Top Banner
Security industry overview December 2016
29

Security industry overview

Jan 07, 2017

Download

Technology

Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Security industry overview

Security industry overview

December 2016

Page 2: Security industry overview

Agenda

2

Security overview

Current technologies

Startup landscape

Industry regulation

Page 3: Security industry overview

Data breaches are here, and they’re not going away anytime soon

“We believe that data is the phenomenon of our time. It is the world’s

new natural resource. It is the new basis of competitive advantage, and it

is transforming every profession and industry. If all of this is true – even

inevitable – then cyber crime, by definition, is the greatest threat to every

profession, every industry, every company in the world.”

– IBM chairman, CEO and President Ginni Rometty

3

Page 4: Security industry overview

These trends get us most excited about security

4Source: Morgan Stanley

• Targeted attacks: sophisticated malware attacks are avoiding traditional firewalls and seeking vulnerable entities

• Nation-state involvement: nation-states are increasingly funding attacks, driven by not only economic incentives but also political motives

• Dynamic malware: attackers can now sense potential environment detection and manipulate appearance

With the increase in the number of breaches in recent years, there is a growing perception amongst CISOs that the current security paradigm isn’t effective enough.

Increasingly malicious threat environment

Expanding surface area

Current security ineffectiveness

• Cloud apps and infrastructure: we’re witnessing a rise in vulnerability from the increased adoption of cloud-based applications

• Mobility: enterprises are looking to secure mobile applications, as bring-your-own-device (BYOD) becomes the new standard

• Internet of Things (IoT): rapid growth in the number of connected devices is evident

• Incident count: number of security incidents occurring annually is at an all-time high

• Incident cost: as it becomes more and more costly to remediate hacks, enterprises will continue to allocate a higher portion of their IT budget on superior security products

Page 5: Security industry overview

0

10

20

30

40

50

60

2009 2010 2011 2012 2013 2014 2015

5

Cybersecurity is a growing problem, despite increased spend on technology & services

Source: Morgan Stanley, press

Total number of cybersecurity incidents, worldwide

Recent high-profile hacks

September 2016

May 2016

March 2016

September 2016

August 2016

Page 6: Security industry overview

$3.0

$3.1

$3.2

$3.3

$3.4

$3.5

$3.6

$3.7

$3.8

$3.9

$4.0

2013 2014 2015

6

The cost of cyber breaches has increased significantly as well

Source: Morgan Stanley

Average cost of a data breach (US$m)

Page 7: Security industry overview

Typical attack life cycle

7

Step 1Research:

Hackers want PII, PHI

and PEI.

Step 5Monetization:

They sell the data to

people who want it.

Step 4Capture:

They take the data & store

it away slowly.

Step 2Infiltration:

They attack.

Step 3Discovery:

They’re inside. They find what

they are looking for.

Page 8: Security industry overview

$0

$20

$40

$60

$80

$100

$120

$140

2015 2016E 2017E 2018E 2019E 2020E

8

The security market is poised for robust growth

Source: Morgan Stanley

$55B marketin 2015

$128B marketby 2020

Security market (US$B)

Page 9: Security industry overview

$10.3

$12.7 $13.1

$14.0

$19.0

$10.0

$11.0

$12.0

$13.0

$14.0

$15.0

$16.0

$17.0

$18.0

$19.0

$20.0

2013 2014 2015 2016E 2017E

9

U.S. federal spending in security is expected to grow 35% YoY in 2017…

Source: Morgan Stanley, FISMA Annual Report to Congress

Federal cybersecurity budget (US$B)

Page 10: Security industry overview

…while non-government security spend is also on the rise

10Source: Forbes

$500m $400m $300m $250m

$1.5B spent on cybersecurity annually between these four alone…AND THAT NUMBER IS EXPECTED TO GROW

The U.S. financial services cybersecurity market reached $9.5B in 2015, becoming the largest non-government cybersecurity market.

