From Code to Cloud: Security Themes for 2022 and Beyond
Last year was a brisk one for many B2B tech companies, with valuations soaring, and cybersecurity companies were no exception. Security software saw a huge amount of fundraising activity, with companies pulling in $25 billion in VC funding, up 130% year over year. The six highest-valued cybersecurity startups that raised money in 2021 (below) are now worth nearly $50 billion combined. And public security companies, like SentinelOne and Crowdstrike, at one point in the year saw their shares trading at 100 times revenue.
As we begin to navigate a more unpredictable 2022, security remains one budget line item that enterprises likely won’t skimp on. Last year marked a prolific year of cyberattacks. From the SolarWinds breach that may have been by downloaded 18,000 customers (though the company says fewer than 100 were likely hacked), to the Colonial Pipeline cyberattack that threatened a major oil pipeline to the U.S. East Coast, to the Log4j vulnerability that impacted 89% of all IT environments, cybersecurity was front and center in 2021. These threats are only magnified by the risks associated with hybrid and remote work; the ever-increasing adoption of third-party software; and new toolchains around machine learning, crypto, and blockchain, which are expanding the attack surface area. Compounded by significant geopolitical unrest, we believe that the stakes are higher than ever, which increases the importance of IT investments heading into 2022, with security near the top of priority lists.
Below, we synthesize five themes and predictions that we believe will drive security software forward in 2022, and we hope this sparks a dialogue with founders, investors, and operators in the sector.
2022 Security Software Themes & Predictions
- Security evolves to cover four major categories that resemble the software stack.
- Remediation moves to three models: workflows, policies, and triaging.
- Cloud security matures from workloads to pipelines and processes.
- New security attack vectors and toolchains emerge in machine learning and crypto.
- CISOs get their place in the boardroom.
Theme 1: Security evolves to cover four major categories that resemble the software development stack.
The global security-software market exceeded $150 billion in 2021, growing at 12%, according to Gartner. This accounted for spending in categories like Cloud Security Posture Management (CSPM), Cloud Identity Entitlement Management (CIEM), Secure Access Service Edge (SASE), and Static Application Security Testing (SAST). While security software has a long history with acronyms, we believe 2022 will finally be the year that security software evolves from individual, point-products into full-fledged security platforms that map to the broader software-development process.
At its core, software development consists of infrastructure, applications, people, and data. Security software will ultimately be governed by these same four mega categories: infrastructure, identity, applications, and data.
This means CISOs will buy into a cloud-infrastructure security platform, like Wiz or Orca Security for example, instead of stitching together CSPM, CIEM, and CWPP point-products. Approaches like Data Loss Prevention (DLP) will be subsumed by data-security platforms. Vulnerability management will become embedded in platforms across the stack, as every platform adopts detection and remediation capabilities. And network security rightfully becomes a core pillar in identity security. While these seem like obvious transitions that the cybersecurity market needs, we believe the impacts will be profound.
We expect this evolution to drive more M&A to create these platforms. As a result, we believe that there is a $100 billion market-cap company to be built in each of these four categories. More importantly, we believe that in this shift, DevOps, developers, and engineers—who were sold on the promise of developer-friendly security tools—will finally be put in a position to be both the users and buyers of security platforms, expanding the budget and responsibility of security across enterprises.
Theme 2: Remediation moves to three models: workflows, policies, and triaging.
One trend we have been investing in for the last two years has been the shift to security becoming more developer-centric and user-context aware. Alerts are now consumed by users with the most context within an organization, whether they’re developers or working in DevOps, IT, or security. This led to our investments in Bridgecrew* (acquired by Palo Alto Networks), Styra*, and Contrast Security*. One learning from these investments is that successful developer-centric security software pairs both detection and remediation capabilities into the developers’ workflow.
Today we hear the term “remediation” in a lot of company pitches, and it is important to highlight that not all remediation is created equally. The process of remediation is moving away from lists of vulnerabilities with different risk ratings to three main approaches: workflows, policies, and triaging.
