24 July 2023

The Convergence of Cybersecurity and Everything

Cole Grolmus

"So, you're working for the FBI?" This was the exact response I got from my grandpa 15 years ago when I told him I was going to work in security after graduating from college. You've heard your own version if you've worked in the industry long enough.

Cybersecurity hasn't been well understood by the public for long. It's hard to pinpoint exactly when this started to change. Anecdotally, awareness seems to have grown alongside the rise of large data breaches regularly sweeping across news cycles.

Broader public awareness of cybersecurity is a side effect of an industry trend that's been building for years: the convergence of cybersecurity and everything. What used to be a narrow and (relatively) isolated domain now seems to be everywhere in tech and society.

We've all noticed individual instances of this phenomenon in passing. You don't start to understand the true magnitude of it until you see how widespread the convergence has become. The qualitative and quantitive impact is even harder to grasp. Movements are easy to feel and difficult to measure.

There are a few rare occasions when you strike a chord and realize you've found a topic people are interested in. This is exactly what happened to me when I tweeted about the convergence of cybersecurity and broader tech last year:

These companies aren’t successful because they’re cybersecurity companies. They’re successful because they took something that wasn’t inherently secure and made security a core feature. A movement this profound deserves a deeper look.
Convergence with core tech markets

The convergence of cybersecurity and core tech markets is relatively intuitive. Its impact is not. The best way to understand the magnitude is to look at the breadth of domains convergence is touching, along with some relevant anecdotes and data about its impact.
Networking

The convergence of networking and cybersecurity is far along the maturity scale. What began as plan old "networking" has evolved into multiple markets — including Secure Access Service Edge (SASE), estimated by Gartner to be a $15 billion market with a 36% CAGR by 2025.

Roughly half of the SASE market is related to security:

Source: KuppingerCole – SASE Market Overview

Traditional networking companies have fully evolved and converged into major players in the cybersecurity industry. The path towards convergence is an interesting one, nicely illustrated by RBC analyst Matt Hedberg:

Source: RBC – Why the Future of Security Software is “Now”

Cisco and Juniper Networks were early pioneers. Their core networking business (routers and switches) was more than enough to propel both companies to IPOs and establish them as icons of the technology industry.

Fast forward to today, and both companies have made a measurable impact on the cybersecurity industry. Cisco's End-to-End Security business segment now generates $4 billion in annual revenue at a 20% growth rate (as of Q4 2022). It's at the core of the company's growth strategy. From Cisco's Q4 2022 earnings call:

…we shared our strategy to help our customers connect their entire security architecture with our new platform, Cisco Security Cloud, which will be a game changer for them as they look to secure their multi-cloud environments with a single cloud-delivered security platform. This is just one part of our broader security innovation cycle. Building on the double-digit growth we saw in security this quarter, we are investing across our security business, focusing on cloud based offerings, best-in-class AI driven threat detection and end-to-end security architectures. These innovations position us well for leadership in the security market.

The impact of Juniper Networks is more derivative. As Ross Haleliuk pointed out, alumni of the company have founded some of the top companies in cybersecurity. The list includes Palo Alto Networks (the highest valuation among cybersecurity companies today), Netskope (a company in cybersecurity's IPO pipeline), Illumio, Versa Networks, and more.

Cloudflare, Fortinet, Palo Alto Networks, and Zscaler headline a newer generation of companies built from the ground up with network and security convergence in mind. These companies now have a combined $178 billion valuation. They're among the most respected public companies in both cybersecurity and all of tech.

Dev Tools

Convergence between dev tools and cybersecurity is growing by the day. DevSecOps is now common parlance among both developers and security practitioners. The impact of GitHub, GitLab, and others on driving this trend forward is immeasurable.

GitHub and GitLab began as source code repositories and have since evolved into comprehensive application development platforms. Security is one of the major components. Both companies continue to add major security features, tightening the integration between software development and security.

GitHub has added an impressive set of security features since being acquired by Microsoft, primarily under the GitHub Advanced Security banner. Features like Dependabot alerts for vulnerable packages are available to all users, while others are part of enterprise licenses. Their velocity of shipping security-related features might be more impressive than any one announcement. A quick scan through the security category of GitHub's blog shows a consistent cadence of security releases, both large and small.

Bigger picture, GitHub is one of the most successful technology industry acquisitions of all time, eclipsing $1 billion ARR in late 2022. Growth metrics haven't been shared publicly by Microsoft, but it's safe to assume their advancements in security were a major factor in enterprise growth.

