A Security Tools Crash Is Coming

A week ago I published a short form post on Linkedin about the sheer number of security companies, the corresponding number of security tools and how the economic climate is going to create a train crash. This is the long form version of that post, cross posted to my Linkedin page for comments. 

The great security startup crash is inevitable. It will be painful for many, including myself as it may affect my previous startup. I am far from alone and there are of course opportunities in what's to come for us all if you can read the tea leaves. In downtimes some of the most iconic companies have been born, because they are forced to focus on fundamentals, building a real business, solving “gunshot to the chest” problems and being capital efficient while they are doing it. It’s back to basics and no more funny money. 

To get it out of the way upfront, you may accuse this post of being self-serving. It’s true that one of the things we are thinking about solving at Crash Override is determining what tools are actually providing value and which ones can you switch off, but we are looking at this as a result of actively listening to the market. Tool reduction may or may not be core to our product and we have nothing to sell. We are simply looking at the problem, hence the opinion in this article.

To take a step back there are four conditions colliding. 

1. Security teams want less and not more tools

2. There are way more vendors than the size of the market can support

3. The venture market has changed and many startups will run out of cash in 2023

4. The global economic climate means security budgets are being frozen and in many cases declining

Security teams want less tools

There is no doubt that the technology landscape is evolving fast and we all have to change the way we do security to adapt. Tools need to change to support that. Change is happening fast. It’s worth remembering AWS was first launched in 2006, but we are now firmly living in a cloud native world and never going back. We are already on the second generation of CSPM (cloud security posture management) tools, I am told the first generation like PANW Prisma did not age well, and the second generation companies like Wiz.io are taking off like wildfire. It’s rip and replace. 

When we look at the diversity of technology there is a veritable buffet of things to now secure. Cloud configurations, containers, data lakes, CI/CD pipelines, mobile apps, open source and third party code, frameworks and SDK’s, smart contracts, micro-services, API’s and the list goes on. We are no longer securing an executable that gets deployed to a runtime.  

Each of these technologies has spawned new security categories, new security companies and new security tools. CSPM, container scanners, data classification, supply chain, SCA, IAST, DAST, API gateways and the list goes on. 

If you have ever built a piece of software, then you will appreciate that it's very hard. Features are easy to dream up, easy to talk about and always hard to implement. Edge cases are not really edge cases, they are typically the norm, just not the idealized happy path you wanted people to go down. You scan a terraform template and its not valid terraform. You use the AWS API to list the resources in your AWS account and realize the api doesn’t return consistent results (that happened to us at Open Raven). It’s scar tissue you need to build up as a startup. 

The result is that early categories of tools solving emerging problems will always have quality issues and high false positive rates, and to make the problem worse the flexibility and extensibility that this emergent technology brings means that it is a lot harder than ever. AWS IAM is almost a language in itself for instance and Terraform is indeed a DSL or a domain specific language. We have seen specialist tools like IaCS emerge but many of these specialist tools are really just features. Take SCA as an example, at its core it’s really just static analysis of code. SCA is SAST of third party modules and IaCS is SAST of cloud configuration code. 

BridgeCrew (IaCS) was recently bought by PANW who are clearly building a mega platform. Last week they acquired Cider, an ASPM or Application Security Posture Manager. Snyk bought a CSPM to come at it the opposite way around. 

What we have is a legitimate situation where the surface area that we need to secure has bloomed, the amount of tools to secure has bloomed and those first solutions to those new problems will always be noisy. That’s life, I am just spitting facts as they say. 

Now consider the vendor side of that coin. Good product managers know that unless their tools demonstrate value they will not be purchased after trials or renewed when subscription terms end. This means that as a vendor you have to show people that your tools can find “stuff” that people may find valuable enough to pay you, and you have to do it fast while you have their attention span. This means that during the subscription period you must continue to demonstrate value and be constantly visible. 

The result is alerts and issues firing off all over the place. It’s like Guy Fawkes night in Lewes near my home town, Brighton. Loads of drunk people with fireworks burning effigies of Donald Trump and Boris Johnson. It’s total carnage. 

Now let's consider the practitioners side of that same coin. The backdrop is that the industry can’t hire enough talent to manage the noise coming out of the tools. Even if the industry did want to do this, it simply doesn’t scale. I know one security team that hired three people to chase down alerts from a CASB about open S3 buckets. Those buckets almost always contained nothing of value and were usually empty. I know another security team that recently showed us their Wiz instance and it had 884 alerts for Log4J issues. Despite the potential for that vulnerability to do serious damage, they just ignored it. They decided that the alerts were more expensive to triage than the potential risk to the business.

There are way more vendors than the size of the market can support

A few weeks ago, John Viega and I sat in the Lower Manhattan office of Ed Ammoroso. If you don’t know Ed, he was one of the old guard CSOs, probably best known as the CSO of ATT. These days Ed runs an analyst firm called Tag Cyber. He is one of the most connected people in the security industry, has had his ear to the ground for decades, and has an unparalleled track record of being able to spot trends in the market. 

John and I were sharing the findings of the 70 plus recent interviews that we did with CSOs and appsec leaders, who had told us they were overwhelmed with data coming from their tools, and couldn't make head nor tail of what was real or what was valuable. We wanted Eds opinion on a thesis that we now have, about the problems we are thinking about solving.

