Editor’s note: Sid Trivedi is a Partner at Foundation Capital, where he invests across the enterprise stack and helps lead the firm’s focus on cybersecurity. His experience runs the gamut from public, to growth, to early-stage, affording him a unique perspective on how brand leaders are built and sustained. Sid started his career on Wall Street at Barclays Capital, advising on tech, media, and telecom companies, spending time on both the buy- and sell-side of major deals. He then worked as an investment professional at Symphony Technology Group, a Palo Alto-based private equity firm investing in software, technology-enabled, and data analytics companies. Before arriving at Foundation Capital, Sid was an investor at Omidyar Technology Ventures.
Let’s start at the beginning, Sid. How would you characterize the current cyber industry? 

There are numerous ways to think about the industry. One way is to think about it in terms of the growing number of breaches happening each year. According to the Identity Theft Resource Center, 2023 saw a staggering 3,205 public data breaches, more than any other year so far and 70% more than the previous record set in 2021. Another is in terms of the three attack vectors — hardware, software, and people — that bad actors rely on to perpetuate those attacks. 

You can also look at cybersecurity in terms of the industry that has been built up to try to prevent such attacks. There are currently around 4,000 cyber companies, about two dozen of which are publicly traded. That’s noteworthy because it’s the largest number of public companies in any specific software sector and because it means that there’s no single winner. That, in turn, continues to allow for healthy competition and for new players to break out. 

Of course, I also look at cybersecurity from an investor’s perspective. It’s a very active market and what stands out about it is how dramatically VC financings have varied in recent years. In 2021, for example, investors poured approximately $30 billion into cybersecurity businesses spread across approximately 1,000 financings. The following year saw $18.5 billion invested across roughly the same number of financings. Meanwhile just $9.4 billion was invested in 2023, spread across around 800 financings. So while the number of financings has remained fairly steady, the dollar values have gotten much smaller. 

How should we interpret the recent decline in VC dollars going toward cyber companies?

I’d say that it has less to do with the sector and is really more of a reflection of the current interest rate environment and the state of the financial markets overall. While VCs may no longer favor the $100-million-plus rounds that were common just a couple of years ago, they are still very actively investing in cybersecurity businesses.

And as a cyber investor, where do you see the biggest opportunities?

Over the last few years, the big focus has been on cloud security. That’s not exactly surprising given that when you look at the publicly reported data breaches, over 80% of them involve some level of data stored in the cloud. With public cloud adoption now at around 30%, enterprises have realized that their cloud footprint has the potential to be a vulnerability and that they need to do something about it.

More recently I’ve been spending a lot of my time on product security. Today, most code is assembled rather than written by developers. With those developers increasingly relying on open-source repositories and third-party integrations to speed up their workflows, new security vulnerabilities are emerging. To prevent security from becoming a bottleneck, companies need new tools that satisfy security decision makers, developers, and infrastructure teams alike. I think the big opportunity going forward will be with companies that are working to change the product security stack. And with the now virtually ubiquitous nature of hybrid working arrangements, network security is another area I’m paying attention to.

AI is changing the tech landscape. What are some of the most immediate implications of the technology for cybersecurity?

It’s certainly opened new doors for attackers, many of whom are already leveraging AI to make their attacks more impactful. Take spear phishing, for example, which is a phishing attack targeted at specific individuals. Because those attacks generally take the form of emails created in either developing or non-English-speaking countries, in the past they typically had so many spelling and grammar mistakes that they were easy to spot.

With the introduction of products like ChatGPT in November 2022, however, not only can anyone create high-quality emails, they can also automate the process to do so at scale. And that’s exactly what the data reflects. In Q3 2022, prior to the launch of ChatGPT, around 75 million phishing emails were sent worldwide. By the end of Q4 that year, the number of phishing emails quadrupled to around 280 million. And while we can’t directly attribute that increase to ChatGPT, I think it’s a reasonable assumption when you consider that 170 million of the phishing emails in Q4 2022 were sent in December, right after ChatGPT’s launch.

Hackers are also using AI to build more sophisticated malware that can break an endpoint environment like a laptop or mobile phone. Here AI lowers the barrier, making it easier for less skilled hackers to increase the types of malware attempts that they can run. 

The last way I see bad actors starting to leverage AI is to target the actual models themselves. There are lots of ways to do that, including model poisoning, model injection, and model inversion, to name just a few, any of which can allow hackers to breach models and have a material impact on how they work.

What about for cybersecurity companies? What are the most immediate implications of AI for them?

Last summer, Morgan Stanley published a report that tried to size the market created from the confluence of AI and cyber. The report noted that there are about 5 million cyber professionals globally, each of whom earns around $80,000 a year on average. When you add that up, it translates to $375 billion in annual spend on cybersecurity personnel. What was interesting is that the report went on to say that approximately 30% of the work those professionals do can be automated. It ultimately concluded that there’s roughly a $35 billion opportunity for software vendors that sit at the intersection of AI and cyber.

