Making Sense of the Boom: Menlo’s Cyber Security Checklist

Venky Ganesan, follow me @venkyganesan

The global cybersecurity market is booming. Against a backdrop of uncertainty, it’s displayed resilience and has largely been insulated from the volatility of markets. Despite an expected slowdown in overall IT spending, cybersecurity remains one of the few bright spots in the IT budget. Gartner predicts that the cyber market, which continues to grow 8–12% YoY, will reach $170B by 2022 — a 48X growth since 2004. Cybersecurity companies in turn are capitalizing on the increased market demand. In the past 24 months, CrowdStrike, Sumo Logic, and Cloudflare, to name a few, have all gone public and performed well.

So, what will drive ’s driveing this interest and unprecedented growth in cybersecurity in 2021 and beyond? I put it down to a combination of new compliance and regulation, increased cloud adoption as well as a threat landscape that’s in constant evolution. It seems not a day goes past without a new cybersecurity law being enacted or a novel strain of malware detected in corporate networks. The pandemic has also played a part with the shift to digital but the reality is many companies were already on their way. It accelerated digitization and with that came an increased attack surface which organizations are now scrambling to protect.

In my 20+ years in the industry, I have observed the cybersecurity market reach a point of saturation with new solutions emerging daily to fight growing threats. Just look at any market map. Conventional wisdom in the industry used to be that all gains would go to the number one player and the rest would compete for scraps. However, in recent years we’ve seen that certain categories can support multiple players. Case in point; Tenable, Rapid7 and Qualys have all staked their claim to the vulnerability management market but the space is big enough for all of them to play a role.

The cybersecurity market is more boom than bust and we’ve created a checklist that has guided our investments in companies such as Abnormal Security, Appdome, Bitsight, Dedrone, Signifyd, Sonrai Security and StackRox.

• Founder DNA — If you can combine founder experience with in-depth sector knowledge then you are onto something. We’ve found that successful security companies tend to be led by serial entrepreneurs who are making a second go or even a third as is the case with Abnormal Security. Co-founder and CEO, Evan Reiser, co-founded Bloomspot (acquired by JP Morgan Chase, and AdStack (acquired by TellApart). Or Brendan Hannigan and Sandy Bird who co-founded Q1 Labs (acquired by IBM) and then went onto build Sonrai Security.
• Focus on applications and data — If the past was focused on networks and devices, the present is all about users. Future security companies will be built around identity, applications and data.
• GTM targets the Global 2000 — If you want to achieve meaningful scale and generate significant value then you need to be targeting the Global 2000. G2000 companies account for more than 50% of the total security spend, selling only to SMBs won’t cut the mustard.
• “Multi-cloud-native” DNA — Companies must stop paying lip service to “cloud-native” and make it a core design principle. Successful security products will be designed for the cloud and support multi-cloud. We’ve pegged cloud security as the next big category and recently welcomed Sonrai Security to our portfolio.
• Key DevOps features that marry security functionality ­– DevOps and security teams are starting to coalesce. UI, ease-of-use, and graceful degradation will become important purchasing factors because DevOps teams will need to maintain products that touch the application and data. This has cleared a path for the rise of “DevSecOps”. Companies like StackRox are enabling security and DevOps teams to operationalize security and compliance policies across the entire container life cycle.

These are the defining attributes which we look for in a security investment. We are actively investing in cybersecurity. If you’re building a company that ticks any of these boxes then we’d love to hear from you.