As a battery Partner of Ventures in 1999, I spent my nights highlighting real magazines called Red Herring, InfoWorld and The Industry Standard, as well as my personal favorites StorageWorld and Mass High Tech (because other VC associates rarely scanned them).
At 23, I circled the names of much older CEOs who worked at companies like IBM, EMC, Alcatel or Nortel to find out more about what they were doing. Companies were building mainframe-to-server replication technologies, IP switches, and emerging web / security services on top of it.
Flash forward 22 years and somehow nothing has changed. We have gone from the command line to the GUI to now the API as an interface innovation. But humans still need an interface, which works for more types of people on more types of devices. We’re not talking about the OSI stack anymore – we’re talking about the decentralized blockchain stack. We are no longer talking about computing, storing and analyzing data on a mainframe, but rather on the cloud.
The problems and opportunities have remained fairly similar, but the markets and opportunities have become much larger. Cloud companies AWS and Azure alone added $ 23 billion in revenue over the past year, with growth of 32% and 50% respectively – high growth on an already massive basis.
The size of the cybersecurity market has grown immeasurably larger as software is eating the world and more and more people can sit and feast at the table from anywhere on Earth (and, soon enough, in the space).
The size of the cybersecurity market, in particular, has grown immeasurably larger as software is eating the world and more and more people can sit and feast at the table from anywhere on Earth (and , early enough, in space).
Over the past few months, my colleague Spencer Calvert and I have published a series of articles explaining why this market opportunity is growing so rapidly: the rise of multicloud environments, with data being generated and stored faster than anyone can. follow, SaaS applications powering virtually every function of an organization and increasing political power and strategic accountability of CISOs.
This all adds up to an estimated – and we think it prudent – value of $ 100 billion of new market value by 2025 alone, bringing the total market size to nearly $ 280 billion.
In other words, the opportunities are ripe for massive business value creation in cybersecurity. We believe that many unicorns will be built in these spaces, and while we are still in the early days, there are a few specific areas where we are looking to make bets (and a global area, still in development). More specifically, Upfront is actively seeking companies in the following areas:
- Data security and data abstraction.
- Zero trust, widely applied.
- Supply chains.
Data security and abstraction
Data is not a new thesis, but I’m excited to examine the evolution of data stacks from an initial cybersecurity goal. What set of opportunities can emerge if we look at security at the bottom of the stack – fundamental – rather than an application on the top or on the side?
For example, data grows faster than we can secure it. First we need to know where the data is (structured and unstructured), what data is stored, confirm an appropriate security posture, and prioritize fixing the most important issues at the right speed.
Doing this at scale requires intelligent passive mapping, as well as heuristics and rules to extract signal from noise in an increasingly data-rich (noisy) world. Open Raven, an Upfront portfolio company, is developing a solution to discover and protect structured and unstructured data at scale in cloud environments. New large platform companies will be built in the data security space as the point of control moves from the network layer to the data layer.
We believe that Open Raven is poised to be a leader in this area and will also fuel a new generation of “exit” companies or applications yet to be funded. These companies can be as big as Salesforce or Workday, built with data pulled and managed differently from the start.
If we look at security data as it is created or discovered, new platforms like Open Raven can lead to the emergence of a whole new ecosystem of applications, ranging from the ones Open Raven is the most. likely to create internally, such as compliance workflows. – to entirely new businesses that are rebuilding the applications we’ve been using since the dawn of time, which include everything from people management systems and CRMs to product analytics and your marketing attribution tools.
Platforms that lead with a fundamental security-focused lens have the potential to power a new generation of application businesses by laser-focusing on the customer engagement layer or the ‘exit’ layer, leaving Data cataloging, smart data models and third party data applications that manage data mapping, security and compliance.
Put simply, if full stack applications look like layers of the Earth, with UX as the crust, that crust can get better and deeper with fundamental horizontal companies meeting all the requirements for personally identifiable information and the GDPR, which are imposed on companies that currently have data all over. This can free up time for new app companies to focus their creative talent even more on the human-software engagement layer, creating superhuman apps for every existing category.
Zero trust was first invented in 2010, but applications are still being discovered and large companies are building around this idea. Zero trust, for those in the know, is the assumption that anyone who gains access to your system, devices, etc., is a bad actor.
It might sound paranoid, but think about the last time you visited a Big Tech campus. Could you walk past reception and security without a guest pass or name badge? Absolutely not. Ditto with virtual spaces and access. My first in-depth zero-trust security course was with Fleetsmith. I invested in Fleetsmith in 2017, a young team building software to manage applications, settings and security preferences for organizations powered by Apple devices. Zero trust in the context of Fleetsmith was about device configuration and permissions. Fleetsmith was acquired by Apple in mid-2020.
Around the same time as the Fleetsmith acquisition, I met Art Poghosyan and the Britive team. This team is also deploying zero trust for dynamic permissions in the cloud. Britive is built on the principle of trustless just-in-time (JIT) access, whereby users are dynamically granted ephemeral access rather than the legacy process of “verifying” and “registering” users. credentials.
By granting temporary privileged access instead of ‘always-on’ credentials, Britive is able to significantly reduce the cyber risks associated with over-privileged accounts, time to manage privileged access and workflows. to streamline privileged access management in multicloud environments.
What’s the next step in zero-based trust (ZBT)? We see device and access as the new perimeter as workers adapt devices and locations for their work and have invested around that with Fleetsmith and now Britive. But we still believe there is more ground to cover for ZBT to permeate more mundane processes. Passwords are an example of something that is, in theory, zero trust (you have to continually prove who you are). But they are woefully insufficient.
The most common path to data breaches is phishing attacks to steal passwords. But how do you get users to adopt password managers, password rotation, two-factor authentication, or even password-less solutions? We want to support simple and elegant solutions for integrating ZBT elements into common workflows.
Modern software is assembled using third party and open source components. This assembly line of public code and third-party API packages is known as the supply chain. Attacks that target this assembly line are called supply chain attacks.
Some supply chain attacks can be mitigated by existing application security tools such as Snyk and other SCA tools for open source dependencies, such as Bridgecrew to automate security engineering and correct configuration errors. and Veracode for security analysis.
But other vulnerabilities can be extremely difficult to detect. Take the supply chain attack that took center stage – the SolarWinds hack of 2020 – in which a small snippet of code was changed in a SolarWinds update before spreading to 18,000 companies different, all of which relied on SolarWinds software for network monitoring or other services.
How do you protect yourself from malicious code hidden in a version update from a trusted vendor that has passed all of your security integrations? How do you maintain visibility across your entire supply chain? Here we have more questions than answers, but securing supply chains is a space we will continue to explore, and we anticipate that large enterprises will be built to safely control, integrate, monitor, and disconnect. third-party vendors, modules, APIs, and other dependencies.
If you are building in one of the spaces above, or adjacent spaces, please reach out. We gladly recognize that the cybersecurity landscape is changing rapidly, and if you agree or disagree with any of the above arguments, I want to hear from you!