Although security needs around software development, applications and data remain, cybersecurity startups likely will continue to battle against a new fundraising reality as 2023 dawns.
Industry experts expect a continued softening of the fundraising market in cyber — despite 2022 easily being the second best year ever in terms of raising venture capital in the industry.
“I think we are going back to normal,” said Alberto Yépez, co-founder and managing director at Forgepoint Capital — which specializes in cybersecurity and infrastructure software investments. “You are already starting to see that.”
2021 set a record for the sector, with more than $23 billion raised by VC-backed startups in network, cloud and cybersecurity, per Crunchbase data. While 2022 will only see around $16 billion, that is still nearly double from 2020.
“Across the board, you are just seeing much more realistic valuations,” said Stephen Ward, managing director at Insight Partners, who invests in cybersecurity. “I think in 2023 you will see the same type of thing we have been seeing the last six months.”
The days of a cybersecurity startup generating less than $1 million in revenue seeking a $300 million pre-money valuation are over, said Yépez. The market is normalizing, he said, especially as more “tourist investors” — those who do not focus on the sector — have left.
That is not to say funding is not available.
“Good companies will get funded,” Ward said. “They always do.”
Dino Boukouris, founding director of San Francisco-based financial advisory firm Momentum Cyber, said while considering VC funding in general it is important to remember there is a record high amount of dry powder — estimated at more than $300 billion for U.S. VCs alone — that needs to be deployed.
“Additionally, cybersecurity spending and budgets continue to rise, even in the midst of a recession,” he said. “As such, given the underlying strength of the industry, coupled with an accelerating amount of dry powder, I expect to see much stronger investment activity [in 2023] as this capital is deployed.”
Looking for an exit
For those cyber startups that have trouble raising cash, more exits may become available, but maybe not the much-dreamed-about IPO.
“With the overall deterioration of the economy — interest rates, supply chain issues, etc. — I don’t see the IPO market opening soon,” said Yépez, adding it could be in late 2023 at the earliest.
However, Boukouris said he believes as soon as the public markets recover, the IPO window will naturally reopen.
“We’re already hearing of companies who are prepping filings for 2023 in anticipation of a market recovery,” he said.
While companies like Snyk, Netskope, Arctic Wolf and others are at the top of the list for IPO hopefuls, a number of them have run into trouble during 2022, with mass layoffs, and other challenges maintaining growth.
“It will be interesting to see which companies will resume IPO preparation and which may seek other alternatives,” Boukouris added.
That alternative could be M&A.
“Right now people have money because of what they raised in 2021,” Yépez said. “But you will see an increase in M&A. Right now, acquirers are sitting on the sidelines … as startups have trouble raising, you will see them act.”
Some of the same things — or offshoots of them — will continue to drive cybersecurity trends in 2023, experts say.
“I think data is the next frontier,” Yépez said. “People do not know where their data even is.”
Startups that can help with assessment, security posture management and data rights and privilege will continue to be looked at by investors, he said.
Also, while the term “shift left” — the practice of moving testing and performance evaluation up in the software development process — will continue to be in vogue, so will “shift up.”
Shift up is the attempt to streamline protections of your clouds, containers, laptops and servers all on one platform. Doing so allows companies to move from more siloed cyber tools and lets them apply rules, privileges and entitlements across the whole operation.
Yépez invested in one such startup — Massachusetts-based Uptycs. There likely will be others that join the market, including larger players like CrowdStrike and Palo Alto Networks.
In general, chief information security officers want fewer single-use tools and more platform plays as they try to stretch their dollars further in a slowing economy, said Ward.
“Tool fatigue is a very real thing,” he said.
“Companies have to ask, ‘What do CISOs want?’ “ he added. “They don’t want long six- to 12-month rollouts. Companies need to be able to show their value proposition quicker.”
Stay up to date with recent funding rounds, acquisitions, and more with the