In conversation Ed told us that his team now knows about 4,300 cyber security companies, and assumes that there are probably 500 more that they can’t find, therefore estimate a grand total around 5,000 security companies. That's at least 5,000 tools and 5,000 marketing teams pushing narratives (word chosen carefully as a narrative is a story) about why their company is credible and why their tools are needed. 

The amount of companies and tools can in no shape or form be sustained by the security market, no matter how many billions it is worth and no matter what CAGR it is growing at. For example, I am told that in the API security market there was around $20M of ARR spent over the past 12 months with the two major players taking the vast majority of it between them. What that tells me is that API security is not a priority and there is not a large market, yet last year alone over $200M of new venture funding poured into that market segment. The same is happening with many categories and if you don’t believe me, sign up for the excellent daily Term Sheet newsletter that follows venture financing. You can raise your eyebrows every morning over your cup of tea.

The venture market has changed and many startups will run out of cash in 2023

When the pandemic came in 2020 everyone panicked.  No one knew if it was going to be a global economic crash. News outlets talked about a new great depression and a world order collapse. It was doom and gloom. The good news for security startups was that money from venture investors was being poured into the sector at unprecedented rates, and valuations were sky high. Most boards advised their companies to go out and raise a war chest, and most startups did just that.  

The reality was that the pandemic didn’t affect the security industry anything like was predicted and so those startups that raised two years of financing, are only now facing down zero cash day and getting ready to raise new finance in 2023. But there is a storm that is gathering force. 

I have always questioned the accuracy of research reports, having been the subject of a few that were factually incorrect, but I think, unless click bait, they are usually directionally correct. The DataTribe Insights - Q3 2022: Brakes are Smoking… Headin’ for the Runaway Ramp report about security funding makes for sober reading.

Cybersecurity seed deal volume fell in the quarter by 19.5% year-over-year, with 41 deals in the second quarter of 2021. Cybersecurity Series A deals plunged 43%, with 12 deals in the quarter. As a percentage of overall deals, cybersecurity seed deals were down but still in line with historical averages of 3%, while Series A deals have fallen from a peak of 8% in the second quarter of 2020.

Valuations on seed deals have also declined, down to 33% from the first quarter but still 50% higher than the second quarter of 2021. Cybersecurity Series A rounds saw a 10% drop in median valuation from $45 million to $40 million, though that was 23% higher than a year ago.

The global economic climate means that security budgets are being frozen and in many cases declining

Last week I had dinner with a CSO who is a long term friend. He's been the CSO of a number of Fortune 500 companies and has a deep peer group. In his circle, almost without fail, budgets are being frozen or reduced. In many cases I am told reductions will mean natural attrition is not being replaced and in almost all cases tools budgets are being evaluated at best. It's happening everywhere. Microsoft laid off 1% of its global workforce and removed job postings for open positions in Azure. Azure is doing very well as their earnings show. 

“This quarter Microsoft Cloud revenue was $25.7 billion, up 24% (up 31% in constant currency) year-over-year. We continue to see healthy demand across our commercial businesses including another quarter of solid bookings as we deliver compelling value for customers,” said Amy Hood, executive vice president and chief financial officer of Microsoft.

So what is this likely to mean?

In my short form version of this post I referred to it as a train wreck. I think that's true. 

• If you want to sell to a security team, then you have to reduce the amount of tools they have (the best option), or replace existing tools by being a better mousetrap (the next best option). If you are adding a new tool, then good luck because you are going to need it. 

• Unless you are a top five priority you will either not get a look in or will be deferred to a later indeterminate date.

• We will see “good enough” baked into developer tools and cloud platforms like Github and AWS. “Good enough” will become common, replace existing tools and be the preferred new tool. 

• We will see the rise of mega security platforms that offer all the features (many bought on the cheap via tuck-ins and even acquihires) into a single pane of glass and from a single procurement team. CSPM and application security tools will be merged into a common platform.

• We will see innovation from early stage companies with money, solving real problems, of which yes noise, and the amount of tools, are two. 

• We will see better mousetraps that replace legacy tools for less money. 

• There will be a parade of security startups that didn't grow into their previous valuations going out for finance and getting a black eye. There will be more startups chasing fewer available dollars from venture investors at lower valuations than they expected. There will be down rounds, tuck-ins, acquihires and doors being closed. 

• In order to stand out from the crowd marketing teams will be making increasingly salacious claims. You will see “an ROI of 500%” (that one is real today), “zero risk is a reality”, “our AI powered system always has your back when you are asleep”. Struggling or worried vendors will all be shouting about why their area of focus is the most important to secure and why their product is critical. 

Life in security is never dull. It’s why I like it. As I said at the beginning I am likely to be personally affected by this, one of many, many people. I think the reality for the industry as a whole is that it will be good in the long term. We don’t need noise. We don’t need more tools. We don’t need market confusion. We don’t need salacious marketing. 

What we do need is people listening to practitioners about what problems they want to solve, how they want them solved, high quality tools that produce less noise and clear and honest marketing from the industry. 

There is going to be a security tools train crash, but if you know what's coming, you can get off the train and take the autobahn.