Why The Merging Of The DevOps Driven Cloud And Cybersecurity Will Create Dozens Of New Category Leaders
By Kara Nortman
As an associate at Battery Ventures in 1999, one of my first VC mentors told me that he would only fund companies that were creating a new category and that could be valued at $1 billion or more, a fairly radical idea in 1999. He went on to say (only somewhat tongue in cheek) that if the company was in an existing category,
I should make up a new category before I pitched him on the investment or else it would never be worth $1Bn+. Twenty years later, this notion of funding the “category creator” is old news in venture, simply by looking at what Tesla (market cap of $185B) did for electric cars, what Stripe (est. valuation of $36B) did for payments, and Qualtrics (purchased by SAP for $8B in 2019) did for experience management. Companies that become synonymous with a new category typically capture 76% of total market capitalization.
Even given all of this lip service (real and cliche) paid to “category creators,” the opportunity being created around data and cybersecurity in the cloud has to be one of the single biggest category creation opportunities I have seen in my venture career. Because as we experience this accelerated shift to the cloud, everything about how businesses work – and spend – have to change.
The shift to the cloud requires new tools and processes, fast.
The massive paradigm shift to cloud requires a very different skill set than on premises. Whereas once IT and DevOps were considered the foundation and cybersecurity was “a final ‘check the box’ for compliance”, this model simply can’t exist in a dynamic cloud-based world. The acceleration with which remote and distributed activity is happening requires these two disciplines to mesh even faster. Everything that was once done on premise must now be done in the cloud and must be done using tools built and optimized for the cloud environment. That puts cloud-based cybersecurity innovators in a unique and valuable position of being revenue-generating quickly relative to other new categories, while simultaneously creating and defining a new space (cloud-first security products).
Category leaders will need to think cybersecurity first while also playing well with existing tech titans.
Because of this migration to the cloud and other factors like data legislation and explosion of data generation from users and machines, cybersecurity is not just experiencing massive growth but also is becoming an extension of configuration management and good data hygiene.
Important to note the picks and axes of the cloud will continue to be dominated by a handful of the biggest tech companies in the world. Over the last decade, AWS, Microsoft Azure and Google Cloud Platform have grown to over $80B in annual cumulative revenue. The fast followers trying to take share in this area are not start-ups, but rather IBM, Oracle and Alibaba.
The new generation of cloud-first cybersecurity logos will emerge from companies that enable developers to work on top of these platforms, work across these platforms and consider security from the start. While the large cloud infrastructure providers offer different levels of solutions with built-in security, best practice will be building on top of multiple clouds. Most companies building infrastructure and applications in the cloud are looking to utilize third party software to enable and protect this type of new “multi-cloud” environment versus rely entirely on a single cloud provider’s specific security tools.
“Protect” is the key word here – market data from Gartner and AustCyber predict the global cybersecurity market will be worth $270B, and with a 2020 value of $173B, there is roughly $100B of new value up for grabs over the next 6 years with new attack vectors emerging every day in the cloud. But compared to the $5.2T of cybercrime that Accenture predicts is at risk globally over the next half decade , it is clear security cannot be an after-thought or final check the box, relegated to some separate silo and budget “over there.” Security has to be integrated into workflows for the sake of business agility. Even the most advanced DevOps organizations cannot be both compliant to security protocols and responsive to customer feedback unless there is a unification of IT and Security from the start. This union highlights one of the most important strategic partnerships in the modern enterprise: the CISO and the CTO. We see the convergence of these leaders creating a new category that we believe will be home to multiple Deca-unicorns in the 10 – 15 years.
Company leaders are already figuring this out – and organizing around it.
One of the simplest proof points for the likelihood of new category creators is the rise of a new title or the merging of existing titles, and this is happening. With the emergence of the secure cloud, Architects are now giving way to Cloud Architects, and potentially soon to be called Multi-Hybrid-Cloud Architect or even Chief Cloud Architect, who has a team that encompasses different environments. Another increasingly common role is the business information security officer (BISO), now a position at 35% of enterprises and 21% of mid market companies.
At the same time, titles are extending for developers. While the practice of DevOps became mainstream just over ten years ago, it is increasingly giving way to DevSecOps in the last five. As cloud-first becomes standard and security is closely integrated with development and infrastructure management, I wouldn’t be surprised if titles return simply to Developers and Architects, but for now the longer titles indicate a big change. When companies are organizing and prioritizing around business challenges of getting live and expanding in the cloud, investment in software to help solve these same challenges for a broader set of employees is sure to follow.
For all these reasons, cloud and security are coming together to act as a joint enabler of faster, more scalable business, versus being at odds. In fact, anecdotally we are beginning to see more and more founders building security companies coming out of IT roles and seeing the CIO and CISO role held by the same person in some organizations who are moving aggressively to the cloud.
But unlike many category shifts that elapse slowly, in this case, cloud budgets and analogies to the on-premise world are well understood by the C-suite, making it easier for new security category leaders to emerge not just due to adoption and usage, but more critically, with fast time to budget and real dollars flowing through the P&L. Once business leaders have committed real, recurring dollars to a software category, we know there’s momentum.
Over the last few years, we at Upfront have funded oriented companies that are commanding budgets that for decades were dedicated to on-premise solutions. Each are tackling a different sector of the category, whether securing devices (Fleetsmith, acquired by Apple), securing data (Open Raven) or managing identity and access (to be announced soon!). As I increasingly hear about data centers spun up in the cloud by a single developer with a credit card in seconds and with hundreds of millions of people working from home, it’s clear we are at very beginning of this sea change requiring cybersecurity to become the key enabler of this shift to the cloud.