Security industry overview December 2016
Data breaches are here, and they’re not going away anytime soon
“We believe that data is the phenomenon of our time. It is the world’s
new natural resource. It is the new basis of competitive advantage, and it
is transforming every profession and industry. If all of this is true – even
inevitable – then cyber crime, by definition, is the greatest threat to every
profession, every industry, every company in the world.”
– IBM chairman, CEO and President Ginni Rometty
These trends get us most excited about security
Increasingly malicious threat environment
• Targeted attacks: sophisticated malware attacks are avoiding traditional firewalls and seeking vulnerable entities
• Nation-state involvement: nation-states are increasingly funding attacks, driven by not only economic incentives but also political motives
• Dynamic malware: attackers can now sense potential environment detection and manipulate appearance
Expanding surface area
• Cloud apps and infrastructure: we’re witnessing a rise in vulnerability from the increased adoption of cloud-based applications
• Mobility: enterprises are looking to secure mobile applications, as bring-your-own-device (BYOD) becomes the new standard
• Internet of Things (IoT): rapid growth in the number of connected devices is evident
Current security ineffectiveness
With the increase in the number of breaches in recent years, there is a growing perception amongst CISOs that the current security paradigm isn’t effective enough.
• Incident count: number of security incidents occurring annually is at an all-time high
• Incident cost: as it becomes more and more costly to remediate hacks, enterprises will continue to allocate a higher portion of their IT budget on superior security products
Source: Morgan Stanley
Cybersecurity is a growing problem, despite increased spend on technology & services
[Chart: Total number of cybersecurity incidents, worldwide, 2009 to 2015]
Source: Morgan Stanley, press
Recent high-profile hacks
September 2016
May 2016
March 2016
September 2016
August 2016
The cost of cyber breaches has increased significantly as well
[Chart: Average cost of a data breach (US$m), 2013 to 2015]
Source: Morgan Stanley
Typical attack life cycle
Step 1. Research: Hackers want PII, PHI and PEI.
Step 2. Infiltration: They attack.
Step 3. Discovery: They’re inside. They find what they are looking for.
Step 4. Capture: They take the data & store it away slowly.
Step 5. Monetization: They sell the data to people who want it.
The security market is poised for robust growth
[Chart: Security market (US$B), 2015 to 2020E]
$55B market in 2015
$128B market by 2020
Source: Morgan Stanley
U.S. federal spending in security is expected to grow 35% YoY in 2017…
Federal cybersecurity budget (US$B):
• 2013: $10.3
• 2014: $12.7
• 2015: $13.1
• 2016E: $14.0
• 2017E: $19.0
Source: Morgan Stanley, FISMA Annual Report to Congress
…while non-government security spend is also on the rise
The U.S. financial services cybersecurity market reached $9.5B in 2015, becoming the largest non-government cybersecurity market.
Annual budget: $500m, $400m, $300m, $250m
$1.5B spent on cybersecurity annually between these four alone… AND THAT NUMBER IS EXPECTED TO GROW
Source: Forbes
Access control
Selective restriction of access to a place or other resource. Technologies include:
1) Identity & access management (IAM):
• Captures user identities and controls access to resources by checking user rights and restrictions
• Is an area of increasing focus for enterprises as a number of recent high profile breaches have resulted from insiders gaining access to critical files
• $5.5B market in 2015
2) Virtual private network (VPN):
• Creates secure connections between users at home or in remote offices and the corporate network
• Creates a virtual tunnel using encryption and authentication protocols
• $0.5B market in 2015
3) Data loss prevention (DLP):
• Makes sure that users do not send critical information outside a corporate network, with a dedicated administrator controlling what data users can transfer
• $0.9B market in 2015
Source: IDC, Morgan Stanley, Gartner
Endpoint threat prevention
Aims to protect the perimeter of the company. Technologies include:
1) Consumer endpoint:
• Includes personal firewalls and anti-virus protection
• Also now beginning to prevent malware, secure mobile devices and safeguard against identity theft & online transactions
• $4.8B market in 2015
2) Corporate endpoint:
• Protects corporate devices from the installation of malicious software that seeks to disrupt business processes and / or steal confidential data
• Multiple layers of protection, aiming to identify, prevent, block and contain known and unknown threats on devices themselves
• $4.4B market in 2015
Source: IDC, Morgan Stanley, Gartner
Network threat prevention
Seeks to prevent unauthorized access to the corporate network. Technologies include:
1) Firewall / unified threat management (UTM):
• Firewall: assesses traffic over a network and subsequently allows or denies network access based on previously determined specifications and policies
• UTM: integrates a number of security features into one device, namely a firewall, network intrusion detection & prevention as well as the securing of web / email gateways
• $7.7B market in 2015
2) Intrusion detection & prevention (IDP):
• Monitors the network continuously, informing IT teams when detecting security violations or information leakage
• $2.2B market in 2015
3) Email / messaging security:
• Scans emails for spam, malware, viruses and phishing attempts; encrypts outbounds
• $2.0B market in 2015
4) Web security:
• Employs anti-malware to protect employees from accessing malicious websites, while using web application firewalls (WAFs) to protect against external users attempting to gain access to internal systems
• $2.0B market in 2015
Source: IDC, Morgan Stanley, Momentum Partners
Monitoring / forensics