Annual budget:

Page 11: Security industry overview

Agenda

11

Security overview

Current technologies

Startup landscape

Industry regulation

Page 12: Security industry overview

Access control

12Source: IDC, Morgan Stanley, Gartner

1) Identity & access management (IAM):• Captures user identities and controls access to resources by checking user rights

and restrictions• Is an area of increasing focus for enterprises as a number of recent high profile

breaches have resulted from insiders gaining access to critical files• $5.5B market in 2015

2) Virtual private network (VPN):• Creates secure connections between users at home or in remote offices and the

corporate network• Creates a virtual tunnel using encryption and authentication protocols• $0.5B market in 2015

3) Data loss prevention (DLP):• Makes sure that users do not send critical information outside a corporate network,

with a dedicated administrator controlling what data users can transfer• $0.9B market in 2015

Selective restriction of access to a place or other resource. Technologies include:

Page 13: Security industry overview

Endpoint threat prevention

13Source: IDC, Morgan Stanley, Gartner

1) Consumer endpoint:• Includes personal firewalls and anti-virus

protection• Also now beginning to prevent malware,

secure mobile devices and safeguard against identity theft & online transactions

• $4.8B market in 20152) Corporate endpoint:

• Protects corporate devices from the installation of malicious software that seeks to disrupt business processes and / or steal confidential data

• Multiple layers of protection, aiming to identify, prevent, block and contain known and unknown threats on devices themselves

• $4.4B market in 2015

Aims to protect the perimeter of the company. Technologies include:

Page 14: Security industry overview

Network threat prevention

14Source: IDC, Morgan Stanley, Momentum Partners

1) Firewall / unified threat management (UTM):• Firewall: assesses traffic over a network and subsequently allows or denies network

access based on previously determined specifications and policies• UTM: integrates a number of security features into one device, namely a firewall, network

intrusion detection & prevention as well as the securing of web / email gateways• $7.7B market in 2015

2) Intrusion detection & prevention (IDP):• Monitors the network continuously, informing IT teams when detecting security

violations or information leakage• $2.2B market in 2015

3) Email / messaging security:• Scans emails for spam, malware, viruses and phishing attempts; encrypts outbounds• $2.0B market in 2015

4) Web security:• Employs anti-malware to protect employees from accessing malicious websites, while

using web application firewalls (WAFs) to protect against external users attempting to gain access to internal systems

• $2.0B market in 2015

Seeks to prevent unauthorized access to the corporate network. Technologies include:

Page 15: Security industry overview

Monitoring / forensics

15Source: IDC, Morgan Stanley, Gartner

1) Security information & event management (SIEM):• Aggregates, standardizes and stores all of the data from network &

security devices• Allows greater visibility into user activity, enabling enterprises to more

quickly identify malicious behavior• $1.9B market in 2015

2) Vulnerability assessment:• Scans enterprise infrastructure to identify vulnerabilities and remediate

exposure to threats• Employs penetration testing products, which simulate attacks to find

potential areas of weakness • $1.7B market in 2015

3) Forensics & incident investigation:• Captures how an intrusion affects a company’s files & systems• Uncovers historical vulnerabilities, which may have caused breaches, to

remediate future attacks• $0.5B market in 2015

Aims to detect potential breaches quickly, remediate the problem and prevent future occurrences. Technologies include:

Page 16: Security industry overview

Other

16Source: IDC, Morgan Stanley

1) Policy & compliance:• Helps companies remain compliant with the increasingly complex set

of security regulations• Involves writing reports, providing audit information and establishing

security policies• $1.2B market in 2015

2) Security system & configuration management:• Increases visibility over enterprise perimeter security products, such as

firewalls and web security• Used to configure and monitor the health of security systems• $0.1B market in 2015

3) Security services:• Include IT consulting and systems integration• Help enterprises design their security architecture, deploy software

and integrate security products• $19.4B market in 2015

Essentially anything else that hasn’t already been covered but falls within the larger cybersecurity umbrella. Technologies include:

Page 17: Security industry overview

Network threat prevention, 25%

Endpoint threat prevention, 17%

Access control, 13%Monitoring /

forensics, 7%

Other, 38%

Security industry by use case

17Source: Gartner

$55B market in 2015

Network and endpoint protection lead the way, with the $19B security services market

captured in “other”

Global security market breakdown, 2015

Note: “Other” bucket is comprised of policy & compliance, security system & configuration management and security services.

