The cybersecurity industry is burning — but VCs don’t care

To say cybersecurity is booming would be an understatement. We’re talking about security companies’ skyrocketing valuations ($524.1 million on average) and the massive amount of funding ($12.2 billion just this year so far) investors are pouring into the industry, of course. Because in terms of success, there’s a lot to be desired. Recent supply chain attacks on SolarWinds and Kaseya, as well as the zero-day attack on Microsoft Exchange, took cybercrime to new levels and showed how one breach could cripple tens or even hundreds of thousands of organizations. And attacks on critical infrastructure like hospitals and the Colonial Pipeline made clear just how high the stakes are. The year 2020 alone saw more data breaches than in the last 15 years combined — and 2021 isn’t looking any better.

“It’s depressing,” Jadee Hanson, chief information security officer at cybersecurity company Code42, who has 15 years’ experience in the industry, told VentureBeat.

Dave Furneaux, who recently joined security company Virsec as CEO after 20 years as an IT and cybersecurity investor, echoed this sentiment. “We’re at a worse point now than we [ever] were,” he said.

Some industry veterans even consider cybersecurity a losing game, including Ryan Naraine, a longtime security reporter and former security director at Intel. Overall, he says he has a “pessimistic” view.

“I’ve been hearing about solving security problems for the last 10 years,” he told VentureBeat. “We’re here 10 years later. Things have only gotten exponentially worse.”

So how did we get here? And if decades of innovation, a wide field of players, and billions upon billions invested have only landed us in a world where the amount of money lost to cybercrime annually is outpacing nearly every country’s GDP, what should we make of this current VC gold rush?

Why everything feels like it’s on fire

The sharp increase in cyberattacks doesn’t mean there hasn’t been any progress. Multi-factor authentication (MFA), encryption, and technologies that enable zero trust can make a real difference. And HTTPS, while simple and often taken for granted, introduced effective authentication into our browsers. We can use our smartphones to securely pay for everyday goods in stores, and that’s significant.

“Year on year, security technology advances and gets provably better,” Gunter Ollmann, an early security analytics pioneer and current chief security officer at Devo, told VentureBeat. “However, the diversity and complexity of interconnected systems is growing much faster, and so attack surfaces are increasing quicker than most businesses can effectively secure.”

Across the board, security experts cite the pace of technology adoption as the major contributing factor to the current cybercrime environment. The technology is simply advancing too quickly. And many of the latest tech-powered business strategies — such as storing massive amounts of data — introduce exponentially more risk. Additionally, companies that weren’t relying much on technology a decade or even five years ago very much are today.

Hanson noted how in the old days, you were generally dealing with a server running an application, and it was possible to actually physically lock it down. “It’s not today with the changing landscape and all the tech we have at our fingertips,” she said.

The shifts to remote work and the cloud, in particular, are playing an outsized role. McKinsey found that the pandemic accelerated the pace of digital transformation by seven years, and Gartner predicts 70% of all enterprise workloads will be deployed in the cloud by 2023, up from 40% in 2020. Overall, worldwide public cloud services are predicted to grow from $387.7 billion in 2021 to $805.5 billion in 2025, according to Gartner.

But in a recent survey of security professionals, the majority said public cloud security is “just barely” adequate. Just the other day, security researchers at Wiz warned Microsoft that they discovered a vulnerability in the central database of Azure and “were able to get access to any customer database [they] wanted.” And when examining how a “more sophisticated and destructive” cyberattack — like one on multiple financial institutions — would theoretically go down, New York City’s Cyber Task Force determined it’d likely start with North Korean hackers compromising a third-party service provider, such as a cloud computing company.

“That’s why we have a ransomware epidemic. That’s why everything feels like it’s on fire,” Naraine said. “Because we’ve gone to the cloud in dramatic ways, and it’s just impossible to configure it properly. Things are exposed.”

The other significant factor is that there are well-equipped and financially motivated adversaries working every minute of every day to undermine security efforts. They’re continuously adopting new strategies and forming alliances, and cybersecurity is only ever a step ahead. A Microsoft 365 setting created specifically to thwart phishing attacks, for example, was recently co-opted by hackers for — you guessed it — phishing. What’s more, Naraine notes that a lot of the high-end exploit tools previously only used by nation-state actors are now filtering down to everyday cybercriminals, which was not the case just a few years ago.

“Organized crime has continued to embrace these new technologies and are, quite frankly, outspending both the defenders and law enforcement,” Ollmann said.

A prioritization problem

Despite the increased risk associated with today’s technology and data practices, cybersecurity is often seen as an afterthought.

“I don’t think every company is investing in cybersecurity the way they probably should,” Hanson said, adding that security should be a core department in every company — just like finance and HR.

