Nick Hayes, Rick Holland, Heidi Shey, Merritt Maxim and Christopher McClean, Forrester Research Inc.
2015 spooked customers, citizens and others worried about financial and medical identity theft. Anthem, Ashley Madison, the US Office of Personnel Management and Sony all became household names for the wrong reason: devastating cyberattacks. S&R pros now know that protecting both the firm’s customer data and intellectual property is central to brand, growth and profitability. The brief described here details the six most significant changes coming to security economics, government policy and the role of business in 2016, and what you should do about them.
Key takeaways
Don’t prioritize cyber insurance over prevention, detection and response
In 2016, S&R pros will realize they can’t fall back on cyber insurance coverage—it won’t be enough to cover breach costs, and insurance firms will look for ways to avoid paying. It also won’t cover the significant damage to the firm’s CX score or save the CEO from a forced resignation.
Prepare for the cybersecurity investment bubble and political circus
Venture capitalists and private equity firms are pouring billions into cybersecurity startups, hoping to capitalize on increased security spending. Invest based on your needs and priorities, not market hysteria. Politicians are not immune to the hysteria, so expect privacy and cybersecurity policy to become hot topics in the U.S. presidential race and in the U.S. Congress. Customers will expect your firm to have a stance on controversial policies like government surveillance.
A unicorn will die: a startup will have a failed IPO or down round
The continued cavalcade of high-profile consumer data breaches has fueled investors’ interest in funding cybersecurity startups during the past two years; investors have poured nearly $5B into cybersecurity startups since 2013. In addition, membership in the security unicorn club (firms with a valuation greater than $1B) has been growing. Although this influx of capital helps catalyze innovation to address enterprise demand for security solutions, it also suggests that cybersecurity startups are entering a private equity speculative bubble.
This speculative bubble will collapse in 2016 in the form of either: 1) a security IPO not receiving its expected offer price or dropping over 25% from IPO pricing within six months, or 2) a $1 billion security unicorn suffering a down round or valuation correction in the private markets. In light of this expected change in the security vendor landscape, S&R pros must remember the following tips:
- Don’t let lofty valuations of security vendors blind you. Lofty valuations often reflect inflated market expectations that are not always grounded in reality. S&R pros need to look beyond valuation when evaluating the financial health of security vendors that are publicly traded or have filed an S-1 to go public. You must assess the financial maturity of a given supplier. Is the firm profitable? What percentage of revenue goes to marketing and sales versus R&D? Is it cash flow positive? Most early-stage firms spend twice as much on marketing as on R&D. While this is a proven model to build market share, worsening economic conditions create greater financial stress that can have significant impacts on road maps and enhancements. You must be prepared to develop contingency plans.
- Watch out for vendors simply pivoting their message for funding. The influx of available capital for cybersecurity has led some firms to readjust their positioning and product strategy to help them catch the cybersecurity funding wave. While repositioning is often necessary due to changing market conditions and customer requirements, be wary of suppliers pivoting to new areas without a corresponding pivot of the product road map. As an example, data loss prevention (DLP) has reemerged as “exfiltration prevention.” In many cases, the technology hasn’t changed and the issues that plagued it are still present. S&R pros who witness a vendor pivot need proof that new technical capabilities accompany the pivot to deliver on new promises. Otherwise, the vendor is likely to have stability issues.