Cybersecurity Market. PHOTO: Cybercrime Magazine.

May 2023 Cybersecurity Business Report

Acquisitions, venture capital, and AI paint a picture of the market

David Braue

Melbourne, Australia – May 19, 2023

Having apparently reached peak product, cybersecurity vendors have been working hard to consolidate service offerings and differentiate from competitors, diversifying their services offerings and pushing hard to offer standout AI capabilities — but could the market be growing too quickly for enterprise budgets to keep up?

Growth across the industry continued unabated through May, with the ongoing rise of OpenAI’s ChatGPT and innumerable generative AI startups reverberating across the cybersecurity sector as key players overhaul their security tools with the technology.

Surging interest in AI has focused the efforts of software developers and innovators, which in turn has driven venture capital interest in the sector. And while the number of new unicorns being generated every month has dropped dramatically from its 2021 peak, April nonetheless saw six new unicorns — including AI-adjacent firms CoreWeave, Quantexa, and code-writing firm Replit.

With money pouring into the field, startups are achieving unicorn status in record time, Global Data recently noted, with generative AI firms like Anthropic, Adept AI, Character AI, and Glean all riding massive interest in the technology to reach unicorn status in less than three years.

Chipmaker nVidia was also enjoying the fruits of the generative AI revolution, with its valuation briefly topping $1 trillion in late May as investors jumped on the coattails of the company, which makes specialized processors necessary to run the data centers that run the massive AI engines.

Cybercrime Radio: The cybersecurity market in focus

Latest venture capital deal flow

Recognizing the growing tumult over AI, analysts have waxed lyrical about its possibilities and risks — with Gartner recently noting that AI tools threaten corporate security and governance in areas such as data privacy, copyright, malicious code development, automated red teaming, deepfakes, and outright falsehoods as existing LLMs “hallucinate” facts that may or may not actually be true.

Suggesting that ChatGPT security is set to become yet another AI-related growth market, Gartner recommends that organizations “monitor unsanctioned uses of ChatGPT and similar solutions with existing security controls and dashboards to catch policy violations…. Steps should be taken to protect internal and other sensitive data used to engineer prompts on third-party infrastructure.”

AI prompts should be curated and stored as “immutable assets,” Gartner advises in recommending that enterprises formulate formal AI trust, risk and security management (AI TRiSM) policies to make the technology safe — a concern shared by no less than OpenAI CEO Sam Altman, who fronted Congress to plead for better regulation of the monster that his venture has created.

Security providers were unfazed, integrating generative AI into security and other products as quickly as developers can get their heads around the platform’s capabilities.

Microsoft’s Security Copilot, for one, leveraged the fruits of that company’s $10 billion investment in GPT-4 and ChatGPT developer OpenAI — segueing into what the company has called “the new era of security,” in which a security-specific large language model (LLM) will be trained on Microsoft’s global threat intelligence holdings and more than 65 trillion security alerts per day.

Yet for all its promise, even Microsoft admits that “Security Copilot doesn’t always get everything right.” That’s unlikely to be reassuring for CISOs hoping that AI will give them a leg up in fighting off ever more-empowered cybercriminals.

Indeed, as counterpoint to enthusiasm about the accessibility of AI-as-a-service (AIaaS) — exemplified by ChatGPT — ExtraHop added new features that let security administrators monitor employees’ use of the tool and gauge whether they are risking a privacy or regulatory breach by sharing confidential company data with the model.

“Customers have expressed a real concern about employees sending proprietary data and other sensitive information into AI services,” said ExtraHop CEO Patrick Dennis, “and until today, there has been no good way to assess the scope of this problem.”

The AI problem has continued to grow as ChatGPT’s adeptness at manipulating words creates new security headaches — and empowers cybercriminals to act at large scale more easily. This includes automatically crafting increasingly convincing scams and phishing emails — a problem that is already, according to new research, driving a spike in the volume of phishing emails.

AI-based tools like ChatGPT and phishing kits helped drive global volumes of phishing attacks up by nearly 50 percent during 2022, the report found, with Zscaler global CISO and head of security Deepen Desai warning that threat actors are using the tools “to launch highly effective e-mail, SMiShing, and Vishing campaigns at scale…. Adversary-in-the-Middle attacks supported by growth in Phishing-as-a-Service have allowed attackers to bypass traditional security models, including multi-factor authentication.”