But the reality is that many enterprises prioritize features and functionality without adequately considering the security trade-offs. A recent survey, for example, found that the majority of IT leaders are primarily focused on enabling competitive differentiation and digital transformation, even in light of the increasingly pressing cybercrime threats.

Because of this, you can sense a feeling of defeat and frustration among some experts. While they acknowledge it’s impossible to secure everything in today’s landscape, some feel as if the effective solutions the industry has put out aren’t fully being taken advantage of. Multi-factor authentication is widely considered standard and a strong defense against many types of password-related attacks, for example, yet only 55% of respondents in Thales’ 2021 Data Threat Report said their company has implemented MFA in any form. Another recent study of IT leaders and employees revealed that 43% admit to not following security protocols. And further complicating matters is the massive shortage of cybersecurity expertise, which is only expected to worsen in the coming years.

“We’ve been instructing and educating users to use 8+ character passwords for 30 years now, and the majority of people still haven’t mastered it,” Ollmann said. “We’ve had great passwordless and multi-factor authentication technologies for over a decade that provably enhance user experience and replace those legacy passwords (and all the attack vectors associated with them), and the businesses are only now starting to adopt them as default solutions.”

An impossible game of catch-up

All this points to an inherent truth about cybersecurity: It’s a never-ending cycle. As the field advances, so do both the adversaries working against it and the technology it has to protect.

“The thing that has stayed the same [about the cybersecurity industry] is that we’re still playing catch-up,” Hanson said. “That was true 10 years ago, and that’s true today.”

Even many of the advancements within cybersecurity — such as the use of data analytics and machine learning — have in turn led to new security issues, like increasing the attack surface. Furneaux said this is a “huge challenge.” And even Ollmann, whose career has been focused on security analytics, an approach focused on using data analysis to proactively thwart attacks, agrees the use of machine learning and intelligent solutions perpetuates the cycle and creates new security problems that must be dealt with.

At Code42, which creates insider risk detection and response software, Hanson even feels this is creating obstacles internally. One dilemma, she says, is that they want employees to use new collaboration tools and share their work, but doing so in and of itself is now “a huge risk that security teams need to deal with.”

A cybersecurity gold rush

Since 2019, the rise in cybersecurity funding has outpaced the increase in overall venture funding, according to The New York Times. And now since the pandemic, cybersecurity founders describe floods of money coming their way, closing massive deals quicker than ever before, and their phones ringing off the hook with calls from venture capitalists, even when they’re not looking for a deal. Greylock Partners just wrote its biggest check ever — $40 million — to Abnormal Security, and one VC told the Times he’s never seen valuations “so escalated.”

One could say these investors are watching the seemingly never-ending onslaught of cyberattacks unfold and are vying to support the development of a solution. But when you consider the existing solutions not being fully used, how much enterprises are now willing to spend on security (more than ever), and the cyclical nature of the industry, it’s easy to see why VCs have money signs in their eyes. An industry that, by nature, is poised to continue on forever, always trying to catch up, is perfect for investors.

Venture capitalists are, of course, first and foremost in the business of making money. More specifically, they use their money to compete, even when there’s no evidence a product works or that a company has a viable business model. From ride-hailing services to third-party food delivery, venture investments continue to prop up entire industries that have yet to turn a profit and are clearly lose-lose-lose situations. Even when a company or industry fails, venture capitalists have usually already made their return. Often, they’re the only ones who really win.

“They’re not even pumping money in with the expectation that this company may make money down the road, exit, sell, or IPO. That’s not what they’re doing,” Naraine said. “A lot of this is $10 million series As, and they’re betting they can get this company to a series B, and then they pass the buck to another investor, and the series B and series A guys get to cash out and go do it again. They’re incentivized not to build companies, but to get more funding. That becomes a snowball of just money chasing bad money chasing bad money.”

Naraine also pointed out that all the money being invested just doesn’t mesh with the “assumed breach” mentality of the industry today. And Furneaux agreed the gold rush of cash isn’t “helping the problem,” though his company, Virsec, did recently raise $100 million in funding. One notable difference about Virsec’s raise, however, is that aside from venture firms, the expansive roster of investors also includes several notable figures from the public sector, including former high-ranking government and intelligence officials. Furneaux believes something more similar to NASA’s public-private approach is the way forward, and this represents an emerging view — that cybersecurity is a critical task more aligned with national security and beyond the purview of security startups (and even big tech companies) alone.

Cybersecurity is at the top of President Biden’s agenda. Just the other day, he urged companies to “raise the bar,” as the White House announced an expansive cybersecurity initiative with Amazon, Microsoft, IBM, Google, and Apple. All of the companies’ chief executives attended the meeting and pledged various contributions, including cash donations, cyber training, and efforts around the approaches we already know to be effective, such as free multi-factor authentication devices.

“I don’t think pumping money solves problems anymore,” Naraine said. “I think we’re far beyond money being it. Because if money could have solved it, we would’ve resolved it already.”