Our Culture

What you believe and what you value as an organization matters. Discover the DNA of our firm.

Our People

Get to know our teams and the stories of select staff members who share why they choose to work at Sands Capital.

News & Events

Read about some of the latest events, partnerships, and business highlights from Sands Capital.

Careers

At Sands Capital, we strive to hire exceptional talent who will live our values and support our efforts to deliver on our mission.

The combination of software and the move to cloud computing remains one of the largest secular growth trends we see, which is driving increased demand for scalable, cloud-based solutions across every sector of the economy.

In this episode of What Matters Most, we delve deep into the world of online sports betting, focusing on the global leader, Flutter. Research Analyst Katherine Bates joins us to discuss Flutter’s journey, its innovative strategies, and how it’s transforming the gambling landscape.

At Sands Capital we encourage our investment team to think in decades not quarters. Director of Research Michael Raab, CFA discusses how culture can support the visionary research needed to find businesses creating the future.

Nu Holdings’ Nubank focuses on driving financial inclusion among underbanked populations who lack sufficient access to mainstream financial services and products, including access to common banking services, such as credit cards or loans.

Philosophy & Approach

Our philosophy is rooted in the belief that, over time, stock prices will reflect the earnings power and growth of the underlying businesses.

Our latest annual report offers a comprehensive view of how we add value through active stewardship.

Public Equity

Our newest strategy takes an unconstrained approach to seeking the best growth businesses outside of the U.S.

Venture & Growth Equity

Sands Capital invests in innovative businesses across all stages of the growth spectrum

Investment Opportunities in Cybersecurity 

Contributors

Principal

Venture Partner

on
February 5, 2024

At the beginning of each year, we find it valuable to pause to compile a concise list of the top themes and trends that we believe summarize the state of the cybersecurity sector in the previous year. We use this as a baseline for identifying the 2024 cybersecurity investment themes that most excite us. Here is our review of 2023 and our top themes for 2024.

Year In Review 2023

1. AI Mania

There’s no doubt, 2023 was the year of fear of missing out (FOMO) on generative artificial intelligence (AI) applications. As the excitement of using generative AI applications swept through enterprises, attention quickly turned to how companies could both securely deploy AI products internally (i.e., for use by employees) as well as externally in customer facing applications. Internal AI security concerns largely relate to data loss prevention amid risks of employees inputting sensitive, confidential data into third-party managed chatbots and AI services. Conversely, securing customer-facing AI applications from attack is more akin to traditional application security, with the added twist/complexity introduced by AI models, due to the nondeterministic nature of AI and the black-box nature of models.

2. Browser as the New “Operating System”

Browser security made big headlines in 2023 with a few outsized acquisitions and investments. But the jury is out in declaring this is a new cybersecurity product sector. Browsers clearly have an increasingly central role in modern-day work. Enterprise applications that were formerly installed onto laptops and computers are now delivered via software as a service (SaaS) and accessed via internet browsers, making the browser akin to the SaaS-era’s “operating system.” The question now is: Will enterprises augment, instrument, and attempt to secure browsers?  And if they do, what form factor will gain the most market share: 1. new, standalone browsers built with robust security and policy controls; or 2. security plug-ins that extend existing browsers (e.g., Google Chrome, Safari, etc.) providing value, such as real-time user guidance and observability?

3. Believe It or Not, It’s A Lot Harder to Be a CISO

Life in 2023 did not get any easier for chief information security officers (CISOs), who already suffer from intense stress, scrutiny, and pressure. Sixty percent of CISOs polled by Proofpoint stated they had experienced burnout in the previous 12 months, as of 2023’s first quarter.1 Notable criminal cases were filed against CISOs (e.g., Uber, SolarWinds) in 2023, highlighting the potential personal liability risk these executives face. Additionally, new cybersecurity reporting rules from the U.S. Securities and Exchange Commission, which took effect in December 2023 place further responsibility (and liability) on CISOs for complying with timely disclosure requirements for material cybersecurity incidents.

4. Like Bees to … Application Security (AppSec)

A slew of new AppSec entrants appeared in 2023, with functionalities that range from making sense of all your other AppSec tools to AI automagically fixing code. It’s easy to see why entrepreneurs and investors are attracted to AppSec, given the increasing amount of code being written and the unsolved problem of ensuring its security.

5. Your cyber issues make me uncomfortable: Third-party Risk

Third-party security traditionally focused on the security hygiene/posture of external vendors used by an enterprise, typically delivered as security questionnaires. Over the last few years, we have seen this concept expand into “full-stack third-party security,” with efforts focused on detecting and managing the security vulnerabilities introduced by anything external to the organization, incorporating everything from third-party software libraries and code (e.g., software supply chain security) to SaaS application security to external security rating services (e.g., BitSight, SecurityScorecard.)