For GitLab, GitHub's open source competitor, security has become a central part of their strategy. It's literally the company's main goal:

…our strategic goal is to be the leading complete DevSecOps Platform.

A deeper dive into their product vision (which is, fittingly, open source) talks about their objectives for building a converged DevSecOps platform and estimated timeline for accomplishing it:

…we expect to continue rapidly maturing our DevSecOps platform so that GitLab is able to replace any DevSecOps point solution.

To replace any DevSecOps solution will require most of our categories to be lovable, which is likely a 10 year journey. To ensure rapid progress, we have a 3-year goal to have 50% of our categories at lovable maturity by the end of 2023, and this three year product strategy articulates our current focus. Once we achieve that goal, there will still be more work to do, but having half our categories lovable will mean most DevSecOps tools are replaceable by GitLab.

GitLab's $7.64 billion market cap speaks for itself — it's one of the best technology IPOs in recent years, despite a valuation decline along with the broader tech markets. Their strategy for building a converged DevSecOps platform was the headline for the company's IPO.

The convergence story isn't all about GitHub and GitLab. Products like ngrok are classic examples of dev tools where security is a major component of the product's overall value. There are far more companies than can be mentioned here — a testament to the momentum behind convergence in this market.

Application Performance Monitoring (APM) and Observability

Log management, APM, observability, and SIEM were destined to be together. Strictly speaking, the Venn diagram for these markets isn't a perfect circle. However, the overall process of collecting performance and log data lends itself to specific use cases. Security happens to be a large one.

Splunk began as a data analytics company focused on application performance and operations. Its product portfolio had a minimal security footprint at the time of its IPO in 2012. Their $190 million acquisition of Caspidia in 2015 was a milestone for Splunk and cybersecurity — their unoffical entrance into the market. The product brought behavioral analytics to the Splunk platform, giving customers the ability to detect suspicious behavior from security logs.

Just over a decade from their IPO, Splunk now has $3.6 billion in annual revenue and is a widely recognized leader in both observability and security. Their product portfolio includes several security operations (SecOps) focused products:

Source: Splunk Investor Relations

They don't break out revenue by business segment, so it's unclear how much revenue is generated by their security portfolio. Specifics aside, the convergence between security, operations, and observability is clear.

In Gartner's latest Magic Quadrant for Application Performance Monitoring and Observability, 16 of the 19 companies included also have significant security product portfolios. I added red dots to the diagram for each company with security products:

Source: Gartner – Magic Quadrant for Application Performance Monitoring and Observability

My classification of "security products" is admittedly broad — only a few companies have a full SIEM, for example. However, the direction is clear: APM companies are becoming major players in cybersecurity.

Infrastructure

The convergence between infrastructure and security gained serious credibility when HashiCorp went public in December 2021. HashiCorp pioneered a new approach for building infrastructure products by focusing on workflows and domains, not tools. Their process-focused approach spans multiple domains. In their own words:

…critical processes involved in delivering applications in the cloud: infrastructure provisioning, security, networking, and application deployment.

The company (formally) started in 2012 and didn't offer a pure security product until Vault in 2015. The company doesn't disclose revenue by segment, so we don't have enough information to attribute exactly how much revenue is being generated by its security products. As I noted when writing about HashiCorp's IPO, the details don't really matter:

Even though HashiCorp only classifies two of its products as pure security offerings, all of their products support security in important ways. That's the type of future we want — one where security is an inherent part of how we build and deliver tech, not an afterthought.

HashiCorp's breakthrough is building a fully integrated infrastructure platform where security is a core part of everything. A successful IPO helps validate the trend.

Teleport is an earlier stage company (kind of—it's a unicorn) focused on infrastructure security that has the potential to follow a similar trajectory. Their product helps developers securely access cloud infrastructure without requiring passwords, tokens, or other authentication factors which are easy to compromise.

Just as dev tools and security are converging to make code more secure, infrastructure management and security are converging to do the same for cloud workloads. The success of standalone companies like HashiCorp and Teleport, along with native security features from cloud providers, is a driving force behind the migration of workloads from on-premise to cloud.
IT Service Management (ITSM)

IT Service Management (ITSM) and security have always had areas of overlap for necessities like access requests, change management, and other user-related security workflows. However, ServiceNow is pushing the traditional boundary even further. The convergence of ITSM, security operations, risk and compliance, and more into the ServiceNow platform is one of the company's main growth drivers.

ServiceNow's platform has way, way more security and GRC features (more like full-blown products at this point) than many people realize. It's a surprisingly useful aggregator of security processes and data.

