At the beginning of each year, we find it valuable to pause to compile a concise list of the top themes and trends that we believe summarize the state of the cybersecurity sector in the previous year. We use this as a baseline for identifying the 2024 cybersecurity investment themes that most excite us. Here is our review of 2023 and our top themes for 2024.
Year In Review 2023
1. AI Mania
There’s no doubt, 2023 was the year of fear of missing out (FOMO) on generative artificial intelligence (AI) applications. As excitement over generative AI swept through enterprises, attention quickly turned to how companies could securely deploy AI products both internally (i.e., for use by employees) and externally in customer-facing applications. Internal AI security concerns largely relate to data loss prevention: employees pasting sensitive, confidential data into third-party managed chatbots and AI services. Securing customer-facing AI applications from attack, by contrast, is more akin to traditional application security, with the added complexity that model outputs are nondeterministic and the models themselves are black boxes.
2. Browser as the New “Operating System”
Browser security made big headlines in 2023 with a few outsized acquisitions and investments. But the jury is still out on whether this amounts to a new cybersecurity product sector. Browsers clearly have an increasingly central role in modern-day work. Enterprise applications that were formerly installed onto laptops and desktops are now delivered as software as a service (SaaS) and accessed via the browser, making the browser akin to the SaaS era’s “operating system.” The question now is: Will enterprises augment, instrument, and attempt to secure browsers? And if they do, which form factor will gain the most market share: 1. new, standalone browsers built with robust security and policy controls; or 2. security plug-ins that extend existing browsers (e.g., Google Chrome, Safari, etc.) and provide value such as real-time user guidance and observability?
3. Believe It or Not, It’s A Lot Harder to Be a CISO
Life in 2023 did not get any easier for chief information security officers (CISOs), who already suffer from intense stress, scrutiny, and pressure. Sixty percent of CISOs polled by Proofpoint stated they had experienced burnout in the previous 12 months, as of 2023’s first quarter.1 Notable cases against individual CISOs in 2023 (the sentencing of Uber’s former CISO on criminal charges, and the U.S. Securities and Exchange Commission’s civil fraud charges against SolarWinds’ CISO) highlighted the personal liability risk these executives face. Additionally, the SEC’s new cybersecurity disclosure rules, which took effect in December 2023, place further responsibility (and potential liability) on CISOs for meeting the requirement to disclose material cybersecurity incidents in a timely manner.
4. Like Bees to … Application Security (AppSec)
A slew of new AppSec entrants appeared in 2023, with functionalities that range from making sense of all your other AppSec tools to AI automagically fixing code. It’s easy to see why entrepreneurs and investors are attracted to AppSec, given the increasing amount of code being written and the unsolved problem of ensuring its security.
5. Your cyber issues make me uncomfortable: Third-party Risk
Third-party security traditionally focused on the security hygiene/posture of the external vendors an enterprise uses, typically assessed via security questionnaires. Over the last few years, we have seen this concept expand into “full-stack third-party security,” with efforts focused on detecting and managing the security vulnerabilities introduced by anything external to the organization, incorporating everything from third-party software libraries and code (e.g., software supply chain security) to SaaS application security to external security rating services (e.g., BitSight, SecurityScorecard).
6. Give Me Some of that Identity Threat Stuff
Enterprise defenders know that attackers are more likely to log in than to hack in. But, until recently, the only useful tool they had to thwart this was deploying a multifactor authentication (MFA) solution. MFA creates a pretty good barrier to entry, which is great. Unfortunately, it hardens only the moment of authentication: it does not let enterprises monitor access or user activity once a session exists, and this observability gap is increasingly obvious to both defenders and the attackers who exploit it (e.g., by stealing session tokens or bombarding users with MFA prompts until one is approved). Over the past year, several established vendors (e.g., Cisco, Okta, Proofpoint) have acquired early-stage identity threat detection and response companies to jumpstart their efforts and provide identity monitoring solutions. There’s lots more to be done with identity. Watch this space.
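As an added example (not code from the original article or any vendor’s product), the following script shows the kind of post-authentication monitoring the paragraph describes: it runs two identity threat detections over a constructed set of sign-in events, impossible travel between successive successful logins and MFA prompt fatigue (several denied pushes followed by an approval within a short window). The event schema, the thresholds, the city coordinates and the sample events are all assumptions for illustration; a real detector would read equivalent fields from the identity provider’s sign-in logs.

```javascript
// Added example (not from the original article): minimal identity-threat
// detection over constructed sign-in events. Event schema, thresholds and
// sample data are assumptions chosen for illustration.

const MFA_FATIGUE_WINDOW_MS = 10 * 60 * 1000; // denials counted in the 10 min before an approval
const MFA_FATIGUE_MIN_DENIALS = 3;
const IMPOSSIBLE_TRAVEL_KMH = 900;             // faster than a commercial flight

// Constructed sample events, not real logs. In practice lat/lon come from IP geolocation.
const sampleEvents = [
  { ts: "2024-01-10T08:00:00Z", user: "alice", event: "login_success", city: "Boston",   lat: 42.36, lon: -71.06 },
  { ts: "2024-01-10T08:20:00Z", user: "alice", event: "login_success", city: "Kyiv",     lat: 50.45, lon: 30.52 },
  { ts: "2024-01-10T08:00:00Z", user: "dave",  event: "login_success", city: "Boston",   lat: 42.36, lon: -71.06 },
  { ts: "2024-01-10T12:00:00Z", user: "dave",  event: "login_success", city: "New York", lat: 40.71, lon: -74.01 },
  { ts: "2024-01-10T09:00:00Z", user: "bob",   event: "mfa_denied",    city: "Lagos",    lat: 6.52,  lon: 3.38 },
  { ts: "2024-01-10T09:02:00Z", user: "bob",   event: "mfa_denied",    city: "Lagos",    lat: 6.52,  lon: 3.38 },
  { ts: "2024-01-10T09:04:00Z", user: "bob",   event: "mfa_denied",    city: "Lagos",    lat: 6.52,  lon: 3.38 },
  { ts: "2024-01-10T09:06:00Z", user: "bob",   event: "mfa_success",   city: "Lagos",    lat: 6.52,  lon: 3.38 },
  { ts: "2024-01-10T10:00:00Z", user: "carol", event: "mfa_denied",    city: "Denver",   lat: 39.74, lon: -104.99 },
  { ts: "2024-01-10T10:01:00Z", user: "carol", event: "mfa_success",   city: "Denver",   lat: 39.74, lon: -104.99 },
];

// Great-circle distance in km between two {lat, lon} points (haversine formula).
function haversineKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// Group events per user, sorted by time, with a numeric timestamp attached.
function groupByUser(events) {
  const byUser = new Map();
  for (const e of events) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push({ ...e, t: Date.parse(e.ts) });
  }
  for (const list of byUser.values()) list.sort((x, y) => x.t - y.t);
  return byUser;
}

// Flag consecutive successful logins whose implied travel speed is impossible.
function detectImpossibleTravel(events) {
  const alerts = [];
  for (const [user, list] of groupByUser(events)) {
    const logins = list.filter((e) => e.event === "login_success");
    for (let i = 1; i < logins.length; i++) {
      const prev = logins[i - 1], cur = logins[i];
      const km = haversineKm(prev, cur);
      const hours = (cur.t - prev.t) / 3_600_000;
      const kmh = hours > 0 ? km / hours : Infinity;
      if (km > 0 && kmh > IMPOSSIBLE_TRAVEL_KMH) {
        alerts.push({ type: "impossible_travel", user, from: prev.city, to: cur.city, kmh: Math.round(kmh) });
      }
    }
  }
  return alerts;
}

// Flag an MFA approval preceded by a burst of denied prompts (push fatigue).
function detectMfaFatigue(events) {
  const alerts = [];
  for (const [user, list] of groupByUser(events)) {
    for (const approval of list) {
      if (approval.event !== "mfa_success") continue;
      const denials = list.filter((e) =>
        e.event === "mfa_denied" && e.t < approval.t && approval.t - e.t <= MFA_FATIGUE_WINDOW_MS);
      if (denials.length >= MFA_FATIGUE_MIN_DENIALS) {
        alerts.push({ type: "mfa_fatigue", user, denials: denials.length, approvedAt: approval.ts });
      }
    }
  }
  return alerts;
}

function runDetections(events) {
  return [...detectImpossibleTravel(events), ...detectMfaFatigue(events)];
}

console.log(JSON.stringify(runDetections(sampleEvents), null, 2));
```

Run with `node`, it reports two alerts: alice’s Boston-to-Kyiv hop twenty minutes apart, and bob’s approval after three denials. Carol’s single denial and dave’s four-hour Boston-to-New York trip stay quiet, which is the point of the thresholds: the rules catch the attacker who already has a valid password and a second factor in hand, which MFA alone never sees.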
7. Fraud: Who Said You Can’t Teach New Dogs Old Tricks?
8. Show Me the Cyber Insurance!
Although cyber insurance remains a fast-growing category within the broader insurance industry, it continues to be a pain point for many buyers. Anecdotally, it is common to hear buyers complain that premiums keep rising while policies simultaneously provide less coverage and more exclusions/limitations. The demand side of this market has largely been driven by third-party/vendor due diligence requirements, with companies expected to provide proof of adequate cyber insurance coverage in order to pass enterprise procurement processes. On the supply side, traditional insurance underwriters who have entered the cyber insurance market face rising loss ratios. They also struggle to price risk appropriately because of the information asymmetry between underwriter and applicant about the applicant’s cybersecurity posture. We think cyber insurance will increasingly be seen as a form of “instant budget” for incident response, providing fast access to talent and investigative capabilities when needed. By contrast, we expect that the specifics around indemnification and business damages will be seen as a secondary value.
What Excites Us in 2024
1. Unified Remediation
The proliferation of cybersecurity scanners and extended security posture management (XSPM) solutions magnifies a problem long familiar from traditional vulnerability scanners: long lists of findings of questionable accuracy and unknown relevance. The cybersecurity team may be responsible for identifying problems and determining their criticality, but it cannot unilaterally remediate them; that work falls to information technology (IT) and other teams. Unified solutions are needed that enable IT, security operations centers, cybersecurity, cloud operations, network operations, and developers to dynamically prioritize, coordinate, task, track, and report on resolution.
2. Novel Fraud Detection Paradigms
While real-time artificial intelligence/machine learning fraud detection algorithms are an improvement in combating transaction-based fraud, they are not a panacea to the industry’s issues.
Fraudsters know to avoid the anomalous-looking transaction patterns that are most likely to be flagged. This suggests that more of the effort to combat fraud needs to move “left of boom” (i.e., catching the fraudster in the act before moving money). We think interesting opportunities are emerging around the next generation of account takeover solutions that prevent fraudsters from impersonating their victims and community intelligence solutions that enable participating financial firms to quickly respond to new threats.
3. Passwordless and Passkeys
It’s time to eliminate passwords and other credentials that individual users can easily compromise. Passwords are a weakness everyone knows about, but in the past they have been impossible to eliminate. Public-key credentials such as passkeys and FIDO2-based MFA are now mature enough, and supported by enough browsers, operating systems, mobile devices, and password managers, to be deployed; because each credential is bound to the site that registered it and the private key never leaves the authenticator, there is no secret for a user to type into a phishing page. Additionally, zero-trust initiatives have led administrators to deploy and value capabilities that require provisioning and managing individual devices and systems. The next step is eliminating the user’s ability to inadvertently compromise their own credentials. Demand for these capabilities will likely be accelerated by spectacular ransomware attacks and targeted phishing attacks. Solutions that make it easy to deploy, monitor, and manage passkeys and passwordless capabilities are exciting.
4. Reusable Identities and Credentials
Prove it. Consumers are time and time again challenged and forced to validate facts about themselves, whether signing up for a new app, opening a bank account, or applying for a credit card. The quality and efficiency with which this question is answered varies drastically across companies. We believe that the know-your-customer and identity verification processes are increasingly open to a “verify once and share” approach that leverages digital credentials. The challenge is finding an approach that appropriately aligns incentives (and balances risks) across consumers, verifying parties, and relying parties.
5. Consumer-focused Cybersecurity and Risk
An enterprise CISO can choose from among many potential cybersecurity vendors. That diversity contrasts with the few choices available to consumers looking to protect themselves or their families from cybersecurity threats. The consumer cybersecurity market is strikingly thin, and few products have found success outside identity theft protection. We believe that cybersecurity risks are an increasingly top-of-mind concern for the everyday consumer, so we are particularly excited about companies leveraging a business-to-business-to-consumer go-to-market strategy to reach these consumers.
6. Embedded AI in Cyber
A magic eight ball asked about how AI will improve cybersecurity would answer, “Reply hazy, try again.” Large language models and AI could be valuable in defending systems, but it is not clear what those solutions look like—at least not yet. In some ways, this is comforting. Unlike most other markets, the cybersecurity market was not overrun in the past year with claims about how AI has changed everything. But we know some truly game-changing applications are going to appear, so we are actively looking for these capabilities and the visionary teams building them.
7. Driving Efficiency and Resilience via Security Operations (SecOps)
For the past 18 months, regulators have been emphasizing resilience and have recently ramped up the liability for CISOs. Forward-thinking CISOs often respond to these pressures by redefining how success is measured for their cybersecurity programs. Until now, defenders have been judged almost exclusively on their ability to prevent and detect compromises (i.e., judged based on measuring failures, not success). In the next two years, we expect CISOs will be increasingly focused on factors that they can accurately assess, manage, and report on. They will be investing heavily in the ability to quickly respond to incidents, contain damages, and restore business operations. These efficiencies will be delivered via automating their security operations center, focused observability solutions, and investments in SecOps.
8. Ideas Tackling Fundamental Cyber Problems
In addition to the above-mentioned investment themes for this year, we are also interested in any businesses working on the following longer-term moonshot ideas:
- Credentialing robots and autonomous processes
- Credibility rating service(s), i.e., human versus machine-generated; factual versus disinformation
- Cybersecurity training that provides real value and is “sticky”
- Clever solution to address the cybersecurity skilled labor gap
1 Proofpoint 2023 Voice of the CISO Report. https://www.proofpoint.com/us/newsroom/press-releases/proofpoints-2023-voice-ciso-report-reveals-nearly-two-thirds-cisos-have-had
2 https://www.fincen.gov/reports/sar-stats
Disclosures:
The views expressed are the opinion of Sands Capital and are not intended as a forecast, a guarantee of future results, investment recommendations, or an offer to buy or sell any securities. The views expressed were current as of the date indicated and are subject to change. This material may contain forward-looking statements, which are subject to uncertainty and contingencies outside of Sands Capital’s control. Readers should not place undue reliance upon these forward-looking statements. All investments are subject to market risk, including the possible loss of principal. There is no guarantee that Sands Capital will meet its stated goals. Past performance is not indicative of future results. References to companies provided for illustrative purposes only. The specific securities portfolio holdings identified and described do not represent all of the securities purchased, sold, or recommended for advisory clients. There is no assurance that any securities discussed will remain in the portfolio or that securities sold have not been repurchased. You should not assume that any investment is or will be profitable.
As of January 19, 2024, Alphabet (the parent of Google Chrome), Okta, and Uber were held in Sands Capital strategies. Apple, the parent of Safari, Cisco, SolarWinds, BitSight, SecurityScorecard, and Proofpoint were not held in any Sands Capital strategy.
References to “we,” “us,” “our,” and “Sands Capital” refer collectively to Sands Capital Management, LLC, which provides investment advisory services with respect to Sands Capital’s public market investment strategies, and Sands Capital Ventures, LLC, which provides investment advisory services with respect to Sands Capital’s private market investment strategies, which are available only to qualified investors. As the context requires, the term “Sands Capital” may refer to such entities individually or collectively. As of October 1, 2021, Sands Capital was redefined to be the combination of Sands Capital Management, LLC and Sands Capital Ventures. Both firms are registered investment advisers with the United States Securities and Exchange Commission in accordance with the Investment Advisers Act of 1940. The two registered investment advisers are combined to be one firm and are doing business as Sands Capital. Sands Capital operates as a distinct business organization, retains discretion over the assets between the two registered investment advisers, and has autonomy over the total investment decision-making process.
This communication is for informational purposes only and does not constitute an offer, invitation, or recommendation to buy, sell, subscribe for, or issue any securities. The material is based on information that we consider correct, and any estimates, opinions, conclusions, or recommendations contained in this communication are reasonably held or made at the time of compilation. However, no warranty is made as to the accuracy or reliability of any estimates, opinions, conclusions, or recommendations. It should not be construed as investment, legal, or tax advice and may not be reproduced or distributed to any person.
In the United Kingdom, this communication is issued by Sands Capital Advisors – UK Ltd (“Sands UK”) and approved by Robert Quinn Advisory LLP, which is authorised and regulated by the UK Financial Conduct Authority (“FCA”). Sands UK is an Appointed Representative of Robert Quinn Advisory LLP. This material constitutes a financial promotion for the purposes of the Financial Services and Markets Act 2000 (the “Act”) and the handbook of rules and guidance issued from time to time by the FCA (the “FCA Rules”). This material is for information purposes only and does not constitute an offer to subscribe for or purchase of any financial instrument. Sands UK neither provides investment advice to, nor receives and transmits orders from, persons to whom this material is communicated, nor does it carry on any other activities with or for such persons that constitute “MiFID or equivalent third country business” for the purposes of the FCA Rules. All information provided is not warranted as to completeness or accuracy and is subject to change without notice. This communication and any investment or service to which this material may relate is exclusively intended for persons who are Professional Clients or Eligible Counterparties for the purposes of the FCA Rules or fall into a relevant category under COBS 4.12 in the FCA Rules and other persons should not act or rely on it. This communication is not intended for use by any person or entity in any jurisdiction or country where such distribution or use would be contrary to local law or regulation. #3183815