6. Give Me Some of that Identity Threat Stuff

Enterprise defenders know that attackers are more likely to log in than to hack. But, until recently, the only useful tool they had to thwart this was deploying a multifactor authentication (MFA) solution. MFA creates a pretty good barrier to entry, which is great. Unfortunately, it doesn’t enable enterprises to monitor access or user activities, and this observability gap is increasingly obvious to both defenders and the attackers who exploit it. Over the past year, several of the established vendors (e.g., Cisco, Okta, Proofpoint) have acquired early-stage identity threat detection and response companies to jumpstart their efforts and provide identity monitoring solutions. There’s lots more to be done with identity. Watch this space.

7. Fraud: Who Said You Can’t Teach New Dogs Old Tricks?

In 2023, we saw a continuation of the COVID-19 era trend of elevated fraudulent activity across the financial industry, largely due to the significant shift of commerce and business activity to higher-risk online, non-face-to-face channels. Suspicious activity reports (SARs) filed with the U.S. government’s Financial Crimes Enforcement Network relating to fraud increased 85 percent in 2023 compared to pre-pandemic years (2019) and are up 32 percent over the last two years. Interestingly, while novel fraud schemes leveraging generative AI (e.g., voice cloning, phishing emails) have started to emerge, some of the more old-fashioned schemes, such as traditional check fraud, continue to be the most prevalent (e.g., check fraud was the most common type of fraud-related SAR, accounting for 31 percent of such SARs in 2023.).2

8. Show Me the Cyber Insurance!

Although cyber insurance remains a fast-growing category within the broader insurance industry, it continues to be a pain point for many buyers. Anecdotally, it is common to hear complaints among buyers of cyber insurance that premiums continue to rise, while the plans simultaneously provide less coverage and more exclusions/limitations. The demand-side of this market has largely been driven by third-party /vendor due diligence requirements, with companies expected to provide proof of adequate cyber insurance coverage in order to pass enterprise procurement processes. On the supply side, traditional insurance underwriters who have entered the cyber insurance market face rising loss ratios. They also face challenges in appropriately pricing risk due to the asymmetric information gap that exists between underwriter and applicant on the applicant’s cybersecurity posture. We think cyber insurance will increasingly be seen as a form of “instant budget” for incident response, providing fast access to talent and investigative tactics when needed. On the other hand, we expect that the specifics around indemnification and business damages will be seen as a secondary value.

What Excites Us in 2024

1. Unified Remediation

The proliferation of cybersecurity scanners and extended security posture management (XSPM) solutions magnifies the challenges posed by traditional vulnerability scanners, which are famous for generating long lists of issues with questionable accuracy and unknown relevance. The cybersecurity team may be responsible for identifying problems and determining their criticality, but they are not capable of unilaterally remediating them. They rely on the work done by information technology (IT) and other teams to do that work. Unified solutions that enable IT, security operations centers, cybersecurity, cloud operations, network operations, and developers to dynamically prioritize, coordinate, task, track, and report on resolution are needed.

2. Novel Fraud Detection Paradigms

While real-time artificial intelligence/machine learning fraud detection algorithms are an improvement in combating transaction-based fraud, they are not a panacea to the industry’s issues.

Fraudsters know to avoid the anomalous-looking transaction patterns that are most likely to be flagged. This suggests that more of the effort to combat fraud needs to move “left of boom” (i.e., catching the fraudster in the act before moving money). We think interesting opportunities are emerging around the next generation of account takeover solutions that prevent fraudsters from impersonating their victims and community intelligence solutions that enable participating financial firms to quickly respond to new threats. 

3. Passwordless and Passkeys

It’s time to eliminate passwords and credentials that individual users can easily compromise. Passwords are a weakness that everyone knows about, but in the past, they’ve been impossible to eliminate. Public key infrastructure-based capabilities such as passkeys and MFA are now mature enough and supported by enough browsers, operating systems, mobile devices, and password managers to be deployed. Additionally, zero-trust capabilities have led administrators to deploy and value capabilities that require provisioning and management for individual devices and systems. The next step is eliminating the user’s ability to inadvertently compromise their own credentials. Demand for these capabilities will likely be accelerated by spectacular ransomware attacks and targeted phishing attacks. Solutions that make it easy to deploy, monitor, and manage passkeys and passwordless capabilities are exciting.

4. Reusable Identities and Credentials

Prove it. Consumers are time and time again challenged and forced to validate facts about themselves, whether signing up for a new app, opening a bank account, or applying for a credit card. The quality and efficiency with which this question is answered varies drastically across companies. We believe that the know-your-customer and identity verification processes are increasingly open to a “verify once and share” approach that leverages digital credentials. The challenge is finding an approach that appropriately aligns incentives (and balances risks) across consumers, verifying parties, and relying parties.