Workflows for core security processes like vulnerability management, incident response, and configuration management invariably end in a ticket that someone needs to act upon and remediate (…someday, maybe). ServiceNow makes this handoff natural, both by integrating with other security tools and threat intelligence sources and by developing native features of its own. On the GRC side, it's used for risk management, business continuity management, vendor risk management, and anything else that needs a workflow for ongoing tracking and monitoring.

ITSM and its adjacent ticket-based security workflows are perfect candidates for automation and centralization. ITSM is a necessary capability for any organization with more than a few people. Operationally, it makes sense for many companies to centralize workflows (including security) instead of having workflows all over the place in domain-specific tools.

Similar to other hybrid companies, ServiceNow doesn't break out revenue by product segment in its earnings releases. However, this stat from CEO Bill McDermott in their Q4 2022 earnings call is a nice data point about the role security plays in driving growth:

Security and Risk Solutions were at 13 of the top 20 [largest deals for the period], with 9 deals over $1 million.

Strategically, it makes sense for ServiceNow and other ITSM products to accelerate the security convergence customers are asking for.

Emerging areas of convergence

The convergence of security and traditional tech markets is just the beginning. Magic is going to happen once convergence reaches the long tail of less obvious markets. This section highlights a few of the many examples where security is converging into previously uncharted territory.

Cloud Data Platforms

Cloud data platforms have recognized cybersecurity is a major set of use cases and area of opportunity. Intense competition across verticals between Snowflake, Databricks, and others has been ongoing for years.

Snowflake has developed a massive partner ecosystem across data integration, business intelligence, data science, and (you guessed it) security (red highlight mine):

Source: Snowflake – User Guide

Beyond basic data integrations, an entire ecosystem of cybersecurity startups have been building high growth businesses on Snowflake's platform:

Momentum Cyber – Cybersecurity Almanac 2022

The level of interdependence varies by company, but each has established itself as a significant technology partner for Snowflake. It's still unclear if these companies will remain partners or emerge as future acquisition candidates.

Both Snowflake and DataBricks made their first cybersecurity-related acquisitions in 2023. Snowflake acquired LeapYear, a data privacy platform for sharing sensitive data between parties. DataBricks acquired Okera, an AI-focused data governance and privacy platform.

Each acquisition brought a complimentary set of security features for to the data platforms — they weren't additive products focused specifically on cybersecurity. LeapYear helped add security capabilities to Snowflake's third party data rooms. Okera brought a set of AI-focused data classification and privacy capabilities to DataBricks, augmenting their rapidly growing set of use cases for LLMs and AI. I expect more acquisitions like these (security features for core data platform use cases) near-term before either company starts acquiring pure cybersecurity companies.

In addition to partnerships and acquisitions, Snowflake has been building cybersecurity-focused features into its platform. Its cybersecurity workload announcements in 2022 are a recent example, with security log ingestion and analysis as the primary focus.

We're still in the early days of convergence between cloud data platforms and cybersecurity. Cloud data platforms have definitely arrived — Snowflake is a high performing public company with a $60 billion market cap, and DataBricks is a top candidate in tech's IPO pipeline despite debates about its current valuation. A combination of factors, including the need to fuel growth and shifting markets for SIEM and XDR mean cybersecurity is going to be increasingly more important for both companies.

Human Resources

In the game of corporate politics, human resources has traditionally been one of the arch nemeses for security teams. Turf wars develop over access to people data, integrations with HR systems, and more. HR data is oxygen for workforce identity systems, which rely on timely updates about hiring, job changes, terminations, and more to manage access to corporate systems.

Rippling is bringing these worlds together by combining traditional HR functions with closely related security and IT service management processes. Rippling CEO Parker Conrad described the platform like this in an interview with Stratechery:

Rippling builds a bunch of things that historically would not have been thought of as belonging to the same system. Payroll, HRIS, a bunch of related systems around HRIS but then also identity, single sign-on user management, security services, device management, and the unifying theme is that each of these systems are reservoirs of employee data in their own right.

Convergence among this set of related processes is inevitable — especially as both leaders and employees care more about employee experience. Newer companies born in the cloud don't have time for infighting between HR and security teams. They also don't have the technical burden of displacing legacy HR systems.

For many companies, the way forward is an integrated approach like Rippling. When basic employee administration processes just work like they should, people can focus their time on solving value-creating problems on the product side.
FinTech and Fraud

Massive progress in FinTech is driving convergence between cybersecurity and fraud. It's also creating a new set of issues. People have wanted to steal money since money was invented. As the internet becomes the default mode for delivering financial services, crime follows suit.

