It wasn’t long ago when it seemed like the tide was beginning to turn on ransomware. But 2023 has shown us that’s not the case: We’re only halfway through the year, yet hackers are already claiming more victims than ever before, reaffirming the importance of cybersecurity for every business.
While 2023 has been fruitful for hackers, it has been less so for the startups trying to defend against them. Investment in cybersecurity has fallen well below the record highs recorded in previous years: Security startups saw $2.7 billion in funding the first quarter of the year, a 58% drop from the $6.5 billion recorded in Q1 2022. And just 149 were deals announced in Q1 2023, the lowest total in years and a 45% drop from a year earlier.
We’re looking for founders to participate in a TechCrunch+ survey about the usefulness of various founder-focused events.
If you’re a founder and have something to share about your experiences at such events, fill out this form.
Investors, however, remain optimistic. The explosion of large language models and generative AI has many excited about the technology’s potential in the cybersecurity space. Others believe that the need to secure the cloud and connected devices — coupled with a drop in valuations — makes now the perfect time to invest.
We checked in with some of the leading investors in cybersecurity to hear their thoughts on the funding slowdown, what market trends they are most excited about, and cybersecurity’s ongoing diversity problem.
We spoke with:
- Alex Doll, founder and managing general partner, Ten Eleven Ventures
- Barak Schoster, venture partner, Battery Ventures
- Sheila Gulati, managing director, Tola Capital
- Umesh Padval, venture partner, Thomvest Ventures
- Andreas Calabrese, general partner, Tampa Bay Ventures
- Deepak Jeevankumar, managing director, Dell Technologies Capital
- Mark Kraynak, founding partner, Acrew Capital
- Ariel Tseitlin, partner, Scale Venture Partners
Alex Doll, founder and managing general partner, Ten Eleven Ventures
Funding for cybersecurity startups has flatlined. How has your investment strategy changed to reflect the new market conditions?
We successfully closed our latest cyber-only, stage-agnostic global fund in June 2022 and are actively deploying capital from it. Despite the current environment, our investment strategy is largely the same as it has always been, although, within our cyber-only, stage-agnostic and global mandate, we are always agile and adjusting to look for the stages, subsectors and geographies where we see the most significant opportunity at the best value.
Right now, those subsectors include new approaches in the software supply chain, identity, privacy and trust. We are actively investing across stages where we see market opportunity and compelling tech. Just last week, we announced a seed investment in Silent Push and a Series B investment in Blackbird.ai. We’re still hunting actively, including meeting with several inspiring entrepreneurs at InfoSec in London.
While growth-stage opportunities have decreased at the pre-IPO stage with the downturn in the public market, we’ve found some very exciting prospects at Series B and C, where non-cyber specialist funds have pulled back, and we’ve been able to be strategic in helping those companies on their next chapter.
What advice would you give your portfolios to survive the current challenging market?
During uncertain and potentially scary times like these, leaders must stay close to their teams, communicate an inspired and motivating vision, and give team members time together to solve problems collaboratively. This kind of culture can be challenging to reinforce as we normalize from the pandemic; we are still adjusting to remote work routines and have experienced a lot of shocks (including the SVB crisis) over the last 12 months. But it is more important than ever.
Given that many public cybersecurity companies are posting faster revenue growth than other tech companies, should cybersecurity startups lean more heavily into pursuing revenue growth over cash conservation than the average startup today?
There has undoubtedly been a shift in perspective; investors are now more heavily weighting capital efficiency metrics when making investment decisions for cybersecurity companies raising new rounds. So companies need to keep these metrics in mind, especially early on, and as they approach maturity.
On the other hand, companies should be mindful of not “starving growth” by underinvesting in sales and marketing or, importantly, R&D. Experimentation is still essential when developing the best go-to-market strategy for new products and for new audiences.
There should be more intention around measuring the spending on R&D and looking for leading indicators of success as projects develop. For example, there is always a lot of attention on quantifying the marketing/sales funnels and channels (and for good reason), but I am always amazed at how little time is spent on R&D productivity metrics. R&D productivity stats may be less developed and more subjective to a degree, but that’s “art” that is required learning for every cybersecurity CEO.
Every R&D resource needs to be accountable to the team/business, like sales and marketing are accountable every quarter. For example, measuring innovation release cycles and the number of true “market tests” can be a very predictive but overlooked statistic for early-stage companies. Great companies have an inherent urgency in their innovation cycle times.
