The security industry has used biological models as an analogy for what is happening on networks and in computers for decades, which is why we have the notion of a computer virus to begin with. It is ironic then, that the security industry is being dramatically affected by a real, biological virus and that what is happening in the world of biology is affecting cyber conflict and cyber markets. It’s important to realize there is, however, a massive degree of general market uncertainty at the moment as we all shelter in place and practice social distancing and sometimes more extreme forms of quarantine.
Q4 2019 hedge fund letters, conferences and more
Risks to the Cyber Security Industry
From a run on toilet paper to market instability, risk is soaring and many companies are responding by shrinking from investments, preserving capital and hibernating. The big question before us all is: what will be the ultimate fate of the economy? Examining that first leads to a better understanding of the likely evolution short, medium and long term for the cyber security industry.
The cyber security industry is not all the same. It has several different submarkets, it has its blue chip brands (many of which were struggling before the current situation) and it has its new vulnerable startups and disruptors. In the short term, while the novel coronavirus is assured to be running amok, the companies that will do well are those that have solutions that minimize disruption and help protect customers who now are radically expelled from the reassuring perimeters on networks tied very physically to their corporate offices. Keep in mind that many customers will be slapping constraints to control the outflow of money; but they will still spend for things that will help them stave off existential crisis and keep critical services running, especially around remote work. Cybersecurity can fall into that category.
The Existential Threats Of Suddenly Being Remote
Whether or not a cyber company is classified as critical depends almost wholly on their offering. If a cyber company is asking for heavy lifting from companies to rip-and-replace things that don’t deal with the existential threats of suddenly being remote, or those that might increase help desk tickets, or confuse users, it’s quite plausible that they will end up in hibernation. If, however, a company can help with things like awareness, strong authentication, protecting layer 8, detecting the start of those kill chains, stabilizing remote access and so on, they can potentially do well; but they still need to watch their own P&Ls since the free flow of cash is still going to be slow.
In the next phase, cyber companies will begin to wither just like any others if the macro crisis isn’t resolved. No one is immune, and the free flow of capital is essential to all members of the economic ecosystem. Like a land turned suddenly arid due to environmental change, when there’s no more water, there is a die-off that is merciless and relatively quick.
Cyber Security Industry: A New Economy Will Emerge
However, in this phase, a new economy will be emerging. Whether or not a recession is under way in the classic sense of a quarter of negative growth, some companies will be spending; and those who reach equilibrium will start to consider more complex security solutions. The cyber companies that weather the first phase and reduce real risks and the emergent threats that will come from the adversary’s R&D and adaptation, will find the start of new opportunities. To be clear, this will not be a boom or a new heyday for cyber but rather that it will start to become evident who has money and who doesn’t, who has new risks beyond existential connectivity and continuity.
In the final phase, looking six months and beyond, we have two possible outcomes. We all hope for the first where we exit quarantine and beat COVID-19 and fight to rebuild the economy, probably with a completed election in the United States and hopefully a return to a global world order. In this world, we see hope for inoculation in the future against future coronavirii, and the cyber sector recovers quickly in a narrowed field having seen some companies fail. It will be a while until things boom, but acquisitions and mergers become likely and a new crop of solutions will emerge even as many old names die because they have gone into bankruptcy or simple stagnation.
In the second scenario, we still fight the virus and as with any devastating economic “extinction event,” new life emerges and adapts in a less rich and booming world for a while. Here is where we learn to live with coronavirus and find a hoped-for stasis and a slow path to recovery, which is not a new spring for the cyber security industry. No one wants to consider a third scenario where no one does well, and things become completely unpredictable.
Conclusion
In the end, there is no one outside the realities of the macro economic conditions and there is very little certainty in future performance of companies, cyber or otherwise. Our values are being tested and our species is at war with a tiny-in-some-ways but huge-in-other-ways threat. How businesses behave now will tell the world a lot about what a company stands for with employees, customers and community. We need to remember that we must all try to help ourselves as our corporate culture is tested: that means we must tighten our spending as humanely as possible; And we must try to help where possible and do no harm in anything we seek to protect; we must seek to be relevant; and we must be ambulance drivers, not ambulance chasers as we heal ourselves and our economy.
About the Author
Sam Curry is chief security officer at Cybereason, a Boston-based cybersecurity firm backed by SoftBank, Lockheed Martin, CRV and Spark Capital.