Unsurprisingly, financial motives were overwhelmingly the top driver of breaches identified in Verizon's 2023 Data Breach Investigations Report. They were a factor in 94.6% of breaches studied in the past year, and a consistent leader for many years now.

In response, cybersecurity and fraud features are becoming a core component of FinTech product offerings. There is a whole category of companies focused on fraud. From a convergence standpoint, the interesting development is FinTech platforms building and acquiring cybersecurity and fraud products.

Stripe now has products for identity verification and fraud protection. Shopify's enterprise commerce components include fraud protection, identity, customer data management, vaulting of card data, and other security and compliance features. PayPal offers risk management and fraud features for businesses. The list goes on.

Traditional financial services companies are also making moves. Mastercard has been a particularly active buyer of cybersecurity and fraud companies. Recent acquisitions and investments include Baffin Bay Networks, Enveil, RegGenome, Bitfy, CipherTrace, and Ekata. They now offer a full suite of cybersecurity products for business customers.

FinTech companies are also a major driver of adoption for consumer security technologies. Identity includes many examples, with financial services companies nudging customers to adopt MFA long before the idea was widely accepted as good security practice.

Today, FinTech companies are one of the main drivers for passwordless authentication. Mercury is an early adopter of passkeys for MFA. Finance is one of the top categories on Passkeys.directory, a site tracking adoption of passkeys. Notable FinTech companies supporting passwords include Robinhood, PayPal, Binance, and others.
Storage and Databases

Security has historically been a secondary feature in storage and database products. We've had full disk encryption, field-level encryption, and an entire category of database security tools for years. The convergence with cybersecurity is now making these features front and center — including companies where security is the core value proposition. I went deep into this topic with Ryan Cooke, the founder and CEO of JumpWire.

A new generation of security-focused storage and database companies for developers includes Evervault, SkyFlow, Cape Privacy, JumpCloud, and more. AWS offers similar functionality natively with its Nitro Enclaves product. Approaches vary, generally falling within a range from enhancements to existing data stores to dedicated infrastructure for data storage (secure enclaves).

Privacy is also a driving factor for convergence. AI, ML, and LLMs are driving adoption for a new set of privacy-focused companies. Blyss, Zama, Ravel, Duality, Sarus, and other early stage companies are behind the advancements in this space. Homomorphic encryption is the emerging approach many of these companies are using. I analyzed Blyss and Sarus as part of my coverage for their respective Y Combinator batches.

We're in the early stages of a new wave of activity for secure storage and databases. This area is well positioned to be a beneficiary of larger tech trends like AI/ML, privacy regulations, and more — all of which have a need for security as a central part of their value proposition.
Domains

Convergence has even reached domains, of all things. Unstoppable Domains, a Web3 startup, raised a $65 million and became a unicorn with its 2022 Series A round. Let's put our Web3 skepticism aside (we're in the "emerging" section of the article, after all) and look at the practical benefits of converging domains and identity.

Unstoppable Domains is the company behind the .eth domain extension, which was seemingly everywhere in tech during the latest peak of crypto hype. Status was undoubtedly a motive, but identity-focused domains have a more practical purpose. From Matthew Gould, founder and CEO of Unstoppable Domains:

For too long, companies have controlled people’s digital identities, and Unstoppable Domains is putting that power back into the hands of people. As the digital economy becomes a larger part of our lives, it’s time for people to own their identity on the internet.

We’re thrilled to partner with Pantera and other investors who share our vision of onboarding billions of people onto Web3 through NFT domains that unlock user-owned, private, and portable identities.

One of the biggest rough edges in crypto-powered commerce is sharing wallet addresses. These long and gnarly character strings are conceptually similar to navigating the internet using only IP addresses. Nobody would use the internet this way, which is why standard DNS is a game changer.

Verifiably linking domains to identities is a massive improvement for Web3. It reduces the friction of moving money while simultaneously reducing fraud and improving security. A win-win if there ever was one. Throw in the added benefit of authentication and portable identities, and we're really on to something.

Time will tell if this approach gains traction. For now, it's an interesting example of the convergence between commerce, identity, and privacy.
National Security

The convergence of cybersecurity and national security has the highest stakes of all. The link between cybersecurity and national security isn't new, but its rising level of importance among more traditional forms of warfare definitely is.

As information warfare gains popularity among nation states and organized crime groups, multi-domain operations become critical. In the MDO model, cyber warfare is a sector of its own, cross-cutting domains like land, air, and water. On a practical level, offensive cyber operations are now part of the playbook for countries like the United States.