Is cybersecurity-focused venture capital in a downturn? Do you expect venture investment in the category to pick up in the back half of the year?
While there has been a decline, cybersecurity investing will accelerate again within the next 12 to 18 months. Cybersecurity spending is still a priority for enterprises, and we are seeing interesting new investment areas — including protecting AI and organizations from the risks of disinformation — that will propel more investment rounds going forward.
Additionally, new funds are being raised right now in the space that will contribute to increased funding levels in the future. Overall, cybersecurity is still seen as a strong growth area, and it is resilient compared to many other sectors.
Valuations have dropped, yet cybersecurity M&A activity remains flat. Are you accelerating your cybersecurity investments to take advantage of lower prices?
We are active where we see well-priced opportunities, of course, and it is refreshing to invest when expectations on valuation are not so inflated. So, yes, we believe it is a good time to invest, and we are actively looking for companies with expectations aligned with today’s environment.
Recent data shows that only 24% of the cybersecurity workforce are women. Are you seeing changes in cybersecurity founder demographics, or do they mirror what we’re seeing among cyber workers more generally?
While most cybersecurity founders we meet are men, we’re seeing increasing numbers of women executives in these companies. Notable examples of innovative CEOs in our portfolio are Poppy Gustafsson, CEO of Darktrace, and Anusha Iyer, founder and CEO of Corsha.
A lot of the research and thought leadership within the portfolio is coming from women, such as Marta Janus, principal adversarial ML researcher at HiddenLayer, or Amanda Berlin, lead incident detection engineer at Blumira, which is exciting. We are actively meeting with new female founders and executives all the time, and would love to meet others who are looking to speak with a cybersecurity specialist investor.
Looking ahead, what cybersecurity trends are you most excited about from an investing point of view?
We think that AI brings several new dimensions to the cybersecurity sector, including augmenting security analysts and making traditional security operations tools easier to use. Also, as you can see with our recent investment in HiddenLayer, machine learning models, including LLMs, must be protected from malicious attacks. We also closely watch new risks emerging from AI-enabled automation, including bots, and symptoms like vast amounts of quickly spreading disinformation.
How do you prefer to receive pitches? What’s the most important thing a founder should know before they get on a call with you?
Historically, we have invited founders to submit via our website or email. The most important details to include are the team’s background, product idea, initial thoughts on early/milestone customers, and some idea of a round size, as well as some thoughts around the “use of proceeds”: Why that amount is required and how the founder would spend it in the next 18 to 24 months to get to the next milestone.
Before they get on a call with us, founders should know that we are cybersecurity specialist investors and already have a lot of knowledge on general dynamics in the space. So beyond general statistics on breaches and industry growth, we would like to know the founder’s unique experience in cybersecurity and how that contributes to the product they are looking to build and grow.
We would like to see early evidence that they are getting early and rapid feedback from potential buyers or design partners. The founding team’s ability to receive and iterate quickly on this feedback is very important. Great companies have inherent urgency in their innovation cycle times, and we think this predisposition can be seen very early in the DNA of a winning founding team.
Barak Schoster, venture partner, Battery Ventures
Funding for cybersecurity startups has flatlined. How has your investment strategy changed to reflect the new market conditions?
Our investment strategy remains consistent. I founded a cybersecurity company before becoming a venture capital investor, and my passion for the sector has not changed. Cybersecurity remains a critical area of focus for Battery, and we have expanded our scope to include other related sectors, including privacy protection, developer tools, cloud computing, data analytics and artificial intelligence. We aim to capture opportunities in adjacent markets that have synergies with the cybersecurity market.
We maintain a long-term perspective and prioritize investments in startups with promising technologies and strong market potential, even if the immediate funding landscape is challenging.
What advice would you give your portfolios to survive the current challenging market?
Focus on the customer: Continue building software that people want, meet customer needs, listen to feedback and proactively address their pain points. Additionally, many cybersecurity companies may need to revisit their go-to-market strategy by exploring different distribution methods (such as direct, managed security service providers, value-added resellers, open source, self-service, etc.); by adapting to the needs and compliance regulations of customers in newly emerging market segments; and by investing in research and development to uncover new opportunities, improve efficiency and differentiate themselves in the market.
It is also critical that companies preserve cash flow and ensure efficient resource allocation. We are advising our companies to closely monitor cash flow and maintain a healthy financial position to ensure sustainability.