Policy-driven remediation enables security products to perform an action in real-time or near real-time by being inline. These can be use-case-centric policies or general-purpose ones. In both cases, the product performs the remediation itself. While we believe the best-in-class platforms will combine both detection with policy-driven remediation, there are other remediation models that continue to generate tremendous value—namely workflows and triaging networks. Workflows such as SOAR (Security Orchestration, Automation and Response) products execute human-defined automated tasks, such as performing daily scans, searching for logs, or blocking emails from a list of malicious URLs. Triaging kicks off a process that is human-assisted. Across the spectrum of remediation options, a product either does the remediation itself or relies on a network or workflow to assist. In the cloud, where there is a shared-responsibility model between cloud vendors like AWS and Azure and their customers, no one model will work for every situation but will require the implementation of policies, workflows, or triaging.
Theme 3: Cloud security matures from workloads to pipelines and processes.
For as long as Gartner coined the term cloud security, it has been focused on workloads and resources: storage, databases, containers, Kubernetes, serverless functions, and cloud environments. Despite the cloud-security market already at $11 billion and growing 20% annually, according to Gartner, it represents less than 10% of total spend on public clouds. With cloud adoption at only about 25% of total IT spend, we believe this just scratches the surface of what a cloud-security platform can be.
In a cloud-native world, resources can be identities, applications, API endpoints, secrets, open-source packages and libraries, or code repositories.
The attack surface is expansive and so much development happens before any code ever touches a production database, S3 bucket, or container cluster. In 2022, we think cloud security will shift away from resources to secure pre-commit workflows, CI pipelines, build systems, dependencies, and artifacts.
In the context of software development, pipelines are a combination of various components that work with each other to provide efficient integration and deployment of code from build-time to run-time. These components consist of code, repositories, artifacts, libraries, build servers, containers, and other third-party tools. Processes represent the act in which these tools and components communicate with each other.
While cloud-native workloads like microservices, containers, and Kubernetes have been leading drivers of digital transformation for many enterprises, they have created easy-to-miss exploits because these systems are now complex sets of third-party software, open-source libraries, dependencies, and configurations all stitched together in pipelines. As a result, the shift to a more-secure cloud involves both workload security and pipeline/process security, and companies like ChainGuard, Cider Security, Garnet, Cycode, and others are leading the way.
Theme 4: New security toolchains emerge in machine learning and crypto.
Most new application toolchains follow a similar evolution. Infrastructure is built to run applications. Observability is applied to monitor the performance, stability, and reliability of the applications. And as the use of these applications matures, and they are adopted by enterprises, security is integrated to ensure safety, risk, and compliance adherence. While new toolchains are defined by new architectural innovations that enable a new set of applications, security is what allows these applications to be consumed by the masses.
Last year brought us the rise of the API economy that emerged with Postman* and the JAM-stack ecosystem at the infrastructure layer, and companies like Noname Security and Salt Security at the security layer. This year may bring forward the rise of machine learning and crypto security. As applications start to be built on a new reference stack, this exposes new attack vectors at the infrastructure layer. Companies like Robust Intelligence and Troj.ai are solving this for machine learning. Similarly, companies like Kurtosis, Chainalysis, and TRM labs are leading the way in crypto and blockchain.
Theme 5: CISOs get their place in the boardroom.
The average tenure for a Chief Security Officer (CSO or CISO) is between 18-26 months. This is one of the shortest in the C-suite, despite this role having immense responsibility. As the decentralization of decisions in security follows the path that led us to SaaS and remote work, the function of a CISO will evolve to one that is strategic, business/outcomes-focused, and visible at the board level. The technical operations of security will be federated to developers, DevOps, and security engineers, while CISOs define security programs, quantify dollar risk exposure, and leverage security, privacy, and trust as a way to build goodwill with customers and partners.
We believe 2022 will be the year cybersecurity finally matures from a group of point-products into platforms, with cloud security leading the charge. Amazon’s AWS, Microsoft Azure, and Google Cloud are cumulatively generating $136 billion in revenue run rate growing at 40%+, according to the companies’ most-recent earnings announcements. With cloud adoption only increasing and driving software’s durable high growth, we believe cybersecurity will be a significant beneficiary. More applications, more migrating workloads, and more data in the cloud only means a larger attack surface area that needs to be secured. Here is to securing 2022 and beyond!