 5.4% during the first half of 2020. That slightly underperformed the NASDAQ's 10.6%, but outperformed the S&P 500, which declined by 4.8%. COVID-19 induced an initial drop during the second quarter, but Momentum already sees signs of a bounce back. A look at earning calls from the first half provides some insight into what some leading publicly traded companies are telling investors.

• Cloudflare thinks the stress the pandemic has placed on systems is driving work to improve platform efficiency and increase network speeds. This in turn has led organizations to move toward more cost-effective unified platforms. The pandemic has also exposed the weaknesses of on-premise network hardware solutions.
• Crowdstrike finds that the increased incidence of ransomware has moved small and medium businesses to look for security solutions with flexible pricing models that will enable them to quickly and affordably augment their security staff during high-volume attacks. And Crowdstrike thinks that future offerings will have to be able to show their ability to protect customers at home, in the office, and in the cloud.
• Okta agrees that unified approaches to security are attractive, especially given the friction a large number of legacy systems have introduced into the remote work environment. The company sees integration partnerships as giving enterprises a way of combining endpoint risk detection with user identity solutions.
• Palo Alto Networks thinks too many information security and DevOps organizations rush into the cloud without working out how to do securely. This will drive spending on cloud security, especially on technologies that can secure multi-cloud and hybrid-cloud environments. And remote work will reshape the nature of the WAN.
• Qualys, like the others, believes that organizations will have to cope with remote work by "rethinking" their security and business continuity plans. This will have strong implications for their supply chains. Companies will seek simultaneous cost reductions and increases in business flexibility.
• Zscaler believes adaptation is all as the pandemic accelerates digital transformation. Those who resisted this change are for the most part resisting no longer. The world has lost its perimeters, and zero trust is imperative. And, like its peers, Zscaler sees customers becoming more cost-conscious, looking for "best-of-breed platforms rather than best-of-breed point products."

What cybersecurity companies are investors buying?

The report touches on some interesting trends in acquisitions and investment. Companies who are acquiring have been buying identity and access management firms, whereas investors, while also interested in identity and access management, are putting their money on risk and compliance and on data security. There seems to be little interest in mobile security. 

Momentum explained how they see this investment landscape:

“Enterprise demand for IAM solutions has remained strong, fueling M&A in the sector which has consistently fallen in the top five most active M&A sectors over the last few years. IAM is one of the more mature industries in Cybersecurity with many legacy vendors looking to upgrade their platforms with next-gen technologies to better address the secular shifts across cloud/digital transformation and a more distributed [or] remote workforce. Authentication, IDaaS, PAM and Consumer Identity have been the most active subsectors within IAM. 

“Significant tailwinds driving increased investment in Compliance and Data Security as companies continue to evaluate and adopt a range of technologies to protect sensitive data, meet compliance and continue to mature their practices for data security and privacy. GDPR, CCPA and local regulatory requirements are key drivers as many companies are struggling to address these requirements. 

“Lack of visibility, siloed view of risk, supply chain [and] third-party risk, lack of risk prioritization, and increasing risk-based discussions at the board-level driving demand for integrated risk-based management and vulnerability management solutions. We’ve seen investment activity across a number of subsectors addressing risk including security awareness and training, pen testing & breach simulation, Cyber insurance, enterprise risk scoring and ratings, and broader risk-based vulnerability management.

Why isn’t mobile among the attractive subsectors? It doesn’t appear to represent a distinctive threat vector. “Despite the proliferation of mobile and connected devices,” Momentum told us, “we have not seen mobile emerge as a significant threat vector and a result have seen limited M&A and investment activity in the sector.”

Internet-of-things security comes to prominence. 

A remote workforce has also brought the security, reliability, and availability of the Internet-of-things (IoT). The IoT has obvious applications for on-site safety, and organizations have noticed that. Momentum explained: “Organizations are leveraging the IoT stack and toolsets to ensure safety. For example, IoT tracking and vision-based solutions are being utilized to enforce physical distancing requirements and monitor body temperatures; built-in connectivity and software connections inside industrial control software enable remote access, monitoring and control; digital team boards are being leveraged to coordinate jobs, measure production levels and improve performance gaps across shifts.” Momentum is in substantial agreement with McKinsey on this trend.

Not so much work-life balance, but work-life integration: home and enterprise merge in telework. 

Remote work is driving a convergence of the consumer and business cybersecurity markets.

“The ‘Home’ has become the ‘New Enterprise’ with the vast majority of the remote workforce accessing corporate networks from less secure home networks and consumer routers and from personal (BYOD) devices rather than company-issued devices. In addition, social media have become a central point for users spreading disinformation and a channel for ransomware and credential theft. Phishing campaigns to both personal and work emails have increased exponentially and broad adoption of digital communication and collaboration channels outside of the network perimeter have significantly increased risk exposure. As a result, we’re seeing the increasing adoption of consumer security solutions to offer incremental security including MFA, password managers, enhanced security on home routers, encryption and MDM on mobile devices as well as broader adoption of consumer identity and digital risk management platforms

Winning trends, or opportunities for disruption, in cybersecurity.

The report sees movement toward zero-trust, cloud-based network security, and SASE (secure access service edge). Zero trust will place a premium on identity and context-based access for both users and applications. Enterprises will increasingly turn to microsegmentation and granular perimeter enforcement to reduce their attack surface. Cloud-based network security and SASE are natural accompaniments to cloud migration and remote work.

A final note. If you haven't seen Momentum's CYBERscape, a perspicuous view of what companies play in which subsectors of the cybersecurity market, take a look. It's a good place to get a commanding view of the cybersecurity space and its players.