I see that opportunity playing out in a number of different ways. We’ll see a bunch of workflow-driven changes that automate parts of what security engineers, security architects, and CISOs do. We’ll also see an increase in using AI to automate some of the highly human-dependent pen-testing strategies currently in place to identify and fix net new vulnerabilities that hackers could exploit to breach an application. 

Of course, we’ll also see AI used to combat things like the spear phishing I mentioned earlier, by, for example, creating more accurate and engaging cyber awareness programs designed to educate end users so that they’re better equipped to avoid those attempts. And we’ll see AI used to ensure model security and to automate new areas of workflows that haven’t previously been addressed.

How mature is the industry in terms of AI adoption and how do you think the industry will evolve as its use becomes more widespread?

It’s early days for sure. The recent CIO surveys I’ve seen say that between 1% and 2% of global IT budgets at the CIO level are currently being targeted at AI projects. Meanwhile, according to another CIO poll, about 50% of CIOs say that it won’t be until the second half of 2024 that their initial AI projects go into production. And a third of CIOs have no plans to use AI or LLMs across IT at all in the near future.

It took nearly 18 years to get to 30% public cloud adoption. I don’t think it will take quite that long for AI, but it could easily take another five years to reach that same point. 

Speaking of that, a key part of adoption is giving people what they want. What do you think the typical CISO wants from a cyber perspective? 

Today’s CISOs are concerned about product security. They spend a lot of time thinking about how they can avoid being a bottleneck and get applications into development faster without increasing risk. Network security has also become much more interesting to them, as has identity, following a flurry of high-profile breaches at Okta, a well-known identity management company that many of them have standardized on.

I think CISOs also want fewer solutions. Today they might work with anywhere from 50 to 75 different vendors. I expect we’ll see some consolidation, with fewer vendors offering more services, and that within the next couple of years CISOs may only need 40 to 50 vendors to meet their needs.

And looking at this from a vendor perspective, what do you think it takes to win customers in the current environment?

Again, CISOs are trying to manage their vendor footprint and will likely spread the same amount of money as last year, or slightly more, across fewer vendors. The way for founders to win, in my opinion, is to become a part of the community well before they are ready to sell. It’s about figuring out how to build a rapport with people rather than blindly selling software. That can happen by holding and participating in more events, leveraging customer networks, and getting down to grassroots community building.

There’s been a lot of M&A activity in the cybersecurity industry over the past 12 months. What were some of the most notable deals?

By far the biggest was Cisco’s $28 billion acquisition of big data platform Splunk, which was announced last September and is set to close later this year. This was a huge move by Cisco that really signals its renewed focus on cyber. Then there were a couple of other important, but considerably smaller deals. On the private equity front, Francisco Partners bought a public cyber company called Sumo Logic for $1.4 billion, while TPG bought Forcepoint for $2.5 billion.

Another area where there was a lot of M&A activity was with strategics either acquiring start-ups or other strategics. A defense contractor called Thales Group acquired Imperva for $3.6 billion. We also saw traditional security companies acquiring startups. HPE bought Axis Security for half a billion dollars and Palo Alto Networks did two big deals, buying Dig Security and Talon for a combined billion dollars. Meanwhile in late 2023, Okta announced its $100 million acquisition of Spera Security.

So, while down from 2021 levels, the M&A landscape continues to be strong, with private equity acquiring security vendors, both cyber and non-cyber strategics acquiring other strategics, and cyber strategics acquiring cyber startups. A lot of this activity is being driven by a desire to consolidate so that companies can offer more comprehensive solutions that can command a greater portion of the CISO’s budget. For others, it’s about getting a first toehold in cyber.

Looking ahead to this year, I think all of the ingredients are in place for a very active year in terms of consolidation. That’s because interest rates are high, which makes venture capital less appealing as an asset class since it puts downward pressure on founder-friendly growth rounds. That in turn forces M&A to happen. Beyond that, most start-ups are running low on cash. Finally, public companies have done better than private ones and are trading at much healthier valuations. In the cyber market, the median trading multiple for cyber companies is about 6x enterprise value over next-twelve-months revenue, while for high-growth companies it’s at around the 16x level. Most of those high-growth companies have more than enough cash that they could use to make strategic acquisitions.

Last question: What’s your outlook for cyber in 2024 and beyond?

I’m very bullish on cyber. The opportunity ahead for the category has only increased. I’ve been in this market for the last 12 years and it’s been going up and to the right almost that entire time. That’s partly because there’s lots of distribution, a view around best of breed in the customer base, and a very educated customer base that spends a lot of time trying to understand technologies, is very innovative, and wants to try new solutions. And the broader venture, M&A, and IPO landscape remain very healthy. For founders and investors alike, 2024 will be about figuring out how to navigate the market most effectively to take advantage of all of the opportunities.

Thanks for your insights, Sid. We appreciate it!