Plugging the Gaps: New Priorities in Cybersecurity

The urgent need to shore up cybersecurity capabilities spells opportunity for investors. The question is: Where is that need the greatest and what capabilities will providers need to deliver the best solutions?

New paradigm, new priorities

Cybersecurity has always been top of mind for organizations, many of which have had to deal with data breaches, ransom attacks, phishing scams and other forms of intrusion. The pandemic has brought that concern into even greater focus: According to a recent ESG survey, 62% of companies expect to step up spending on cybersecurity this year, with a focus on threat detection and securing their networks, clouds and data.

Unfortunately, those priorities are almost missing the point of today’s reality. Companies can no longer rely on these forms of security alone, with networks serving as the boundary for access rights and sensitive data. The rise in the remote workforce and the proliferation of access points mean that organizations will need to extend their cybersecurity priorities beyond protecting their networks (see Figure 1).

We believe there are three underinvested areas today that are, nonetheless, critical for secure remote working:

• Identity and access management (IAM)
• Endpoint protection
• Application security

But we don’t expect that underinvestment to last. As vulnerabilities are exposed, organizations will begin to shift their spending, and vendors with solutions that address these vulnerabilities in an efficient manner, without undermining the user experience, will receive increasing attention. Investors who take note of where the biggest cybersecurity gaps are during the current pandemic will be one step ahead as the recovery begins.

Identity and access management

Employees who once accessed data and applications from within the walls of the organization are now doing so from remote locations outside the network. This has been the case for some time, but the COVID-19 pandemic has made remote working the rule rather than the exception. As a result, IAM is more critical than ever. At the same time, it is under increasing stress from the sheer volume of remote users requiring access. With greater volume comes not only greater complexity but also the need for greater fluidity, as many policies and access rights are forced to change to account for the new paradigm. In some instances, organizations whose systems did not allow remote access previously are scrambling to implement new tools and procedures.

Historically, many companies have preferred to manage IAM as an add-on to broader solutions. Major software vendors such as Microsoft, IBM and Oracle all have strong products in this space that integrate well with their other solutions, offering advantages to companies that already use a product suite from these vendors. But increasingly, companies are looking to specialized vendors to upgrade their capabilities. This is driving growth in IAM as a stand-alone market and creating opportunity for investment. A number of specialized vendors offer highly competitive solutions. For example, Okta, Centrify and OneLogin all possess certain features and usability advantages that set them apart. 

As companies consider vendor selection in the IAM space, the most important features they will be looking for are usability and consistency. If their employees become frustrated — for example, by a cumbersome login process or multiple levels of verification — they will seek workarounds and undermine the security benefits of whatever solution is in place. Reducing friction for users will maximize compliance and result in the most value from access management tools and procedures. Vendors that can offer users such a seamless access experience are also likely to be the most promising investment targets.

Endpoint protection

Never before have companies had to rely on so many devices outside their networks to access secure applications and data. As people adjusted to a work-from-home paradigm, the sale of computers and computer accessories grew by double digits in the first two weeks of March alone, according to market research firm NPD.  For companies, this means a proliferation of endpoints accessing their network, all in need of protection.

Endpoint protection solutions serve the simple purpose of enabling access while blocking malware. They assist with data encryption and data transfer between a large number of endpoints from a centrally managed system and rulebook. They can also help ensure that devices (particularly user-owned devices that are not controlled by the company) have up-to-date operating systems, applications and web browsers, reducing the risk of vulnerabilities.

Investment opportunities among the leading vendors in this market are limited in the near term. Big hitters such as Microsoft and Symantec are competing at the high end with Crowdstrike (which had its initial public offering in 2019) and SentinelOne (which has already raised $120 million in Series D and $200 million in Series E funding in the past year). However, this market remains both highly fragmented and international, with a number of smaller European vendors making gains, including Sophos (U.K.), ESET (Slovakia), Bitdefender (Romania) and many more. 

With the scope of endpoint protection continuing to evolve, the successful vendors will be those that can keep pace. In particular, securing virtual compute nodes in cloud environments is a key battleground that expands on previous market definitions. Containerization will drive further evolution and create new opportunities for vendors to differentiate. It will also shift the market toward closer adjacency (or even overlap) with network security, which could enable new platform strategies across these markets.

Application security

Another ramification of the move to remote working is that more organizations are purchasing, integrating and developing new applications to manage the shift. It is essential that robust application security testing be in place to identify and manage vulnerabilities in these applications.

Development is an area for particular attention, and security features need to be built into applications at the beginning of the software development life cycle (SDLC). At the same time, the SDLC, particularly under a DevOps model, will feel particular strain with so many employees working from home. To ensure the SDLC is producing secure applications while minimizing friction in workflows, companies should be evaluating best-in-class tools across multiple categories of application security testing (AST) — both static and dynamic/interactive.

The winners in this space are most likely going to be vendors that offer the most developer-friendly tools and those that support higher-growth programming languages, such as Checkmarx, Snyk and WhiteSource. It is worth noting that some AST vendors still operate with primarily on-premises models, which may make implementation more difficult at this time. Many smaller or less mature organizations adopting AST for the first time will opt for a managed service approach, which will favor vendors such as Veracode and WhiteHat.

Investing where it counts the most

There is little doubt that hostile actors will view companies’ rapid transition to remote working as an ideal opportunity to ferret out new vulnerabilities. It is therefore critical that organizations be on their toes and adjust the focus of their cybersecurity efforts accordingly — especially since increased remote working is likely here to stay. This means concentrating on areas that have received relatively little — or certainly uneven — investment to date, including IAM, endpoint protection and application security.

As companies shift to securing their activities beyond the boundaries of their networks, vendors with innovative solutions that can deliver a seamless user experience will emerge as the new winners in cybersecurity — a clear opportunity for investors at the forefront of this evolving area.