As a Battery Ventures associate in 1999, I used to spend my nights highlighting actual magazines called Red Herring, InfoWorld and The Industry Standard, plus my personal favorites StorageWorld and Mass High Tech (because the other VC associates rarely scanned these).
As a 23-year-old, I’d circle the names of much older CEOs who worked at companies like IBM, EMC, Alcatel or Nortel to learn more about what they were doing. The companies were building mainframe-to-server replication technologies, IP switches and nascent web/security services on top.
Flash forward 22 years and, in a way, nothing has changed. We have gone from command line to GUI to now API as the interface innovation. But humans still need an interface, one that works for more types of people on more types of devices. We no longer talk about the OSI stack — we talk about the decentralized blockchain stack. We no longer talk about compute, data storage and analysis on a mainframe, but rather on the cloud.
The problems and opportunities have stayed quite similar, but the markets and opportunities have gotten much larger. AWS and Azure cloud businesses alone added $23 billion of run-rate revenue in the last year, growing at 32% and 50%, respectively — high growth on an already massive base.
The size of the cybersecurity market has gotten infinitely larger as software eats the world and more people are able to sit and feast at the table from anywhere on Earth (and, soon enough, space).
The size of the cybersecurity market, in particular, has gotten infinitely larger as software eats the world and more people are able to sit and feast at the table from anywhere on Earth (and, soon enough, space).
Over the course of the last few months, my colleague Spencer Calvert and I released a series of pieces about why this market opportunity is growing so rapidly: the rise of multicloud environments, data being generated and stored faster than anyone can keep up with it, SaaS applications powering virtually every function across an organization and CISOs’ rise in political power and strategic responsibility.
This all ladders up to an estimated — and we think conservative — $100 billion of new market value by 2025 alone, putting total market size at close to $280 billion.
In other words, opportunities are ripe for massive business value creation in cybersecurity. We think many unicorns will be built in these spaces, and while we are still in the early innings, there are a few specific areas where we’re looking to make bets (and one big-picture, still-developing area). Specifically, Upfront is actively looking for companies building in:
- Data security and data abstraction.
- Zero-trust, broadly applied.
- Supply chains.
Data security and abstraction
Data is not a new thesis, but I am excited to look at the change in data stacks from an initial cybersecurity lens. What set of opportunities can emerge if we view security at the bottom of the stack — foundational — rather than as an application at the top or to the side?
For example, data is expanding faster than we can secure it. We need to first know where the (structured and unstructured) data is located, what data is being stored, confirm proper security posture and prioritize fixing the most important issues at the right speed.
Doing this at scale requires smart passive mapping, along with heuristics and rules to pull the signal from the noise in an increasingly data-rich (noisy) world. Open Raven, an Upfront portfolio company, is building a solution to discover and protect structured and unstructured data at scale across cloud environments. New large platform companies will be built in the data security space as the point of control moves from the network layer to the data layer.
We believe Open Raven is poised to be a leader in this space and also will power a new generation of “output” or application companies yet to be funded. These companies could be as big as Salesforce or Workday, built with data abstracted and managed differently from the start.
If we look at security data at the point it is created or discovered, new platforms like Open Raven may lead to the emergence of an entirely new ecosystem of apps, ranging from those Open Raven is most likely to build in-house — like compliance workflows — to entirely new companies that rebuild apps we have used since the beginning of time, which includes everything from people management systems to CRMs to product analytics to your marketing attribution tools.
Platforms that lead with a security-first, foundational lens have the potential to power a new generation of applications companies with a laser-focus on the customer engagement layer or the “output” layer, leaving the data cataloging, opinionated data models and data applications to third parties that handle data mapping, security and compliance.
Put simply, if full-stack applications look like layers of the Earth, with UX as the crust, that crust can become better and deeper with foundational horizontal companies underneath meeting all the requirements surrounding personally identifiable information and GDPR, which are foisted upon companies that currently have data everywhere. This can free up time for new application companies to focus their creative talent even more deeply on the human-to-software engagement layer, building superhuman apps for every existing category.
Zero-trust was first coined in 2010, but applications are still being discovered and large businesses are being built around the idea. Zero-trust, for those getting up to speed, is the assumption that anyone accessing your system, devices, etc., is a bad actor.
This could sound paranoid, but think about the last time you visited a Big Tech campus. Could you walk in past reception and security without a guest pass or name badge? Absolutely not. Same with virtual spaces and access. My first in-depth course on zero-trust security was with Fleetsmith. I invested in Fleetsmith in 2017, a young team building software to manage apps, settings and security preferences for organizations powered by Apple devices. Zero-trust in the context of Fleetsmith was about device setup and permissions. Fleetsmith was acquired by Apple in mid-2020.
About the same time as the Fleetsmith acquisition, I met Art Poghosyan and the team at Britive. This team is also deploying zero-trust for dynamic permissioning in the cloud. Britive is being built under the premise of zero-trust Just-in-time (JIT) access, whereby users are granted ephemeral access dynamically rather than the legacy process of “checking out” and “checking in” credentials.
By granting temporary privilege access instead of “always-on” credentials, Britive is able to drastically reduce cyber risks associated with over-privileged accounts, the time to manage privilege access and the workflows to streamline privileged access management across multicloud environments.
What’s next in zero-based trust (ZBT)? We see device and access as the new perimeter, as workers flex devices and locations for their work and have invested around this with Fleetsmith and now Britive. But we still think there is more ground to cover for ZBT to permeate more mundane processes. Passwords are an example of something that is, in theory, zero-trust (you must continually prove who you are). But they are woefully inadequate.
Phishing attacks to steal passwords are the most common path to data breaches. But how do you get users to adopt password managers, password rotation, dual-factor authentication or even passwordless solutions? We want to back simple, elegant solutions to instill ZBT elements into common workflows.
Modern software is assembled using third-party and open-source components. This assembly line of public code packages and third-party APIs is known as a supply chain. Attacks that target this assembly line are referred to as supply chain attacks.
Some supply chain attacks can be mitigated by existing application-security tools like Snyk and other SCA tools for open-source dependencies, such as Bridgecrew to automate security engineering and fix misconfigurations and Veracode for security scanning.
But other vulnerabilities can be extremely challenging to detect. Take the supply chain attack that took center stage — the SolarWinds hack of 2020 — in which a small snippet of code was altered in a SolarWinds update before spreading to 18,000 different companies, all of which relied on SolarWinds software for network monitoring or other services.
How do you protect yourself from malicious code hidden in a version update of a trusted vendor that passed all of your security onboarding? How do you maintain visibility over your entire supply chain? Here we have more questions than answers, but securing supply chains is a space we will continue to explore, and we predict large companies will be built to securely vet, onboard, monitor and offboard third-party vendors, modules, APIs and other dependencies.
If you are building in any of the above spaces, or adjacent spaces, please reach out. We readily acknowledge that the cybersecurity landscape is rapidly changing, and if you agree or disagree with any of the arguments above, I want to hear from you!