As an associate at Battery Ventures in 1999, one of my first VC mentors told me that he would only fund companies that were creating a new category and that could be valued at $1 billion or more, a fairly radical idea in 1999. He went on to say (only somewhat tongue in cheek) that if the company was in an existing category, I should make up a new category before I pitched him on the investment or else it would never be worth $1Bn+.
Twenty years later, this notion of funding the “category creator” is old news in venture, simply by looking at what Tesla (mkt cap of $185B) did for electric cars, what Stripe (est. valuation of $36B) did for payments, and Qualtrics (purchased by SAP for $8B in 2019) did for experience management. Companies that create a new category typically capture 76% of total market capitalization.
Even given all of this lip service (real and cliche) paid to “category creators,” the opportunity being created around data and cybersecurity in the cloud has to be one of the single biggest category creation opportunities I have seen in my venture career. Because as we experience this accelerated shift to the cloud, everything about how businesses work – and spend – have to change.
The shift to the cloud requires new tools and processes, fast.
The massive paradigm shift to cloud requires a very different skill set than on premises. Whereas once IT and devops were considered the foundation and cybersecurity was “a final ‘check the box’ for compliance”, this model simply can’t exist in a cloud-based world. The acceleration with which remote and distributed activity is happening requires these two disciplines to mesh. Everything that was once done on premise must now be done in the cloud and – more excitingly – must be done using tools built and optimized for the cloud. That puts cloud-based cybersecurity innovators in a unique and valuable position of being revenue-generating category leaders within a space while simultaneously creating and defining a new space (cloud-first security products).
Category leaders will need to think cybersecurity first while also playing well with existing tech titans.
Because of this migration to the cloud and other factors like data legislation and explosion of data generation from users and machines, cybersecurity is not just experiencing massive growth but also is becoming an extension of configuration management and good data hygiene. That said, the picks and axes of the cloud will be dominated by a handful of the biggest tech companies in the world. Over the last decade, AWS, Microsoft Azure and Google Cloud Platform have grown to over $80B in annual cumulative revenue. The fast followers trying to take share in this area are not start-ups, but rather IBM, Oracle and Alibaba.
The new generation of cloud-first cybersecurity logos will emerge from those that enable developers to work on top of these platforms, across these platforms and consider security from the start. While the large cloud infrastructure offers solutions with built-in security, best practice will be building on top of multiple clouds and utilizing third party software to enable and protect this type of new “multi-cloud” environment.
“Protect” is the key word here – market data from Gartner and AustCyber predict the global cybersecurity market will be worth $270B, and with a 2020 value of $173B, there is roughly $100B of new value up for grabs over the next 6 years. But compared to the $5.2T of cybercrime that Accenture predicts is at risk globally over the next half decade, it is clear security cannot be an after-thought or final check the box, relegated to some separate silo and budget “over there.” Security has to be integrated into workflows for the sake of agility and security. Even the most advanced dev-ops orgs cannot be both compliant to security protocols and responsive to customer feedback unless there is a unification of IT and Security. This union highlights one of the most important strategic partnerships in the modern enterprise: the CISO and the CTO. We see the convergence of these leaders creating a new category that we believe will be home to multiple Deca-unicorns in the 10 – 15 years.
Company leaders are already figuring this out – and organizing around it.
One of the simplest proof points for the likelihood of new category creators is the rise of a new title or the merging of existing titles, and this is happening. With the emergence of the secure cloud, Architects are now giving way to Cloud Architects, and potentially soon to be called multi-hybrid-cloud architect or even Chief Cloud Architect, who has a team that encompasses them all. Another increasingly common role is the business information security officer (BISO), now a position at 35% of enterprises and 21% of midmarket companies.
At the same time, titles are extending for developers. While the practice of dev-ops emerged just over ten years ago, it is increasingly giving way to dev-sec-ops in the last five. As cloud-first becomes standard and security is closely integrated with development and infrastructure management, I wouldn’t be surprised if titles return simply to Developers and Architects, but for now it indicates a big change. Without cloud expertise and security integrated into work processes, devs and architects won’t be hired for roles at the most innovative organizations. And when companies are organizing and prioritizing around business challenges, investment in software to help solve these same challenges is sure to follow.
For all these reasons, cloud and security are coming together to act as a joint enabler of faster, more scalable business, versus being at odds. In fact, anecdotally we are beginning to see more and more founders building security companies coming out of IT roles and seeing the CIO and CISO role held by the same person in some organizations who are moving aggressively to the cloud.
But unlike many category shifts that elapse slowly, in this case, cloud budgets and analogies are well understood by the C-suite, making it easier for new security category leaders to emerge not just due to adoption and usage, but more critically, with fast time to budget and real dollars flowing through the P&L. Once business leaders have committed real, recurring dollars to a business, we know there’s momentum.
Over the last couple years, we at Upfront have funded oriented companies that are commanding budgets that for decades were dedicated to on-prem solutions. Each are tackling a different sector of the category, whether securing devices (Fleetsmith, acquired by Apple), securing data (Open Raven) or managing identity and access (to be announced soon!). As I spend more time in the space and see data centers increasingly spun up in the cloud buy a single developer with a credit card in seconds with hundreds of millions of people working from home, it’s we are at very beginning of this sea change in cybersecurity becoming the key enabler of this shift.