Beware the gold rush: The risk of a cyber investment surge

Co-founder and CEO at Cloudflare Matthew Prince shares the stage with venture capital leaders at TechCrunch Disrupt Berlin 2019. Cloud is among the factors influencing massive investments in the cybersecurity space during 2020. (Photo by Noam Galai/Getty Images for TechCrunch)

During a May interview, veteran cyber executive Dave Dewalt threw some big numbers my way.

The last year brought $20 billion in M&A, he said. There was $1.3 billion in IPO money raised, and $10.7 billion invested capital. During the first quarter of 2021 alone, cyber companies accounted for $18.9 billion in investments.

DeWalt saw this as encouraging – the latest and perhaps the most pronounced example of what he called a “super cycle,” characterized by a “threat epiphany,” followed by an influx of customer spending and ultimately an investment spike. I generally agree that if there is any silver lining of the pandemic, the ransomware surge, the SolarWinds hack, the Microsoft Exchange vulnerabilities – really, the list goes on – it is this spike that we're seeing in cyber investment.

But is all cyber investment created equal? 

Jill Aitoro
Jill Aitoro, SC Media

We have seen this before. In the last decade we saw Russian cyberattacks cripple Eastern Europe, high-profile hacks of Sony and others bring commercial enterprises to their knees, and disinformation create chaos in elections. These, too, were reality checks that spurred major cybersecurity investments. And to DeWalt’s point, those investments contributed to some success stories. Roughly 200 cybersecurity startups landed venture funding in 2017 alone, according to a Cybersecurity Ventures M&A Report, with Tenable, Tanium and Duo Security among those to receive significant infusions of cash.

But what else came out of those incidents? For one, we saw some of the biggest defense companies hop in, wrongly figuring that commercial cybersecurity aligned nicely with military system development. Boeing, General Dynamics, Northrop Grumman, and Lockheed all bought commercial cybersecurity companies or tried to stand up commercial cyber enterprises themselves, only to shed them within a few years when they realized that, no, a commercial business doesn’t fold too neatly into a government one. We also saw a plethora of cyber companies bought up by consulting firms or bigger tech companies, often for absurd valuations, only to be rolled into larger divisions. Founding teams of the startups would move on, and technology that showed so much promise withered within a corporate giant. Not always, mind you; but often enough.

Returning to now: venture dollars are flowing to startups at furious speeds. New tech businesses are emerging from stealth, securing millions in initial seed money, and more established startups are raising millions more to fund expansion. We’re also seeing private equity moving in on the market in a big way, shelling out billions for cyber giants like Forescout, Proofpoint and Forcepoint (the latter bought from Raytheon – the last defense company to hold out hope for its commercial cyber play to bear fruit). 

Crises begets demand which begets a terrific business opportunity.

I don’t question that investment in innovation is essential. And certainly, the last year proved that the market has some work to do to keep up with an increasingly sophisticated threat landscape. But any surge in investments does bring the risk that innovation might be stifled as well. What was lost, for example, amid the company buy-ups from defense and consulting giants? Was the trajectory of some of those commercial companies slowed? Did tech development that held great promise stall entirely? What might the typical restructuring that comes with private equity ownership mean for companies getting bought up today – in particularly their R&D efforts? Even venture investment, which at the core is all about innovation, brings expectations for some pretty fast returns and has a high failure rate. Are we confident the investments happening now are strategically tied to gaps in the market or do (some) investors maybe just want in? And where might we run the risk of oversaturation? 

Again, I do agree with DeWalt that the flow of cash into cybersecurity is a good thing. And investment always brings an element of risk. But like any gold rush scenario, we should also brace for some failures and hope that amid this rapid flow of dollars, the most promising technologies remain standing.

Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She 20 years of experience editing and reporting on technology, business and policy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.