Enterprise cybersecurity technology research that connects the dots.

Famine to Feast and Back: Startups Adjust to Economic Realities

Cybersecurity is a hotbed of startup activity, and with good reason. Startups typically look for an IPO or acquisition, but right now IPOs are off the table.

6 Min Read
Two people shaking hands
Source: Naor Eliyahu via Pixabay

As many readers will be aware, cybersecurity is Startup Central, or perhaps even Startup Heaven. Cyber is, after all, the only inherently adversarial segment of the IT industry, where a vendor's "competition" isn't just the half a dozen other companies that make something similar but the thousands of threat actors trying to circumvent their product for their own nefarious ends. This in turn creates an imperative to innovate that goes far beyond other sectors of IT, simply because the bad folks are busy innovating on their side.

To keep up with this "Need for the New and Different," established cyber vendors cannot rely on their internal resources, which are already tied up keeping large customer bases happy on their existing products. As such, it is a long and well-established practice for them to outsource innovation, and the accompanying development work it entails, to a hyperactive startup community, spread primarily across Silicon Valley, southern Massachusetts, and Israel (the Unit 8200 connection). Indeed, according to Omdia's Cybersecurity Funding Tracker (subscription required), reviewing startups founded since 2019, of the 557 vendors we looked at in the latest edition, 48% were US-based, with the next largest location being Israel, with 10% of the companies.

They adopt what might be called the Mao Zedong horticultural approach to fostering change, as outlined in a speech he made in Beijing in 1957:

"Letting a hundred flowers blossom and a hundred schools of thought contend is the policy for promoting progress in the arts and the sciences…"

Of course, in Mao's case that policy led to the disastrous excesses of the Cultural Revolution. In the world of cyber, on the other hand, it enables the Big Beasts at the top of the vendor food chain to observe multiple startups as they address a new tech challenge, then at the right time, pursuing the flower analogy, to pick the one that best suits their needs. A round of M&A then ensues.

Technology Land Grab

This approach to developing new technology frequently leads to what tech analysts and journalists refer to as a land grab, in which half a dozen or more startups disappear in quick succession into the belly of those larger vendors, with the latter urged on by their own research departments and Wall Street analysts. Just in the last two decades, we've had land grabs in:

  • data leak prevention (DLP) in the mid-2000s, when a month barely went past without a major player in cyber picking up a DLP startup that was often barely 3 years old, and

  • cloud access security brokers (CASBs) and cloud security posture management (CSPM) in the second half of the 2010s, when the same sort of process took place, with big names snapping up specialist minnows to fill out their cyber portfolios.

Expect more to follow. And if you're interested in where the next gold rush (excuse the mixed metaphor here) might take place, Omdia's Funding Tracker can provide some pointers, at least in terms of which sectors have received the most VC money of late: While network security is a hardy perennial, we find that data, cloud, and application security all come close behind (bearing in mind that the last two categories are also converging nowadays).

For the startups themselves, and more particularly for those that are VC-funded, there are effectively two exit routes, by which their investors get their money back. They either go for a flotation on the stock market (aka the IPO route), or they are acquired by a larger vendor (the M&A route).

The IPO route enables the original founders to retain control over their creation, not to mention appearing in photos ringing bells to start the day's trading when the IPO is on the NYSE. The M&A route, on the other hand, keeps them in "golden handcuffs" for a couple of years, working for the new owners and swapping the title of CEO for something like Head of Product Marketing at the larger entity. Not surprisingly, most of them move on as soon as it is legally possible and, nine times out of 10, found another startup.

Hard Road Through a War-Torn Landscape

While IPOing (IPO used as a verb here, a neologism that is common in cyber) clearly has its attractions, it is also a harder road, in that it depends directly on the market, and ultimately broader economic, conditions. If investors are bearish, as when the short-to-midterm prospects for the economy are gloomy, the IPO market tends to shrink, if not dry up for a while. That is the situation we find ourselves in now, which explains why a company like EDR vendor Cybereason was obliged to postpone plans for flotation in mid-2022, laying off around 10% of its staff as it did so. Cloud security vendor Lacework went even further, reducing its headcount by 20% around the same time.

With the ongoing war in Ukraine, a trade war brewing with China, and inflationary pressure coming out of the pandemic, the immediate future is decidedly uncertain, and Omdia does not expect the IPO market to switch back from famine to feast mode any time soon. As such, it is a buyers' market for cyber startups, in that there are multiple young companies with interesting technology and no route to IPO for the time being, making them natural acquisition targets for Big Beasts with a checkbook. Any number of them are definitely in the shop window right now.

Cheap Deals to Come?

Today's macroeconomic conditions are definitely showing an impact on investments in the cybersecurity industry. Most visible are the layoffs going on since last year in the tech world, which may in turn have affected the amount of investment in mergers and acquisitions. Looking at the past nine quarters starting with 1Q21, we saw 1Q23 was the first quarter to have negative year-over-year growth in investments. The 1Q23 number of deals was down to almost half of what we saw in 1Q22.

Post-pandemic M&A activities gained pace from the second half of 2021. From a number-of-deals perspective, the first quarter of 2022 was the highpoint. Meanwhile from a deal-size perspective, the second quarter of 2022 showed the highest recorded investment in the last three years, even excluding the largest single deal, namely Broadcom's $61 billion acquisition of VMware.

According to the Cybersecurity Mergers and Acquisitions Tracker (subscription required), there were 141, 187, and 249 M&A deals in 2020, 2021, and 2022, respectively. It will be interesting to see how 2023 plays out, as in 1Q23 we recorded only 53 deals, with $1.4 billion of investment, which is the lowest of the last two years. In other words, if prospective buyers were being more cautious with their money in the early part of this year, will that caution continue, or were they just holding back until later in the year, when deals may be cheaper?

About the Authors

Rik Turner

Senior Principal Analyst, Cybersecurity, Omdia

Rik is senior principal analyst in Omdia's IT security and technology team, specializing in cybersecurity technology trends, IT security, compliance, and call recording.  He provides analysis and insight on market evolution and helps end users determine what type of technology and which vendor they should be pursuing.

Rik has also worked in Omdia's financial services technology team, with a specialization in capital markets technology. Prior to joining Omdia, he worked as an IT journalist, specializing in networking and security, and as a foreign correspondent in Brazil, where he worked, among others, for the Financial Times and The Economist.

Ketaki Borade

Senior Analyst, Omdia

Ketaki supports Omdia's Infrastructure Security research practice. She is responsible for qualitative and quantitative analysis of the key vendors in the service. She provides insights into technology, market trends, and the competitive landscape.

Ketaki brings her 9 years of experience in consulting and syndicate research to this role. Ketaki has researched the Semiconductor market for 3 years with MarketsandMarkets. Prior to joining Omdia, she worked with Canalys for 5 years as a Cybersecurity Analyst. She was leading the North American security practice for Endpoint security, Network security, Email and Web security, and Vulnerability management with Channels insights. Ketaki has a Bachelor in Electronics and Telecommunications and Master’s degree in Operations.

Besides being an Analyst, she is passionate about dancing. Ketaki is a trained classical dancer in multiple dance forms and has been performing professionally for the last 20 years.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights