In 1969, a team of researchers at UCLA sent the first message between two computers to Stanford on the Advanced Research Projects Agency Network (ARPANET). Often known as the forerunner of the internet, ARPANET was funded by the Department of Defense to link research institutions with government grants to speed technological development. It only took a few years for one of the academics, Bob Thomas, to create a program named Creeper that could track network activity and report back its findings. This was quickly followed by Ray Tomlinson’s Reaper antivirus software, which chased and deleted Creeper wherever it was found.
This tit-for-tat between Bob and Ray is the first example of cybersecurity in action, and for the past five decades, the battle between those looking to penetrate online networks and those erecting defenses has continued to escalate. In 2023, end-user spending in the market for information security from cyber attacks was projected to reach $188B, which would represent 11.3% growth from 2022. Estimates for how large this market can get vary widely, but a study by McKinsey pegged the top end at $2 trillion.
Why does such explosive growth appear likely? One way to approach that question is to consider how much cybercrime costs today and how that’s likely to change. The team at Cybersecurity Ventures estimated that cybercrime would cost $8 trillion in 2023 and $10 trillion by 2025 due to a host of costs, including data destruction, stolen money, IP theft, and reputational harm, among others. Another barometer includes surveys of top executives purchasing cyber defenses as they are the ones writing the checks. Morgan Stanley asked 100 Chief Information Officers in early 2023 about which programs would receive the largest spending increase, and Security Software came first.1 More revealingly, when asked which programs are most likely to be cut, none of the CIOs mentioned Security Software.
Not only is explosive growth possible, but there are reasons to believe startups will have an outsized role to play in defending against the next generation of attackers. One is that entrepreneurs can structure their firms to prevent today’s threats. Cyber professionals have already started to see Generative Artificial Intelligence (AI) contribute to cyber attacks by making it cheaper for groups to run spear phishing or automated customer support scams. The US government has noticed, setting up an AI Security Center within the National Security Agency (NSA) to guard sensitive information that can’t always be addressed with third-party software. Similarly, advances in quantum computing threaten to make many current encryption methods obsolete. Companies built to stop these new vectors of attack stand to benefit if they can outperform legacy players, and historically, incumbents have struggled to innovate on new products while staying at the cutting edge of their existing products. This is especially easy because experienced cyber operators can offer consulting services independently to generate revenue while developing the next software program to productize their insights.
Why Entrepreneurs Need Venture Capital
Considering the size and growth of the cyber market, you might expect the venture industry to be rushing headlong into cyber. TechCrunch’s data disagrees, and they estimate Security startups only raised $2.7B in funding over the first quarter of 2023, down 58% year over year. Beyond a general funding malaise, VCs also might be reacting to the difficulties in investing in the space as a generalist. Cyber-specific VCs enjoy advantages on the sourcing side because their relationships with executives purchasing cyber solutions can help startups get a foot in the door with potentially huge clients. They are also advantaged with investment diligence because extensive experience allows them to more easily separate overhyped players from true security breakthroughs. This is crucially important in an industry where companies can grow revenue before the flaws in their security solutions manifest.
Cybersecurity is an industry ripe for continued growth and disruptive innovation. As investors consider how they want to position portfolios against potential disruptions from AI or quantum computing, it would be wise to consider how cybersecurity investments could function as an (imperfect) hedge. We are excited to see how the space develops in the years ahead and hope that those building protective walls outpace bad actors seeking to scale them.
- Source: AlphaWise 1Q23 CIO Survey (n=100), Morgan Stanley Research. ↩︎