Cybersecurity Investment: The Next $100 Billion Opportunity

Reflections on Two Decades of Tech Evolution
During my time as an associate at Battery Ventures in 1999, a significant portion of my evenings was dedicated to meticulously highlighting key publications. These included magazines such as Red Herring, InfoWorld, and The Industry Standard, alongside my preferred sources, StorageWorld and Mass High Tech.
At the age of 23, I focused on identifying the names of seasoned CEOs leading organizations like IBM, EMC, Alcatel, and Nortel. My aim was to gain insights into their strategies and innovations.
The Enduring Nature of Technological Challenges
These companies were pioneering technologies related to mainframe-to-server replication, IP switching, and the initial development of web and security services. Interestingly, when looking at the landscape 22 years later, fundamental aspects remain surprisingly consistent.
The evolution of interface innovation has progressed from command-line interfaces to graphical user interfaces (GUIs), and now to application programming interfaces (APIs). However, the need for a user-friendly interface, accessible to a diverse range of users across various devices, persists.
The focus has shifted from discussions surrounding the OSI stack to the decentralized blockchain stack. Similarly, while the core concepts of compute, data storage, and analysis have remained, their implementation has transitioned from mainframes to the cloud.
Market Expansion and Growth
The underlying problems and opportunities have demonstrated remarkable resilience, but the potential markets have experienced substantial expansion. For example, the cloud businesses of AWS and Azure collectively generated $23 billion in recurring revenue during the past year.
This represents growth rates of 32% and 50% respectively – impressive figures considering the already substantial scale of these operations. The cybersecurity market, in particular, has grown exponentially as software increasingly permeates all aspects of life.
More individuals than ever before have the ability to participate in the digital economy from any location on Earth, and soon, even from space.
Recent Analysis and Market Projections
Over recent months, my colleague Spencer Calvert and I have published a series of analyses detailing the factors driving this rapid market growth. These include the increasing adoption of multicloud environments, the exponential growth in data generation and storage, the widespread use of SaaS applications, and the growing influence of Chief Information Security Officers (CISOs).
Our estimations suggest a conservative projection of $100 billion in new market value by 2025, bringing the total market size to approximately $280 billion.
Investment Focus Areas
Consequently, the cybersecurity sector presents significant opportunities for substantial business value creation. We anticipate the emergence of numerous unicorn companies within these spaces. While still in the early stages of development, Upfront is actively seeking investment opportunities in the following specific areas:
- Data security and data abstraction: Protecting and managing data effectively.
- Zero-trust security: Implementing a security model based on the principle of "never trust, always verify."
- Supply chain security: Securing the complex network of suppliers and vendors.
Data Security and Abstraction: A Paradigm Shift
While data itself isn't a novel concept, the evolving landscape of data stacks presents a compelling opportunity to re-evaluate cybersecurity strategies. Considering security as a foundational element—integrated at the base of the stack—rather than a subsequent application, could unlock significant advantages.
The Expanding Data Challenge
Currently, data is growing at a rate that outpaces our ability to adequately secure it. A crucial first step involves comprehensively understanding data location, both structured and unstructured, and verifying its security posture. Prioritization of remediation efforts, based on impact, is also essential.
Achieving this at scale necessitates intelligent, passive data mapping. This requires employing heuristics and rules to effectively filter meaningful signals from the increasing volume of data-related noise.
Open Raven and the Future of Data Security
Open Raven, a portfolio company of Upfront, is developing a solution designed to discover and protect structured and unstructured data across diverse cloud environments. We anticipate the emergence of substantial new platform companies within the data security sector as control shifts from the network layer to the data layer itself.
We believe Open Raven is well-positioned to become a leader in this evolving space. Furthermore, its technology will likely empower a new wave of “output” or application companies currently seeking funding.
A New Ecosystem of Applications
These future companies have the potential to reach the scale of established giants like Salesforce or Workday. They will be built upon a foundation of data that is abstracted and managed in a fundamentally different manner.
By analyzing security data at its point of creation or discovery, platforms such as Open Raven could catalyze the development of an entirely new ecosystem of applications. This includes both solutions Open Raven might develop internally—like compliance workflows—and entirely new companies that reimagine long-standing applications.
