Cybercrime, increasingly including nation-state attacks, costs businesses and the community upwards of US$440bn a year, according to McAfee, and the problem is getting worse. Other estimates put it in the trillions, depending on your definition. Rapid digitalisation during the pandemic increased the threat surface across many more systems and organisations. Worse, work done under pressure to shift employees en masse into work-from-home arrangements created conditions for a cybersecurity trainwreck.

There are also longer-term trends which have increased industry threat profiles.

In the construction sector, for example, new risks are emerging as new commercial buildings are developed with IP networks running up their spines, exposing their control systems to potential penetration. Likewise, industrial systems which used to benefit from the “air gap” between the network and the internet are increasingly connected as organisations determine the upside of big data outweighs the risk of system or network compromise. 

And with 6.6 billion people using smartphones around the world — representing over 80 percent of the world’s population — commercial systems have never been more at risk.

Despite this, the cybersecurity category has suffered the same valuation adjustments as other technology categories. While the industry is growing at a healthy double-digit clip (11.7 percent by our estimates), the valuations in public companies actually dropped drastically in H1 2021 — down by more than 25 percent.

On current form, the fastest growing businesses in the sector are valued at approximately seven times FY23 forecast revenue, according to the Houlihan Lokey Cyber security report. It also suggests medium-growth companies are achieving valuations of 4.5x FY23 forecast revenue, while lower-growth businesses are valued at 3.3x. Houlihan Lokey’s data also suggests a huge increase in financing activity in 2021, with deal value increasing from US$12bn to US$30bn while the number of transactions grew from 820 to 1074. The trend has softened though in the first half of 2022.

The first half of calendar 2022 has seen growth in M&A activity, with Broadcom’s US$61bn plunge on VMware the most spectacular — eclipsing all other deals. While not exclusively a cybersecurity play, the marriage puts Broadcom into the top tier of cybersecurity providers. It brings cybersecurity pioneer Symantec — which it acquired in 2019 for US$10.7bn — into the same portfolio as VMware’s Carbon Black (acquired in 2018), Octarine (2020) and Lastline (2020).

But while it was the largest deal, it was not the only one of significance. Among the other key deals this year:

• Google’s acquisition of Mandiant this week marks the second most expensive acquisition in its history at $5.4bn, underscoring the cloud provider’s commitment to become a standalone security brand.

• KKR completed its purchase of Barracuda Networks, which it bought from Thoma Bravo. Terms were not disclosed, but contemporaneous media reports, including Reuters, put the size of the deal at US$4bn.

• Thoma Bravo promptly revealed its plans to buy Ping Identity — an identity management firm — for US$2.8bn. It had earlier bought identity and access management firm Sailpoint for US$6.9bn.

• Kaseya bought data security firm Datto for US$6.2bn in April, in a deal more focused on the SMB markets, given Datto’s heritage.

• Flashpoint bought open-source intelligence firm EchoSystems for an undisclosed amount.

There were also a clutch of smaller deals, such as Thrive buying Edge Technology Group, a managed security service provider, to grow its footprint across APAC, IBM Security buying Randori, and encryption firm Cipherloc buying Side Channel.

The current consolidation underway in the cybersecurity sector is one of several key trends we see unfolding.

One of the most important is both architectural and organisational in nature. That is the shift from perimeter defence to what is known in the industry as zero-trust.

Basically, traditional approaches such as firewalls and antivirus software were designed on the premise that the best approach involved keeping the bad guys out. But cybercrime is now a sophisticated ecosystem. Its practitioners have high levels of specialisation and capabilities that are equal to, if not better than, the organisations they target. They are also adept at utilising social engineering techniques to fool consumers and employees into opening the gates. 

On top of that, nation-state attacks pit the capabilities of individual businesses against the resources of hostile national governments. In such an environment, the thin membrane between organisational systems and data is unlikely to hold firm for long.

The emerging philosophy is to trust nobody — even if they have ‘legitimately’ gained access to the system. Instead, the network is sub-segmented and decisions made around access based on specific permissions aligned to an identity and the context of that identity’s role in the organisation.

The other big trend — which reflects the scarcity of skills around the world — is outsourcing. Companies such as Crowdstrike, for instance, benefit from being able to aggregate not only skills and capabilities, but also data across its global network of clients. Crowdstrike is a specialist in defending endpoints, and the intelligence it gleans can then be used to defend everyone else in the ecosystem.

All of these trends provide fertile ground for growth of cybersecurity software and service providers in the medium term, as the problem keeps getting worse.

Technology industry analyst Gartner argues that in an increasingly distributed ecosystem cybersecurity leaders are losing control. That’s despite the US$172bn that Gartner estimates organisations will spend this year on information security and risk management. That will likely grow to US$192bn next year.

The firm breaks cybersecurity down into eleven sub-segments (See Chart 1 below).

Application security, cloud security and data privacy will be the three fastest-growing segments, according to Gartner. That’s reflected in the current outlook for IPOs.

Despite the decline in valuations as part of the overall tech retreat, the second half of the year could potentially see a number of IPOs adding to the burgeoning stable of tech industry unicorns.

·      Snyk, an application security firm with an US$8.5bn valuation, has raised US$1.0bn to date.

·      Lacework, a cloud security firm with an US$8.3bn valuation, has raised US$1.9bn.

·      Another cloud security company, Netskope, has raised US$1.0bn and now enjoys a US$7.5bn valuation.

·      End point specialist Cybereason has an estimated valuation of US$3.0bn having raised US$745mn.

·      Finally Illumio, with a US$2.8bn valuation, is another cloud security company and has raised US$560mn to date.

According to Gartner’s analysis, “Cybersecurity is turning into a social phenomenon. Investor interest, public pressure, employee demands, and governmental regulations are strengthening the incentives for organisations to track and report cybersecurity goals and metrics within their environmental, social and governance (ESG) efforts as a business requirement.”