SHARED INTEL: VCs pumped $21.8 billion into cybersecurity in 2021 — why there’s more to come

By David Magerman

At the start of this year, analysts identified a number of trends driving the growth of cybersecurity. Among them: an expanding digital footprint, growing attack surfaces, and increasing government regulation.


Last year saw an unprecedented $21.8 billion in venture capital poured into cybersecurity companies globally. Investors more than doubled down in 2021, increasing investment by about 145 percent.

Based on the early-stage startup pitches we are seeing at Differential Ventures, that trend isn’t going to let up anytime soon. The top drivers of the continued growth of cybersecurity are: the growing need to protect the API supply chain, the inadequacy of existing identity management systems, and the unfulfilled promise of data-driven AI-powered cybersecurity systems.

Securing APIs

The SolarWinds attack made API supply chain security a front-page story in 2020. Major breaches in Parler, Microsoft Exchange Server, Experian, and LinkedIn increased the intensity of concern about API supply chain attacks in 2021. The Log4j vulnerability reported at the end of 2021 heightened concern even more. According to Gartner, 45 percent of organizations worldwide have experienced attacks on their software supply chain in 2022, a threefold increase from 2021.

Given all of this newfound concern for API supply chain security, where are the tools for solving this problem? The current tools are inadequate, brittle, statically rule-based, and require much manual intervention and processing. Every week, we see a new pitch for an API supply chain security startup. Many of them are pre-product and still in the design stage. But they are founded by highly qualified and experienced cybersecurity experts, and they are likely to transform the landscape of API supply chain security in the coming years.

Improving identity management


For a long time, enterprise customers have been dissatisfied with cybersecurity solutions for identity management. Existing systems suffer from clumsy interfaces, overwhelming IT management burden, and oscillations between being too permissive and too promiscuous. COVID-driven remote work made the problem of identity management systems a much higher priority. In addition, the growth of assets stored in digital wallets, as well as the promised growth of the metaverse and other Web 3.0 projects, makes the need for more robust and portable identity management systems even more urgent.

Existing tools trying to manage users’ identities and their access permissions are proving inadequate, driving frustrated IT managers to become cybersecurity entrepreneurs. Many of the startups attempting to tackle this vexing problem are offering the promise of data science and machine learning to automate the process of managing identities, although none of them have even collected the data to prove the accuracy and robustness of their proposed solutions.

Still, given the impact data science has had on other areas of software development, it seems likely that in the coming years one or more of these proposed solutions will yield a significant improvement in identity management systems.

Leveraging data science

Nearly every cybersecurity startup pitched to our fund promises artificial intelligence built into their software, powered by data science trained on cybersecurity data. These pitches fall into two categories: pre-product companies and companies with working prototypes of their solutions. The one commonality across nearly all of these systems: they have no data yet to train their models, much less prove that their approaches will lead to improvements over state-of-the-art static systems.

Data science has improved the performance of software in a lot of industries, but it fails in many cases. The only way to know if data science will yield improvements is to collect the appropriate data, annotate it (if necessary), and analyze the annotated data to see if there is information in the data that can reduce uncertainty of phenomena that need to be predicted. If that analysis leads to a positive result, then you still need to train models on that data and figure out how to integrate the predictions from those models into software to produce insights that solve existing problems better than current systems.

With enough ingenious cybersecurity software developers and data scientists collecting data, iteratively building models, and using these models to address vexing unsolved or poorly solved cybersecurity problems, inevitably they will find ways to make meaningful impact on those problems, and some minority of the startups being funded today will have the chance to blossom into unicorns in the coming years.

The recent swoon in public markets for technology stocks may lead one to predict that there will be a lull in funding of cybersecurity solutions, along with a downtick in valuations. However, I believe that the impact of the market correction will be counterbalanced by the growing need for new solutions to many problems in cybersecurity, and by the ingenuity of the new approaches being taken to solve these problems.

About the essayist: David Magerman is a co-founder and managing Partner at Differential Ventures. He was previously at Renaissance Technologies, a quantitative hedge fund management company.
