Enterprise Cybersecurity Software: A cosmic sea with sporadic stardust
Security has transitioned from a latent requirement to a critical priority for enterprises and organizations over the last decade. Driven by the rise in the use of external software and applications, the increase in data usage at enterprise and mid-market companies, and the digitization of the employee lifecycle, cyber attacks and data theft pose not only a technology risk but also a business risk. Regulatory restrictions and rising awareness among end consumers increase the demand for more effective cybersecurity solutions and products. Startup activity in cybersecurity has increased significantly, with many founders building novel solutions, and enterprise security SaaS has become a key investing theme for investors. This article presents a deeper analysis of the landscape of cybersecurity software products and the rights to win that founders should establish to capture market share.
Cybersecurity Product Landscape
Every internet-based organization has 3 critical cyber assets that it wants to protect. The first is physical assets, including computer hardware and internet infrastructure, which form the backbone of a connected ecosystem of users. The second is user-facing software, which serves as the point of interaction between users and the network. The third is the data stored underneath that software and transferred over the internet.
Security solutions serve a 3-fold goal for organizations: preventing cyber attacks by securing cyber assets, identifying when a cyber attack happens and diagnosing its root cause, and finally resolving any threats once an attack has occurred.
A wide range of products exists across the 3 cyber assets, trying to solve the 3 goals mentioned above. Modern cyber security organizations have shifted focus to building 8 types of products:
- Network Security using Zero Trust and Secure Access methodologies (ZTNA & SASE)
- Identity and Access Management (IAM) solutions
- Governance, Risk, and Compliance (GRC) solutions
- Vulnerability Management Solutions (CVE)
- Cloud Native Application Protection Platforms (CNAPP)
- Security Information and Event Management (SIEM)
- Managed and Extended Detection & Response (MDR & XDR)
- Data Loss Prevention (DLP) platform
Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA)
SASE is a recently emerged, popular cybersecurity solution that has drawn the attention of most large-scale enterprises. SASE combines the practices of Network-as-a-service and Security-as-a-service to enable full remote and effective management of security and functioning of cyber assets. Network-as-a-service focuses on setting up the enterprise network on the cloud, allowing users to virtually access enterprise applications, data, and other resources stored on the cloud, replacing any on-premise network hardware, and solutions like VPNs.
SASE solutions overlay security on top of this cloud-based network by enabling security policies coherent with network policies, automating permissions and access to cloud applications for users in an organization, and providing antivirus and anti-malware solutions for cloud networks. They differ from traditional cybersecurity solutions such as a VPN by having many smaller security enforcement points deployed across multiple locations instead of a single security solution deployed at a centralized location. This leads to lower latencies and smaller delays in data transfers while maintaining security.
Zero Trust Network Access (ZTNA) is a key element of SASE. It focuses on eliminating implicit trust in applications within an enterprise's network: every action that occurs inside the network is verified and checked, employees are granted only the minimum access they require, and the functioning of enterprise applications is constantly monitored. ZTNA has made SASE a highly demanded product among enterprise and mid-market organizations, and most cybersecurity companies now offer SASE/ZTNA.
Identity and Access Management (IAM)
IAM products aim to provide visibility into, and monitoring of, the interactions between users in an organization and its cyber assets, and to identify the vulnerabilities introduced by these interactions. This is done by giving every user in an organization a digital identity, assigning them a role, and assigning each role a level of access that limits the privilege and functionality the user is granted while interacting with cyber assets. Companies approach IAM through various methods, including single sign-on (SSO), two-factor authentication, and most recently, privileged access management. Given the plethora of approaches, IAM serves as a key domain for founders to create differentiated products.
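The identity-role-permission model described above, combined with the ZTNA principle of verifying every action and granting only the minimum required access, is easy to show in code. The following is an added example written for this article; it is not the product of any company named here. The roles, permissions, users and device attributes are constructed for illustration, and the authorizer is deny-by-default: a request is allowed only if the caller has verified MFA, the device passes a posture check, and one of the caller's roles explicitly grants the (resource, action) pair. The audit helper lists grants a user holds but has never exercised, which is the data a least-privilege review starts from.

```python
"""Per-request authorization: RBAC plus zero-trust posture checks (hypothetical example)."""
from dataclasses import dataclass

# Constructed role definitions. Each role carries only what that job needs.
ROLE_PERMISSIONS = {
    "engineer": {("source-repo", "read"), ("source-repo", "write"), ("ci", "run")},
    "analyst": {("source-repo", "read"), ("billing-db", "read")},
    "admin": {("iam", "assign-role"), ("iam", "revoke-role")},
}


@dataclass
class Identity:
    user: str
    roles: set
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool


@dataclass
class Request:
    identity: Identity
    device: Device
    resource: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reason: str


def permissions_for(roles):
    """Union of the (resource, action) pairs granted by a set of roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(req: Request) -> Decision:
    """Evaluate one request. Nothing is trusted from earlier requests; every
    check is repeated, and anything not explicitly granted is denied."""
    if not req.identity.mfa_verified:
        return Decision(False, "mfa required")
    if not (req.device.managed and req.device.disk_encrypted):
        return Decision(False, "device posture failed")
    if (req.resource, req.action) in permissions_for(req.identity.roles):
        return Decision(True, "granted by role")
    return Decision(False, "no matching permission")  # default deny


def audit_unused_grants(user_roles, access_log):
    """Least-privilege review: return (user, resource, action) grants that the
    user holds but never exercised in access_log, the candidates for removal.
    user_roles: {user: set(roles)}; access_log: iterable of (user, resource, action)."""
    used = set(access_log)
    unused = set()
    for user, roles in user_roles.items():
        for resource, action in permissions_for(roles):
            if (user, resource, action) not in used:
                unused.add((user, resource, action))
    return unused


if __name__ == "__main__":
    alice = Identity("alice", {"engineer"}, mfa_verified=True)
    laptop = Device("lt-0001", managed=True, disk_encrypted=True)
    print(authorize(Request(alice, laptop, "source-repo", "write")))
    print(authorize(Request(alice, laptop, "billing-db", "read")))
    print(audit_unused_grants({"alice": {"engineer"}},
                              [("alice", "source-repo", "read")]))
```

The two pieces belong together: the authorizer enforces the role model at request time, and the audit feeds back into the role definitions so that the granted set stays close to the used set.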
Governance, Risk, and Compliance (GRC)
GRC involves tools that enable an organization to adapt its tech stack to changes in regulations and technology. The key aim of these tools is to identify potential cyber risks that may not comply with existing regulations, and to frame governance policies that mitigate those risks. The outcome is that the organization becomes compliance-ready and obtains compliance certifications such as ISO 27001, SOC 2, etc., allowing it to claim that the SaaS product it offers is safe to use.
Common Vulnerabilities and Exposures (CVE) Management
CVE management involves discovering known vulnerabilities in the applications an organization uses and patching them to ensure protection against cyber attacks. The key aim here is to reduce the probability of a successful attack by identifying open vulnerabilities and fixing them. CVE systems are one of the most common and longest-standing offerings of cybersecurity companies, with limited potential for new players in this space to create a differentiated product.
Cloud Native Application Protection Platforms (CNAPP)
CNAPPs are tools aimed at identifying risks and cyber attacks in organizations' cloud workloads and mitigating the threats faced by cloud applications during an attack. These risks include unpatched software versions, unregulated privileges, etc. Over time, CNAPP has become an indispensable security solution that is put in place before cloud deployment, making it essential for DevOps teams and Integrated Development Environments (IDEs).
CNAPPs have 3 components. The first is Cloud Security Posture Management (CSPM), which helps visualize the health of a cloud. The second is Cloud Security Network Service (CSNS), which provides network security solutions like firewalls and antivirus. The last is the Cloud Workload Protection Platform (CWPP), which lets developers apply security controls across the different stages of an application's development.
CNAPPs along with SASE are the most popular cybersecurity solutions, together offering complete protection of network and software-based cyber assets.
Security Information and Event Management (SIEM)
The third most common type of product, SIEM offers tools that identify and mitigate cyber threats using data. SIEM solutions aggregate and harmonize log data to identify threats. They are more evolved than basic log management solutions, with advanced features such as event correlation, which maps discrepancies in logs to events that happened within a network, and real-time incident monitoring and security alerts, which forewarn an organization's IT team in case of a cyber attack.
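Event correlation is the feature that separates a SIEM from plain log storage, and it is worth seeing concretely. The example below is added for this article and is not code from any SIEM vendor. The log lines are constructed samples from two different sources (a VPN authentication log and a file server access log); the code normalizes both onto one event schema, then runs two correlation rules over the events in time order: several failed logins from one source address followed by a success within a short window raises a medium alert, and access to a sensitive path by that user shortly afterwards escalates it to high. The thresholds, windows, path prefixes and field names are all assumptions chosen for the illustration.

```python
"""Log normalization and two-rule event correlation over constructed sample logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system). Two sources, two formats.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z vpn auth user=alice src=203.0.113.5 result=FAIL",
    "2024-05-01T10:00:07Z vpn auth user=alice src=203.0.113.5 result=FAIL",
    "2024-05-01T10:00:12Z vpn auth user=alice src=203.0.113.5 result=FAIL",
    "2024-05-01T10:00:20Z vpn auth user=alice src=203.0.113.5 result=SUCCESS",
    "2024-05-01T10:00:45Z fileserver access user=alice path=/finance/payroll.xlsx",
    "2024-05-01T10:30:00Z vpn auth user=bob src=198.51.100.9 result=FAIL",
    "2024-05-01T10:31:00Z vpn auth user=bob src=198.51.100.9 result=SUCCESS",
]

VPN_RE = re.compile(r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")
FS_RE = re.compile(r"^(?P<ts>\S+) fileserver access user=(?P<user>\S+) path=(?P<path>\S+)$")

# Rule parameters (assumed values for the example).
FAIL_THRESHOLD = 3                    # failures from one source before a success is suspicious
FAIL_WINDOW = timedelta(seconds=120)  # failures older than this no longer count
ACCESS_WINDOW = timedelta(minutes=5)  # sensitive access this soon after a suspicious login escalates
SENSITIVE_PREFIXES = ("/finance/", "/hr/")


def parse_ts(text):
    # fromisoformat() accepts "+00:00" on every supported Python version; "Z" only on newer ones.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def normalize(line):
    """Map a raw line from either source onto one event dict, or None if unparseable."""
    m = VPN_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "source": "vpn", "user": m["user"], "src": m["src"],
                "type": "auth_success" if m["result"] == "SUCCESS" else "auth_fail"}
    m = FS_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "source": "fileserver", "user": m["user"],
                "path": m["path"], "type": "file_access"}
    return None


def correlate(lines):
    """Process events in time order and return the alerts the rules produce."""
    events = sorted(filter(None, map(normalize, lines)), key=lambda e: e["ts"])
    recent_fails = defaultdict(deque)  # src -> timestamps of failures inside FAIL_WINDOW
    suspicious_logins = {}             # user -> time of the success that followed the failures
    alerts = []
    for e in events:
        if e["type"] in ("auth_fail", "auth_success"):
            q = recent_fails[e["src"]]
            while q and e["ts"] - q[0] > FAIL_WINDOW:   # expire old failures
                q.popleft()
            if e["type"] == "auth_fail":
                q.append(e["ts"])
            else:
                if len(q) >= FAIL_THRESHOLD:
                    alerts.append({"rule": "brute_force_success", "severity": "medium",
                                   "user": e["user"], "src": e["src"], "ts": e["ts"]})
                    suspicious_logins[e["user"]] = e["ts"]
                q.clear()  # a success resets the failure streak for that source
        elif e["type"] == "file_access":
            t0 = suspicious_logins.get(e["user"])
            if (t0 is not None and e["ts"] - t0 <= ACCESS_WINDOW
                    and e["path"].startswith(SENSITIVE_PREFIXES)):
                alerts.append({"rule": "sensitive_access_after_suspicious_login", "severity": "high",
                               "user": e["user"], "path": e["path"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert["ts"].isoformat(), alert["severity"], alert["rule"], alert["user"])
```

Running it over the sample produces two alerts for alice (the brute-force pattern and the follow-on finance file access) and none for bob, whose single failure stays under the threshold. The second rule only fires because the first one left state behind; that cross-source, stateful matching is what "event correlation" means in practice.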
Managed Detection & Response (MDR) and Extended Detection & Response (XDR)
Detection and response solutions offer visibility into the enormous amount of security data generated by software, by providing a single dashboard to simplify and extract insights from the data. MDR solutions do so with the help of external SOC agents whereas XDR solutions do so with the help of automated dashboards which can be directly interpreted by in-house SOC teams. Both SIEM and XDR solutions are gaining popularity, due to the increase in data consumption and generation by software.
Data Loss Prevention (DLP) Platforms
DLP platforms aim to prevent sensitive data generated by organizations from leaking out of the organization into the hands of unauthorized personnel. This is the newest trend in data security, with solutions being developed for the various states of data: in use, at rest, and in motion. DLP has become a critical requirement for finance, healthcare, and retail organizations, where the sensitivity of data is high.
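A data-in-motion DLP check is a policy applied to content as it leaves the organization. The example below is added for this article and is not code from any DLP vendor. It scans an outbound message for payment card numbers, using a Luhn checksum to discard digit strings that merely look like card numbers (a common false-positive source in naive DLP rules), and then applies a constructed policy: messages to internal recipients pass, external messages carrying card data are blocked, and the finding is reported in redacted form so the alert itself does not re-leak the data. The internal domain, message samples and policy are assumptions for the illustration.

```python
"""Outbound content scan for card numbers with Luhn validation and a redacting policy (hypothetical)."""
import re

# 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
INTERNAL_DOMAIN = "example.com"  # assumed; recipients here are treated as inside the organization


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return the raw matches that survive the checksum test."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(m.group())
    return found


def redact(raw: str) -> str:
    """Keep only the last four digits so the alert is safe to log."""
    digits = re.sub(r"[ -]", "", raw)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_outbound(body: str, recipient: str):
    """Decide whether a message may leave. Returns an action plus redacted findings."""
    findings = [redact(x) for x in find_card_numbers(body)]
    internal = recipient.lower().endswith("@" + INTERNAL_DOMAIN)
    if findings and not internal:
        return {"action": "block", "reason": "card data to external recipient", "findings": findings}
    if findings:
        return {"action": "allow", "reason": "internal recipient", "findings": findings}
    return {"action": "allow", "reason": "no sensitive data found", "findings": []}


if __name__ == "__main__":
    # Constructed messages. 4111 1111 1111 1111 is a well-known test number that passes Luhn;
    # the order reference below is 13 digits but fails the checksum and must not be flagged.
    msg = "Card 4111 1111 1111 1111, ref ORDER-1234567890123, call 555-0100."
    print(scan_outbound(msg, "partner@example.net"))
    print(scan_outbound(msg, "finance@example.com"))
```

The checksum step is the part worth copying: without it the order reference in the sample would be flagged too, and a DLP rule that blocks on every long digit string is one that users quickly learn to route around.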
Key User Personas
Security is a priority for different roles within an organization. Below is a summary of how different user personas seek and perceive different products.
Cybersecurity is a priority in some verticals and a latent requirement in others. These verticals include banking & financial services, information technology, manufacturing, healthcare, retail, government, telecommunications, media and entertainment, energy and utilities, and defense.
The total addressable market (TAM) for enterprise cybersecurity software is defined as the total expenditure on cybersecurity by organizations across the priority verticals. A top-down estimate reveals the TAM to be ~USD 350B, presenting an enormous and growing opportunity for businesses.
The market is very fragmented with a significant portion of cybersecurity expenditure being spent on building products in-house or hiring external consultants. The revenues of the top 8 cybersecurity companies take up a fraction of the share of the global spending on cybersecurity. With a large and fragmented market, cybersecurity seems to be a hot spot for founders to start up and build solutions.
However, given that cybersecurity is a domain of a single goal with multiple approaches, it is very difficult for newer companies to establish a moat or right to win in this market.
Key Differentiators in Cybersecurity
Cybersecurity companies have established 4 ways of differentiating from the market standard. A deep dive into each would help us understand which one will be the best way to establish a moat going forward.
Variety of products
Legacy cyber security companies started by building a few products, establishing an initial enterprise client base, adding newer products to their offering, and selling them to that client base to increase Average Contract Value (ACV). A full-stack solution creates stickiness because the organization's focus moves away from security to other revenue-generating activities. The majority of startups in this space have followed this approach, which has enabled them to scale and significantly increase switching costs for clients. Examples include Palo Alto Networks and Fortinet. A few scaled companies like Akamai have increased their ACV by adding cybersecurity to their existing set of synergistic offerings like content delivery and cloud operations. Given that most of these companies have reached the full-stack mark, it is difficult for newer startups to build this variety and scale.
In certain use cases, a technical moat can be established by using newer and more secure technology. For example, with the increasing popularity of blockchain, decentralized networks help create a trustless ecosystem supporting the zero trust ideology.
Distribution and domain expertise
The other most common method of scaling involves creating case studies in specific domains, establishing domain expertise, and winning more clients in that domain. Leidos is a full-stack engineering platform having expertise across specific domains such as defense. Leidos works with defense companies and government organizations to secure their cyber assets. Most horizontal solutions have developed in-depth security solutions for critical verticals such as fintech, healthcare, and retail, leaving limited room for newer startups to scale by this method.
Ease of use
Given the technical nature of cybersecurity products, they are difficult for untrained personnel to understand and use. Products and tools that are easy to use, deploy and understand provide a significant opportunity for startups to create a large play. The most prominent example of this moat is Okta. Okta focused on one category — identity and access management (IAM) — and built the easiest products to use in it. This helped it achieve widespread adoption in the category. Similar arguments can be made for Drata and Vanta in GRC, where they increase their ACV by providing the best user experience through automation of compliance for SOC 2, ISO 27001, HIPAA, etc.
Another thing that worked well for Okta is the number of integrations it had with SaaS applications. Enabling organizations to instantly deploy security on top of commonly used enterprise applications improves user experience and creates a hook for customer acquisition. With an increasing number of SaaS applications in use, integrations could become a synergistic acquisition hook for newer companies.
Cybersecurity is a large market in which many different players can coexist. That being said, founders should demonstrate a clear right to win in order to capture market share in this space. Legacy players have developed a foothold on the market through the breadth and variety of the products they offer and the relationships they have built with enterprises. Founders building in this space may differentiate themselves with a product that has a good user experience and integrations with common workflows, offers a strong delta for organizations, and is focused on a particular product category. As an early-stage investor, I'm excited to partner with startups building in this space. Founders can reach out at firstname.lastname@example.org.