RSA Conference 2023 took place this fine spring week in San Francisco, bringing together experts and thought leaders in the cybersecurity industry from across the globe. Foley & Lardner had the privilege of co-hosting a breakfast panel together with UBS, an entrepreneur and investor dinner with First Rays Venture Capital, and an afternoon roundtable co-hosted with Edgewood Ventures and 8VC. We also had the pleasure of attending panels and receptions hosted by, among others, Axios, At-Bay, Munich Re, and Guggenheim Partners. It was great to see San Francisco buzzing with conference attendees. Thanks to all the organizers, speakers, and guests for engaging in enlightening conversations. Here are some contextual data and a few takeaways for entrepreneurs and investors to consider.
Cyber investment and deal activity
To put things in context, #RSAC2023 happened in the midst of crosswinds in the market for new capital and exits. According to Crunchbase, funding for cybersecurity startups increased slightly from $2.4 billion in Q4 2022 to nearly $2.7 billion in Q1 2023. Some big winners included SandboxAQ, which raised a $500 million round in February to help companies and governments replace current public-key cryptography algorithms with quantum-resistant capabilities. Additionally, Netskope and Wiz each raised mega >$250 million rounds, while Tampa-based managed detection and response company Deepwatch closed a $180 million round. France-based crypto-hardware manufacturer Ledger raised a >$100 million round to continue securing digital assets.
The news wasn’t all good, however: the Q1 2023 total was a 58% drop from the $6.5 billion raised for cybersecurity startups in Q1 2022. The deal count also dropped to 149 deals announced, a 45% year-over-year decline. The driving sentiment is the fear that large enterprises will tighten their wallets for new products and reduce budgets for existing products as the economy cycles through a potential downturn. This was also reflected in the relatively paltry 13 M&A deals announced for VC-backed cybersecurity startups in Q1 2023 (compared to 31 deals a year ago in Q1 2022). One notable buyer was private equity firm Francisco Partners, which took SIEM provider Sumo Logic private for $1.7 billion, an exemplar of the broader trend of more cybersecurity companies going private than being taken public.
How is AI changing the landscape?
No technology discussion today is complete without addressing the impact of generative AI, which was true at all of the events we attended. Entrepreneurs asked buyers and investors whether AI should be integrated into products now or added later after achieving product-market fit. Responses were mixed. Executives were quick to point out that AI/ML is not new in cybersecurity threat detection and response. They conjectured that generative AI would rapidly become essential in front-end user interfaces for fielding and responding to queries across the software stack, managing incidents, and removing bottlenecks in the face of multiplying cyber threats by augmenting human processing and response times. Some dismissed the hype around generative AI as a distraction from companies addressing current cyber threats, positing that most people still fall for old tricks. On balance, executives and policymakers see generative AI benefitting both sides in the cybersecurity arms race between offense and defense. Threat actors are using generative AI to formulate and execute convincing social engineering attacks faster and more widely, while CISOs are optimistic that generative AI will be a force multiplier for their teams’ prevention, detection, and response efforts.
Regulatory outlook
The White House’s National Cybersecurity Strategy, published last month in March 2023, was a major topic of conversation. The Strategy proposes measures such as new regulations to establish baseline standards of cybersecurity and increased public-private collaboration in cybersecurity defense and threat disruption. It also calls for active disruption and dismantling of threat actors, which may include military involvement in both kinetic and cyber warfare. Of note for private enterprises, it also lays out plans to shift the burden of cybersecurity from software end users to providers of products and services. While the plans to shift liability are still nascent and likely to require legislative action, there may come a time when companies can be held liable for failing to take reasonable security precautions. When that happens, broad contractual disclaimers of liability, which are now common in end-user agreements, will no longer shield companies from liability for selling products with vulnerabilities that should have been detected and corrected before release. The Strategy contemplates "safe harbors" from liability for companies that follow cybersecurity best practices, which the Strategy acknowledges will shift over time. Entrepreneurs who implement secure-by-design principles when building products and services will be ahead of the curve when this shifting of liability occurs.
Platforms vs. point solutions
Another frequent topic of discussion was the growing complexity of the cybersecurity landscape, the proliferation of point solutions, and how this impacts users. Investors and executives stressed the importance of collaboration and integration among cybersecurity solutions. Too many point solutions that do not communicate with each other are difficult for even the most sophisticated users to manage. Complexity can result in unintended gaps in coverage and poses its own security risk. Investors favor platforms over point solutions. They acknowledge, however, that platforms are challenging for early-stage startups to credibly sell, much less build, from day one. Despite lamentations about a crowded market, investors and buyers sounded receptive to the narrative of a startup building a point solution with a fervent customer following, so long as it builds with integration and expansion in mind to enable a realistic platform offering within a few years.
Talent shortage and opportunity for growth
Lastly and relatedly, many executives and policymakers expressed concern that current cybersecurity solutions assume and require that customers have significant capabilities to manage them and expect too much know-how of end users. Event after event, speakers bemoaned a talent shortage in cybersecurity. Relatively few organizations possess advanced cybersecurity expertise or have the resources to afford a professional CISO and dedicated engineering teams to deploy and monitor disparate cybersecurity products and patches. Threat actors increasingly attack the under-resourced and vulnerable partners and suppliers in a target’s supply chain to infiltrate the otherwise well-defended target. To improve overall security in our digital and interconnected world, it will be crucial for startups to develop and investors to support solutions that make advanced cybersecurity accessible to the non-expert and less intimidating and resource-intensive for smaller businesses and everyday users to deploy.