Palantir is the company most synonomous with the convergence between national security and cybersecurity (and technology in general). From a private sector standpoint, Palantir is almost single-handedly driving the convergence. The financial outcome was a $20 billion direct listing to the NYSE in 2020. Their market cap has nearly doubled since then (currently at $38 billion) despite steep valuation declines across the technology sector.

This convergence story has two important dynamics. Cybersecurity is a battleground of its own, which is important but now obvious. The second dynamic is the interesting one going forward: technology and AI are going to augment warfare across every domain. From Marc Andreessen's recent essay about AI:

I even think AI is going to improve warfare, when it has to happen, by reducing wartime death rates dramatically. Every war is characterized by terrible decisions made under intense pressure and with sharply limited information by very limited human leaders. Now, military commanders and political leaders will have AI advisors that will help them make much better strategic and tactical decisions, minimizing risk, error, and unnecessary bloodshed.

The future is widespread use of technology and AI for the benefit of national security. Again from Marc Andreessen:

…let’s mount major efforts to use AI for good, legitimate, defensive purposes. Let’s put AI to work in cyberdefense, in biological defense, in hunting terrorists, and in everything else that we do to keep ourselves, our communities, and our nation safe.

That's exactly what companies like Palantir are doing, and is certainly happening within nation state military branches. Progress in national security is one of the best possible outcomes of convergence.

What does all of this mean?

I'm certain there are more examples of convergence than I mentioned here, even at nearly 5,000 words. The convergence of cybersecurity and "everything" is hyperbole, but the broader point is undeniable.

Not everything needs security, of course. However, as the examples in this article demonstrate, the surface area for convergence is broader than you might expect — even if you already recognized it's happening. This means a few things.

We're likely to see more acquisitions of cybersecurity companies by strategic buyers outside the industry. Acquisitions will happen more often and at higher dollar volumes than in the past. A couple recent examples help illustrate the point.

Alphabet (Google) acquired Mandiant for $5.3 billion — its second largest acquisition of any kind, and likely more than the total value (disclosed and undisclosed) of its 11 other cybersecurity acquisitions combined. The acquisition price was high because of cybersecurity's strategic importance in driving growth for Google Cloud.

HPE's acquisition of Axis Security is a recent example of a strategic buyer outside the industry. HPE is a diversified enterprise tech company, not a pure cybersecurity company. HP's current and former entities, including both HP and HPE, have made six cybersecurity acquisitions among 46 total transactions, according to CapIQ and Momentum Cyber data. Axis Security is the company's first cybersecurity acquisition since 2019 and it second largest cybersecurity acquisition after ArcSight.

Bigger picture, convergence leads to a larger overall TAM for cybersecurity sub-sectors and the overall industry. Greater strategic importance in the broader technology sector means both expansion of existing markets and the creation of new ones.

During downturns like we're in right now, it's easy to think with a fixed mindset — things like "the cybersecurity market is stagnant, and the only way to grow is by taking market share from competitors." While partly true for mature sub-sectors of the industry, this point of view is more about industry consolidation than convergence. Convergence with other markets is one of several reasons cybersecurity is a growth market. It's about growing the pie, not reallocating the existing one.

Any market where security is an inherently valuable property is a candidate for convergence, at least to some degree. We're going to see deeper integration of security into everything. Widespread convergence may blur the lines of what the cybersecurity market even is. We can already see that happening with hybrid companies like Cloudflare, Palantir, Synopsis, and others — are they in the cybersecurity industry, or not?

The industry's periphery is becoming less clear, but in a way, that's what we've always wanted. Cybersecurity is moving from an afterthought to a fast follower, if not (gasp) a full-blown influencer.

On a micro level, we have examples like DevSecOps moving security earlier in the development lifecycle and password managers reaching mass adoption. On a macro level, security will play a role in technological shifts sooner. It took people a long time (relatively speaking, in technology terms) to realize that operating systems for PCs need to have good security. Security wasn't absent, but it also wasn't a core part of the value proposition or something buyers prioritized when making purchasing decisions. Mobile was faster. The current wave of AI is faster still. We're making progress.

A transformational shift in thinking is well underway now — one where cybersecurity is inherent to many types of businesses and a driver of growth.

*** This is a Security Bloggers Network syndicated blog from Strategy of Security authored by Cole Grolmus. Read the original post at: https://strategyofsecurity.com/the-convergence-of-cybersecurity-and-everything/

No comments: