As per GDPR, the penalties in case of a data breach can be up to €20 million or 4% of the company’s global annual turnover (of the previous financial year), whichever is higher. A data breach could lead to several below the surface losses for an enterprise in addition to the evident ones. This might make us think that data breaches (& other cyberattacks) are not all that common! But on the contrary, a simple Google search would throw up tens of pages of recent news and breach announcements. And the scariest thing is that these are just a (small) part of the incidents which were identified and reported. According to a recent IBM study, an average data breach cost a total of $3.92M with a cost per lost record of up to $150. The data breach of 2017 cost at least $575M to Equifax!!
- The full report can be found here. PowerPoint
We can’t reemphasize the business impact a cyber attack can have and the magnitude of impact that a missing layer (solution) from the security blanket can cause.
We at Blume therefore decided to develop some level of understanding of the vast cybersecurity universe and make some sense of the solutions available in this complex threat environment. In the process, we developed a detailed report that helped us understand topics ranging all the way from a typical firewall to Quantum Random Number Generators and QKD! (seemingly basic concepts to experts but Greek to us just a month back).
The first challenge that we faced was how to categorize the hundreds of solutions that exist in the market while ensuring that the classification framework works with the new categories that are emerging and expected to see adoption shortly. The traditional approach is that of the security perimeter and castle-and-moat concept of cybersecurity. But we took a different approach as the network perimeter itself is dissolving as we speak!
We’ve divided the entire universe of cybersecurity into three broad buckets namely:
Security Culture and Governance
More and more endpoints exist outside the enterprise perimeter and sensitive data & applications are being accessed remotely on unmanaged devices. NIST’s IPDRR that talks about the five core functions of cybersecurity are comprehensive in a way but this isn’t intuitive to folks like us who start with zero domain experience. The majority of current cybersecurity market share is that of Security Services like VAPT, etc.
From the Indian ecosystem POV close to 30-40% of the startups are service focussed, driven by the labour arbitrage in the IT/ITES market.
If in a particular solution category, the tech is changing rapidly i.e. a shorter half-life of technology, it might outpace the capacity of a company to innovate. In that case, there might be a lot of new players emerging in the respective domain. A lot of niche players emerge and dominate such a category. Now the beautiful thing about cybersecurity is that the whole market of ~$300 bn has over 100+ such categories each with a multi-billion dollar market potential – tens of unicorns!!
The focus initially was around securing the core infrastructure and digital assets and hence the different solutions in the protection stack were gaining vital traction. Slowly as the cyber exploits became more frequent and common, the solutions categories to cope with them and fight any attempt of exploit grew. But strengthening the weakest links of any enterprise security infrastructure – employees / humans – has been a persistent challenge for organizations. They all aim to build human firewalls via training and user education. Additionally, with the stringent policies and more compliance to meet, Governance and Risk Compliance solutions and services became important too.
We realized that each of these waves of evolution was enabled by few tech megatrends and it is imperative to envision how the emerging technologies of today can shape the security needs and solutions for the next wave of evolution.
Some of the opportunities that we could map out include:
DL/ML based Endpoint/Insider Protection
Microservices and API Protection/ Security
Unified Security delivered via Cloud (SASE etc.)
Connected Devices Security
Machine to Machine Communication Security
Access Risk Intelligence
Non-Human Attack Prevention
Blockchain-based Digital IAM
Security Culture and Governance
Employee Awareness: Human Firewall Solutions
Advanced Cyber Range Solutions
Automated Compliance Management Tools
With our analysis and multiple conversations with the industry experts, some of the themes became evident to us. Cloud delivered security, Zero Trust, Protection for the Microservices, and APIs to name a few. One more theme in the evolution of cybersecurity we found interesting was the unbundling of security solutions and services and the re-bundling that is happening now. Network UTMs, Endpoint UTMs, and Enterprise Security Suites started appearing in the late 1990s which were bundled solutions to cater to the security demands of an enterprise or their digital assets. Over the years the complexity of threats was increasing rapidly and vulnerabilities were rising in the applications and enterprise infrastructure. This led to the need for advanced security solutions that can provide specialized security against certain types of threats/vulnerabilities. Payment security solutions, WAF, etc are the individual security products that enterprises deploy on top of the existing security blanket. There was clear unbundling happening in the cybersecurity space.
Talking about and fitting in the Quantum Cybersecurity here won’t do justice to the huge shift that has already started happening around the world. India is also playing its role in this with multiple companies and research labs that are building Quantum Random Number Generators and attempting to solve existing challenges and make Quantum Key Distribution more accessible to enterprises. In our report, we have covered the threat that the upswing of Quantum Computing poses to modern cybersecurity and the challenges for post-Quantum Cybersecurity very briefly.
In the end, we would also like to highlight a rather interesting angle to cybersecurity. Israel is the leading source of innovation in the cybersecurity space (among many other deep tech spaces). Several multi-billion dollar cybersecurity companies have been constantly emerging out of Israel. We performed a comparative analysis of funding trends in technology companies across the US, India, and Israel. As much as 12.8% of total tech investments in Israel have been in cybersecurity companies. This stands at 5.1% and 1.3% for the US and India markets respectively. Another signal! We were curious as to why almost everything great in cybersecurity links back to Tel Aviv and Israel and threw this question to multiple Israel based founders that we spoke with. All resonated with what Dan Senor mentions in his famous 2009 book titled ‘Start-up Nation’ where he says “in this country [Israel], there’s an unwritten social contract: we are going to serve in this army provided the government and the army are responsible towards us….”. The innovation that has been coming out of Israel in Cybersecurity links back to the Military and Mossad! While knowing this fact doesn’t change a lot of things for Blume as a VC firm but definitely gives us certain confidence that we were able to trace back the source of innovation and novelty at least partially while we weren’t actively scouting for it.