Aims to detect potential breaches quickly, remediate the problem and prevent future occurrences. Technologies include:
1) Security information & event management (SIEM):
• Aggregates, standardizes and stores all of the data from network & security devices
• Allows greater visibility into user activity, enabling enterprises to more quickly identify malicious behavior
• $1.9B market in 2015
2) Vulnerability assessment:
• Scans enterprise infrastructure to identify vulnerabilities and remediate exposure to threats
• Employs penetration testing products, which simulate attacks to find potential areas of weakness
• $1.7B market in 2015
3) Forensics & incident investigation:
• Captures how an intrusion affects a company’s files & systems
• Uncovers historical vulnerabilities, which may have caused breaches, to remediate future attacks
• $0.5B market in 2015
Source: IDC, Morgan Stanley, Gartner
Other
Essentially anything else that hasn’t already been covered but falls within the larger cybersecurity umbrella. Technologies include:
1) Policy & compliance:
• Helps companies remain compliant with the increasingly complex set of security regulations
• Involves writing reports, providing audit information and establishing security policies
• $1.2B market in 2015
2) Security system & configuration management:
• Increases visibility over enterprise perimeter security products, such as firewalls and web security
• Used to configure and monitor the health of security systems
• $0.1B market in 2015
3) Security services:
• Include IT consulting and systems integration
• Help enterprises design their security architecture, deploy software and integrate security products
• $19.4B market in 2015
Source: IDC, Morgan Stanley
Security industry by use case
Global security market breakdown, 2015 ($55B market in 2015):
• Network threat prevention, 25%
• Endpoint threat prevention, 17%
• Access control, 13%
• Monitoring / forensics, 7%
• Other, 38%
Network and endpoint protection lead the way, with the $19B security services market captured in “other”
Note: “Other” bucket is comprised of policy & compliance, security system & configuration management and security services.
Source: Gartner
Selection criteria & analysis of sub segments
PitchBook screen employing the following criteria:
Tier 1:
1) Vertical: cybersecurity
2) Stage: incubator / angel (limited to Bay Area deals including either Y Combinator or 500 Startups), seed, series A
3) Deal date: last two years
4) Headquarters: California, Texas, Washington, Oregon, Colorado
Tier 2:
1) Vertical: cybersecurity
2) Stage: seed, series A
3) Deal date: last two years
4) Headquarters: New York, Massachusetts, D.C. area
Note: Data as of October 28, 2016.
Source: PitchBook
Tier 1 – led by infrastructure and cloud security
[Chart: Security investments by type, 110 companies total]
Note: Data as of October 28, 2016.
Source: PitchBook
Tier 2 – east coast led by infrastructure, email / messaging and mobile security
[Chart: Security investments by type, 32 companies total]
Note: Data as of October 28, 2016.
Source: PitchBook
Areas we will be exploring for future security investments
Verticals:
• IAM: $25B market projected by 2022
• Infonomics: “are all these products worth their cost?” – every CISO ever
• Cloud security: 15% of enterprise spend today, rising to 33% by 2018
• IoT: over 25% of identified attacks in enterprises will involve IoT by 2020
Horizontal technology:
• AI & machine learning: 22% cyber intelligence market share (#1 end market)
Source: Forbes, IDC, Gartner, TechEmergence, Grand View Research
Prominent players within our focus areas
Focus areas: IAM, Infonomics, Cloud security, IoT, AI & machine learning
(Blue Coat & Elastica)
(Palerra)
Source: Morgan Stanley, PitchBook, Gartner, press
Where our portfolio companies fit in all of this
• Cloud / CASB
• Endpoint – AI & machine learning
• Network
Security VC investments will likely see a slight dip in 2016, but still well above median
Total security venture investments globally:
• 2006: 206
• 2007: 190
• 2008: 197
• 2009: 159
• 2010: 194
• 2011: 149
• 2012: 340
• 2013: 356
• 2014: 440
• 2015: 462
• 2016E: 405 (projected)
Median = 206
Note: Data as of October 18, 2016.
Source: Pitchbook
Top security investors – last three years
[Chart: Top investors by # of security investments. Legend: Not considered top investor in last 12 months]
Note: Data as of October 18, 2016. Excludes accelerator & pre-seed rounds. Excludes individuals.
Source: Pitchbook
Top security investors – last twelve months
[Chart: Top investors by # of security investments. Legend: Only recently considered top investor in last 12 months]
Note: Data as of October 18, 2016. Excludes accelerator & pre-seed rounds. Excludes individuals.
Source: Pitchbook
Regulations within the security industry have seen increased attention in recent years
• 1996: Health Insurance Portability and Accountability Act (HIPAA)
• 1999: Gramm-Leach-Bliley Act
• 2002: Federal Information Security Management Act (FISMA); part of Homeland Security Act
Among other things, mandated that healthcare organizations, financial institutions and federal agencies protect their systems & information. However, some argued the language within was too vague
• 2003: President’s National Strategy to Secure Cyberspace (Bush)
Made Dept. of Homeland Security responsible for national security guidance & solutions
• 2012: Cybersecurity Act of 2012 (failed to pass through Senate)
Aimed to create standards for protecting vital infrastructure
• 2013: Improving Critical Infrastructure Cybersecurity (White House-issued)
Allows the Executive Branch to share information about threats with companies & individuals
• 2013: Cyber Intelligence Sharing and Protection Act (CISPA)
Protects against lawsuits aimed at companies that disclose breach information
• 2015: Cybersecurity National Emergency Declared (Obama)
Executive order to include $14B for cybersecurity spending in 2016 budget