2023 Was Not the End of Cybersecurity
There were times in the beginning of 2023 when it felt like it was over for the booming cybersecurity industry. 500 security companies were caught up in the closure of Silicon Valley Bank on March 10. Founders faced uncertainty as they were denied access to their funds for a harrowing 72 hours. Luckily, regulators opened the bank and gave access to those funds. Payrolls were met.
The press jumped on every closure as a sign of more failures to come. Yet, in Security Yearbook 2024, I could only report on a couple of new failures. Qomplx, a risk analytics company in Tysons, Virginia, was reported to have failed yet still appears to be in operation employing 52, down from 190. It may have been the victim of a failed attempt to merge with a special purpose acquisition company.
Speaking of SPACs, IronNet was the most dramatic failure of 2023 as it delisted and shut down operations. Note that we record headcount on the first day of every month in the Analyst Dashboard. It is the norm for people to wait to update their LinkedIn profiles until after they land a new job. So charts like the below are excellent for showing growth realtime, but declines (or de-growth as they call it in board meetings) is a lagging indicator.
I can’t help thinking about a similar failure in the early days. Remember Vigilinx Digital Security Solutions? It was an attempt by investors to build a major player in the security consulting space to compete with PricewaterhouseCoopers, KPMG, Deloitte, and EY. Investors put $90 million into a venture of their own creation and hired my former boss, Bruce Murphy, from PricewaterhouseCoopers to lead it. It was only two years before it morphed into a reseller and managed security firm, and was eventually sold to TruSecure for an undisclosed amount.
The market for public stocks was at a low at the beginning of 2023. But after January 6 began to climb back towards their all-time highs of November 2021. Despite the doom and gloom at the time, once again the markets were leading indicators. One year later here are the results for thirteen publicly traded cyber stocks. You can follow along with this Google Sheet.
Crowdstrike tripled in value over the year. Palo Alto became the first pure-play cybersecurity company to be worth over $100 billion. Zscaler actually hit it’s low later in the year. You could have bought it for $84 mid-day on May 1. It is up 270% from then.
It turns out that VC sentiment is closely coupled to Wall Street, which kind of makes sense. As individuals, VCs sock their money away in retirement-grade investments. A stock market blood bath of a 50% drop leaves them feeling insecure and therefore cautious. Instead of dollar cost averaging with their LPs’ money they freeze investing, deeming it better to wait until valuations go up before investing.
With all of the talk of valuations declining I fully expected 2023 to be a record year for acquisitions. Yet there were only 148 acquisitions of cybersecurity vendors in 2023 according to data provided by AGC Partners. That compares to 332 in 2022, a fall off of 55%. VMware’s acquisition by Broadcom, although recorded the year before, actually happened in 2023. And the biggest deal of all time, Cisco buying Splunk for $28 billion in cash, was announced in September. Cisco had a busy year, also acquiring Valtix, Lightspin Technologies, Armorblox, Oort, and Isovalent.
Despite the doom and gloom it turned out that new funding did not disappear in 2023.
2023 saw a healthy $10.05 billion in investment across 315 vendors. The breakdown by category put GRC at the top once again for total number of investments. Those 59 investments totaled $2.216 billion. $10 billion matches the levels of investment recorded for 2020 in Security Year Book 2021. That was followed by a record $26 billion in 2021 and a drop to $17 billion in 2022.
That number of 315 companies to receive new funding is a drop from 451 the previous year and 474 in the record year of 2021.
There were twenty two investment rounds that exceeded $100 million, down from 36 last year. There were 23 that raised between $50 and $100 million.
All in all I think 2023 was a healthy year for the cybersecurity industry. Some of the exuberance of 2021-2 was damped down. Hiring reflected actual revenue growth, not just easy money. Investors still put their capital to work. I don’t believe boom times will return in 2024 but I do predict investments will bounce back to at least $15 billion and the drought in cybersecurity IPOs will end.
Interesting to see GRC and IAM at the top.