5. Consumer-focused Cybersecurity and Risk

An enterprise CISO can choose from among many potential cybersecurity vendors. This diversity contrasts with the few choices for consumers looking to protect themselves or their families from cybersecurity threats. The scarcity of cybersecurity solutions focused on consumers is stunning and has seen little success outside of identity theft protection. We believe that cybersecurity risks are an increasingly top-of-mind concern for the everyday consumer, so we are particularly excited about companies leveraging a business-to-business-to-consumer go-to-market strategy to reach these consumers.

6. Embedded AI in Cyber

A magic eight ball asked about how AI will improve cybersecurity would answer, “Reply hazy, try again.” Large language models and AI could be valuable in defending systems, but it is not clear what those solutions look like—at least not yet. In some ways, this is comforting. Unlike most other markets, the cybersecurity market was not overrun in the past year with claims about how AI has changed everything. But we know some truly game-changing applications are going to appear, so we are actively looking for these capabilities and the visionary teams building them.

7. Driving Efficiency and Resilience via Security Operations (SecOps)

For the past 18 months, regulators have been emphasizing resilience and have recently ramped up the liability for CISOs. Forward-thinking CISOs often respond to these pressures by redefining how success is measured for their cybersecurity programs. Until now, defenders have been judged almost exclusively on their ability to prevent and detect compromises (i.e., judged based on measuring failures, not success). In the next two years, we expect CISOs will be increasingly focused on factors that they can accurately assess, manage, and report on.  They will be investing heavily in the ability to quickly respond to incidents, contain damages, and restore business operations. These efficiencies will be delivered via automating their security operations center, focused observability solutions, and investments in SecOps. 

8. Ideas Tackling Fundamental Cyber Problems

In addition to the above-mentioned investment themes for this year, we are also interested in any businesses working on the following longer-term moonshot ideas:

  • Credentialing robots and autonomous processes
  • Credibility rating service(s) i.e., human versus machine-generated; factual versus disinformation
  • Cybersecurity training that provides real value and is “sticky”
  • Clever solution to address the cybersecurity skilled labor gap

1 Proofpoint 2023 Voice of the CISO Report. https://www.proofpoint.com/us/newsroom/press-releases/proofpoints-2023-voice-ciso-report-reveals-nearly-two-thirds-cisos-have-had

2  https://www.fincen.gov/reports/sar-stats

Disclosures:

The views expressed are the opinion of Sands Capital and are not intended as a forecast, a guarantee of future results, investment recommendations, or an offer to buy or sell any securities. The views expressed were current as of the date indicated and are subject to change. This material may contain forward-looking statements, which are subject to uncertainty and contingencies outside of Sands Capital’s control. Readers should not place undue reliance upon these forward-looking statements. All investments are subject to market risk, including the possible loss of principal. There is no guarantee that Sands Capital will meet its stated goals. Past performance is not indicative of future results. References to companies provided for illustrative purposes only. The specific securities portfolio holdings identified and described do not represent all of the securities purchased, sold, or recommended for advisory clients. There is no assurance that any securities discussed will remain in the portfolio or that securities sold have not been repurchased. You should not assume that any investment is or will be profitable.

As of January 19, 2024, Alphabet (the parent of Google Chrome), Okta, and Uber were held in Sands Capital strategies. Apple, the parent of Safari, Cisco, SolarWinds, BitSight, SecurityScorecard, and Proofpoint were not held in any Sands Capital strategy.

Further Disclosures
Investment Strategy
Are Emerging Markets Reemerging?
Hear Sands Capital's take on the resurgence of emerging markets in this short video highlighting past struggles, recent progress, and why we are optimistic about this asset class.
Investment Strategy
Going Where The Growth Is: Emerging Markets
Listen to Sands Capital's take on the nuances of investing in emerging markets, and the significance of selectivity and understanding growth opportunities.
Investment Strategy
Why Active Matters in Emerging Markets
In this brief video, we explain the shortcomings of passive investing in emerging markets and the benefits of active investments.
Investment Strategy
Positioning Investments in an Uncertain Election Environment
History suggests that markets trend upward regardless of who’s in the White House and who controls Congress. That said, given today’s geopolitical, economic, and social crosscurrents, we believe that selectivity will become increasingly important.
Investment Strategy
Decoding Software’s Future
The combination of software and the move to cloud computing remains one of the largest secular growth trends we see, which is driving increased demand for scalable, cloud-based solutions across every sector of the economy.
on
Print