Industry consolidation

Consolidation was rife during May, with 36 cybersecurity acquisitions announced in May on top of the 41 deals already announced in March and 38 in April.

And while CISOs have long expressed their frustration with having to coordinate large numbers of point security products, many of the recent deals revolved around consolidation of service capabilities — reflecting the growing New Normal in which service providers are increasingly called upon to offer core security capabilities that end-user organizations simply can’t find enough qualified staff to deliver.

Acquisition-hungry reseller Daisy, for one, expanded its cybersecurity service offerings with the acquisition of cybersecurity firm ECSC, which brings a host of capabilities including managed security services, incident response, testing, PCI DSS, ISO and consultancy skills. The deal, which will fold ECSC into Daisy’s Cyber & Operational Resilience Division, offers the “very real prospect that ECSC can become the UK’s leading cyber security organization,” ECSC CEO Matthew Briggs said as the acquisition was announced.

Also expanding its services capabilities was Ultimaco, a security solutions provider that bought longtime channel partner conpal — whose capabilities, including the LAN Crypt Cloud system for regulation-compliant secure document handling, will underpin Ultimaco’s evolving service strategy.

Other recent deals — including Trace3’s acquisition of cybersecurity consulting and procurement solutions provider Set Solutions, ZeroFox’s acquisition of threat intelligence and attack surface management firm LookingGlass Cyber Solutions, and European cybersecurity firm Allurity’s purchase of cybersecurity service providers including Portuguese firm CloudComputing and Swiss company Securix — reflect continuing industry consolidation that confirms the sector continues to be reshaped by the forces of consolidation.

Ditto the merger of four existing cybersecurity firms — Metmox, Mosaic451, Stage 2 Security, and W@tchTower — spawned a new industry player called UltraViolet Cyber, which enters a managed security operations market with a unified range of managed detection and response, vulnerability management, penetration testing, and red teaming capabilities that will, CEO George McKenzie said, provide a “radically new approach that unifies those solutions — creating a one-stop unified security operations offering.”

“Our focus is reducing demonstrable risk and enabling companies to focus on their core business.”

Pushing the technology envelope

Yet for all the service-focused acquisitions, there were, as always, technology-driven deals such as Akamai’s purchase of API security firm Neosec — whose suite of security solutions provides what co-founder and CEO Giora Engel calls “complete visibility into all API activity and the use of behavioral analytics [that will give] Akamai customers… a better view into all their API activity, to identify vulnerabilities and threats before they are exposed, and detect attacks in real time.”

NetApp was also floating innovative new services, with the formal launch of a Ransomware Recovery Guarantee that uses ONTAP write once, read many (WORM) technology to protect data to the point that NetApp will compensate customers that can’t recover their backups after an attack.

Meanwhile, conventional cybersecurity firms continue to deal with changing market conditions as the market realigns itself. Despite securing a $100m funding round, for example, security standout Cybereason saw its valuation drop to $350 million — a dramatic fall from its July 2021 valuation of $3.2 billion.

That funding round was led by SoftBank, which some observers have said risks missing out on the AI wave after its Vision Funds were flagged as VC laggards that had already failed to capitalize on the first wave of generative AI investments.

It’s part of an overall trend that PitchBook has called “a grueling reset” as higher inflation, higher interest rates, and tight labor markets drive many valuations downwards — yet AI startups like Anyword, Deepscribe, Infinitus, BrainBox AI and many more are all integrating the technology at their core.

Managing this integration will be crucial for enterprises as the year brings more enthusiasm and adoption of security and other AI-related use cases — but enterprise adoption will, a recent Pitchbook analysis warned, be pegged to the speed at which security innovators can identify, address, and resolve the many risks that AI introduces.

AI LLMs “could have broad implications for many operational functions including customer support, analytics, research & development, and software engineering,” the firm notes, “potentially driving a step-function lift in productivity and efficiency in ways that could transform organizational structure.”

Securing that lift will be a key focus area for innovative security firms and established players alike this year — creating opportunities for cybersecurity startups that find the right balance between AI sophistication and cybersecurity relevance.

“While nimble startups may be well positioned to adopt and integrate LLM technology into existing processes and workflows,” PitchBook head of emerging technology research Paul Condra predicts, “larger enterprises are likely to move more slowly as they evaluate an emerging set of risks and implications related to privacy, intellectual property rights, security and data quality, the growing costs of running AI infrastructure, and the emerging regulatory landscape.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.