Focus on the Customer Experience
These reimagined applications could span a wide range of categories, from people management systems and CRMs to product analytics and marketing attribution tools.
Platforms prioritizing security from the outset have the potential to empower a new generation of application companies. These companies can concentrate their efforts on the customer engagement layer—the “output” layer—while delegating data cataloging, data modeling, and data applications to specialized third parties.
A Layered Approach to Application Development
To illustrate, if full-stack applications are visualized as layers of the Earth, with the user experience (UX) representing the crust, that crust can be significantly improved. Foundational horizontal companies underneath can address requirements related to personally identifiable information (PII) and GDPR.
This approach alleviates the burden on companies currently grappling with data scattered across numerous locations. It allows new application companies to dedicate their creative resources to building superior human-to-software engagement layers, ultimately creating more powerful applications across all existing categories.
Zero Trust Security
The concept of zero trust originated in 2010, yet its practical applications are continually expanding, with numerous companies now being founded on this principle. Essentially, zero trust operates on the assumption that any individual or entity attempting to access a system, network, or device should be considered potentially malicious.
While this approach might appear overly cautious, consider the security protocols in place at major technology companies. Access beyond reception areas typically requires a guest pass or visible identification. The same principle applies to virtual environments and access controls.
My initial comprehensive study of zero-trust security was undertaken through Fleetsmith. I made an investment in Fleetsmith in 2017, recognizing the potential of their young team developing software for managing applications, configurations, and security settings on Apple-powered organizational devices.
Within the Fleetsmith framework, zero trust centered on device configuration and permission management. Apple acquired Fleetsmith in mid-2020.
Concurrently with the Fleetsmith acquisition, I connected with Art Poghosyan and the team at Britive. They are focused on implementing zero-trust principles for dynamic permissioning within cloud environments.
Britive’s core philosophy revolves around zero-trust Just-in-Time (JIT) access. This means users are granted temporary, dynamic access privileges instead of relying on the traditional method of permanently “checked-out” credentials.
By providing temporary privileged access, rather than persistent “always-on” access, Britive significantly minimizes cybersecurity risks linked to over-privileged accounts. It also reduces the time required for privilege access management and streamlines workflows across multiple cloud platforms.
What future developments can we anticipate in zero-based trust (ZBT)? We view devices and access points as the evolving perimeter, particularly as workforces embrace flexible device usage and remote locations. Our investments in Fleetsmith and now Britive reflect this perspective.
However, we believe further progress is needed to integrate ZBT into more routine processes. Passwords, while theoretically embodying zero-trust principles – requiring continuous verification – are demonstrably insufficient.
The most prevalent route for data breaches remains phishing attacks designed to steal passwords. The challenge lies in encouraging users to adopt password managers, implement password rotation, enable dual-factor authentication, or transition to passwordless solutions.
We are actively seeking simple, elegant solutions that integrate ZBT elements into everyday workflows.
Supply Chains
Contemporary software development frequently incorporates components sourced from third parties and the open-source community. This process, where software is constructed from publicly available code packages and external APIs, is termed a supply chain.
Threats directed at this construction process are known as supply chain attacks.
Certain supply chain vulnerabilities can be addressed using established application security solutions. Tools like Snyk, alongside SCA (Software Composition Analysis) platforms such as Bridgecrew for automating security engineering and correcting misconfigurations, and Veracode for security scanning, offer protective measures.
Challenges in Detection
However, identifying other vulnerabilities can prove exceptionally difficult. The 2020 SolarWinds hack serves as a prime example. A subtle alteration within a SolarWinds update propagated to 18,000 organizations, all of whom depended on SolarWinds software for network oversight and related functions.
Protecting against malicious code embedded within a trusted vendor’s update, even after successful security onboarding, presents a significant challenge. Maintaining comprehensive oversight of the entire supply chain is equally complex.
Currently, the questions surrounding supply chain security outweigh the available answers. We anticipate the emergence of substantial companies dedicated to the secure vetting, onboarding, monitoring, and offboarding of third-party vendors, modules, APIs, and other dependencies.
Future Outlook
If you are involved in developing solutions within these areas, or related fields, we encourage you to connect with us. The cybersecurity environment is evolving at a rapid pace.
We welcome your perspectives and invite discussion regarding the points presented above, whether you concur or disagree.