Rick Grinnell is co-founder and managing partner at Glasswing Ventures, a Boston venture capital firm that launched earlier this year. Grinnell was previously managing director at Cambridge-based Fairhaven Capital Partners.
In 2016, we faced another year filled with devastating breaches and cyberattacks, which show no sign of slowing down in 2017. While the threats and new attack vectors that lie before us remain largely unknown, one thing is certain — enterprises and organizations globally will need to continue to evolve in their cybersecurity approaches and mindsets.
From a venture capital perspective, there are broader industry trends that I expect to drive the overall cybersecurity landscape which include industry and Wall Street pressures in addition to dynamic threat actors and methods. Here are some of my predictions for the overall industry, in addition to where the Boston cybersecurity market fits in:
? Consolidation will continue at a healthy pace.
“The larger companies must evolve their product lines via mergers and acquisitions.”
As exploits continue to increase in sophistication and frequency, cybersecurity vendors will need to build or acquire security products with dramatically improved detection, defense and remediation capabilities, and at an accelerated pace. Larger companies with established customers and products typically innovate more slowly than startups that are not encumbered by a legacy business. In the booming cybersecurity industry, valued at over $75 billion in 2015 by Gartner, the larger companies must evolve their product lines via mergers and acquisitions.
In 2015, there were 133 information security M&A deals per 451 Research’s Tech M&A Outlook 2016. M&A is a natural part of the IT security market and that is a primary reason why this market segment is so attractive to venture investors. While this is occurring at a national level, some of the most notable recent activity involved Boston-area companies — Cisco acquired Waltham-based CloudLock while IBM acquired Cambridge-based Resilient Systems. One can imagine another wave of Boston-area companies reaping the benefits of this market trend, with larger companies like Carbon Black, Digital Guardian and others coming to mind. Some of these players may opt to go public, but they will likely be very attractive acquisition targets for the established large public companies.
A couple of interrelated factors will continue to drive this M&A activity:
- Pressure to innovate and stay relevant. The larger, established cybersecurity companies are feeling the heat and need to provide new best-of-breed solutions to stay competitive and provide their customers with solutions that provide better defense. Look how long Symantec’s product line was stagnant, with a fairly negative perception by customers and Wall Street analysts. In recent months, we saw the company acquire Blue Coat and Lifelock, and as a direct result of the company’s more aggressive moves, the company’s perception and stock price have shown strong improvement. Symantec, like other big public players — Cisco, Check Point, HP, IBM, and others — will continuously need to refresh and add to their arsenal of security solutions as the threat landscape continues to evolve.
- Growth pressure from Wall Street. As is typical, if you don’t make your numbers, you can expect to see repercussions. This is amplified in the security market which the Street expects to be high-growth, justifying high multiples. Just last week, we saw Palo Alto Networks stock tumble (a 13 percent dive) because they missed their revenue number by $2 million ($398 million on a forecast of $400 million.) Even though the company beat its earnings, missing revenue — if only by a tiny fraction — was detrimental when coupled with a more conservative forward growth estimate. Wall Street expects consistency out of a market that should be red hot. With all the recent headlines (the worry of hacking the presidential election, Dyn’s huge DDoS attack, etc.), no market should be better poised for success than cybersecurity. The takeaway here is that in 2017, cybersecurity companies may need to spend a little bit of their balance cash to ensure growth and meet their numbers to continue an “up and to the right” trajectory.
? A shift in focus from the endpoint to the “middle point.”
In 2017, the industry will need to rethink the focus on security at the endpoint and instead begin to think about security at the middle point — layers of security between the exploitable surface area of the Internet of Things, and the assets, data, and services that we need to protect. From a VC perspective, I see a few critical areas that are ripe for innovation in this “middle point,” including two new market opportunities: 1) the detection and profiling of all connected devices and 2) the monitoring and analysis of traffic generated by IoT devices. This is something that Boston-area companies should have as top-of-mind.
“AI will be a critical component in the future of cybersecurity.”
? AI is going to fuel, or be the key ingredient, in next-gen solutions.
Artificial intelligence will be the core of the next-generation of powerful security solutions — whether they are endpoint, “middle point,” analytics or behavioral analysis. With the amount of data, the velocity of data, and the sheer number of connections to monitor and manage accelerating at an exponential rate, AI will be a critical component in the future of cybersecurity.
? Boston will lead in AI cybersecurity advancements.
In terms of AI, Boston has an extremely knowledgeable talent pool. From engineers, scientists and researchers coming out of Harvard, MIT and other local universities to the leading talent who work at big companies and local robotics—Boston has as much talent as anywhere. Additionally, some companies that are based out on the West Coast have sizable teams of AI talent based in Boston and NY (e.g. Facebook and Google). If we assume that AI is going to fuel the next-gen of cybersecurity solutions, Boston is primed to be a leader with both cybersecurity and AI expertise.
? Boston booms as Security Hub.
In addition to the few dozen companies headquartered in Boston, as well as leaders like IBM Security opening a new global headquarters in Cambridge, we will continue to see others dig their roots into the area. Thanks to the proximity of time zones and flights (compared to San Francisco), we will see more and more international companies, like CyberArk, have a European or Israeli backend and a Boston frontend.
? Boston will dominate in cybersecurity.
I feel confident in saying that during the next wave of AI-based cybersecurity, we are going to be No. 1 or No. 2 – if not the absolute leader, we’re going to be Silicon Valley’s biggest contender. Not only do we have some of the industry’s leading players (IBM, Rapid7, Carbon Black, RSA), but we also have several up-and-comers who may not be as well known. 2017 is going to be an exciting year for the industry while Boston may emerge as the innovation epicenter of the cybersecurity world.