Page 18: Security industry overview

Agenda

18

Security overview

Current technologies

Startup landscape

Industry regulation

Page 19: Security industry overview

Selection criteria & analysis of sub segments

19Source: PitchBook

Tier 1:

1) Vertical: cybersecurity

2) Stage: incubator / angel (limited to Bay Area deals including either Y Combinator or 500 Startups), seed, series A

3) Deal date: last two years

4) Headquarters: California, Texas, Washington, Oregon, Colorado

Tier 2:

1) Vertical: cybersecurity

2) Stage: seed, series A

3) Deal date: last two years

4) Headquarters: New York, Massachusetts, D.C. area

PitchBook screen employing the following criteria:

Note: Data as of October 28, 2016.

Page 20: Security industry overview

19

109 9

87

65 5

4 4 4 43

2 2 21 1 1 1 1 1 1

0

2

4

6

8

10

12

14

16

18

20

Tier 1 – led by infrastructure and cloud security

20Source: PitchBook

Note: Data as of October 28, 2016.

Security investments by type

110 companies total

Page 21: Security industry overview

10

3 3

2 2 2 2

1 1 1 1 1 1 1 1

0

2

4

6

8

10

12

Tier 2 – east coast led by infrastructure, email / messaging and mobile security

21Source: PitchBook

Note: Data as of October 28, 2016.

Security investments by type

32 companies total

Page 22: Security industry overview

Areas we will be exploring for future security investments

22Source: Forbes, IDC, Gartner, TechEmergence, Grand View Research

IAM Infonomics

Cloud

securityIoT

IAM: $25B market projected

by 2022

Infonomics: “are all these

products worth their cost?” –

every CISO ever

IoT: over 25% of identified

attacks in enterprises will

involve IoT by 2020

Cloud security: 15% of

enterprise spend today, rising

to 33% by 2018

AI & machine learning

Verticals:

Horizontaltechnology:

AI & machine learning: 22%

cyber intelligence market share

(#1 end market)

Page 23: Security industry overview

Prominent players within our focus areas

23Source: Morgan Stanley, PitchBook, Gartner, press

IAM Infonomics

Cloud

securityIoT

AI & machine learning

(Blue Coat & Elastica)

(Palerra)

Page 24: Security industry overview

Where our portfolio companies fit in all of this

24

Cloud / CASBEndpoint – AI &

machine learningNetwork

Page 25: Security industry overview

206 190 197

159

194

149

340 356

440 462

405

0

50

100

150

200

250

300

350

400

450

500

2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016E

Security VC investments will likely see a slight dip in 2016, but still well above median

25Source: Pitchbook

Note: Data as of October 18, 2016.

Total security venture investments globally

Projected

Median = 206

Page 26: Security industry overview

Top security investors – last three years

26

28

23

2120 20

1918

1716

14 14 14 14 14

0

5

10

15

20

25

30

Source: Pitchbook

Note: Data as of October 18, 2016. Excludes accelerator & pre-seed rounds. Excludes individuals.

Top investors by # of security investments

Not considered top investor in last 12 months

Page 27: Security industry overview

13

9

7 7 7

6 6 6

5 5 5 5 5 5

0

2

4

6

8

10

12

14

Top security investors – last twelve months

27Source: Pitchbook

Note: Data as of October 18, 2016. Excludes accelerator & pre-seed rounds. Excludes individuals.

Top investors by # of security investments

Only recently considered top investor in last 12 months

Page 28: Security industry overview

Agenda

28

Security overview

Current technologies

Startup landscape

Industry regulation

Page 29: Security industry overview

Regulations within the security industry have seen increased attention in recent years

29

Among other things, mandated that healthcare organizations, financial institutions and federal agencies

protect their systems & information. However, some argued the language

within was too vague

1996 1999 2002 2003 2012 2013 2013

Health Insurance

Portability and Accountability

Act (HIPAA)

Gramm-Leach-Bliley Act

Federal Information

Security Management Act (FISMA);

part of Homeland

Security Act

President’s National

Strategy to Secure

Cyberspace (Bush)

Made Dept. of Homeland

Security responsible for

national security guidance & solutions

Aimed to create standards for

protecting vital infrastructure

Cybersecurity Act of 2012

(failed to pass through Senate)

Improving Critical

Infrastructure Cybersecurity (White House-

issued)

Allows the Executive Branch

to share information

about threats with companies

& individuals

Protects against lawsuits aimed at companies that disclose

breach information

Cyber Intelligence Sharing and

Protection Act (CISPA)

2015

Cybersecurity National

Emergency Declared (Obama)

Executive order to include $14B for cybersecurity

spending in 2016 budget