Cybersecurity is one of the most attractive sectors in Israel, attracting roughly 35% of total global investments in the cyber space. However, with over 450 cybersecurity companies in Israel, investors can become overwhelmed as they attempt to navigate the landscape and understand differences between each company’s value proposition. Additionally, cybersecurity CEOs generally tend to keep their marketing messaging unclear in an effort to veer away from disclosing their proprietary technologies. This crowded and competitive landscape may leave many investors with the concern of “over investment” where startups increasingly compete with one another for clients. Despite this, I believe that this concern is not merited as the market for cybersecurity products is large (circa $150bn) and is expanding at a rapid pace of ~14% per annum.
Cybersecurity Market Dynamics
The cybersecurity market in general remains attractive for most VC investors. Here are a few of the reasons why:
a. Market resilience — even during economic downturns, the demand for cybersecurity products remains relatively unaffected as companies wish to keep high security standards and due to increased regulatory pressures.
b. Shorter sales cycle — the sales cycle for cybersecurity products is shorter compared to other enterprise sales due to the inherent pressures CISOs face to constantly address the dynamic evolution of emerging cyber threats.
c. Bigger clients with higher ACV — larger organizations have more data and assets to protect and tend to be more vulnerable towards cyberattacks. Because of this, it is not uncommon for many Fortune 500 companies to spend $10M+ for each vendor as it is being regarded as “mission critical”.
d. Room for multiple products and low concentration — given the level of importance for cyber products and its impact, CISOs in enterprise organizations tend to have multiple products covering many aspects as they opt for “best of breed” products rather than “best of suite”. This helps with the proliferation of many subcategories of companies that are in their early stages serving diverse customer needs when “scale” is not perceived as a clear advantage. This results in a fairly unconcentrated market where there is yet to be a dominant player that “sets the tone” for overall standards.
e. Security strategy — security is about defense and depth. This way of thinking creates a strategy that takes a layered approach, whereby no layer is perfect and requires mitigations along the way. This allows for the slowing down of threat actors as they break through the layers and provides for the appropriate alerting and monitoring across the security value chain.
While certain cybersecurity markets have undergone commoditization processes, such as areas like antivirus, VPN, email security, and two-factor authentication, this commoditization does not necessarily imply a decrease in their importance. Instead, it signifies the standardization and integration of these features into broader platforms or systems. As cybersecurity companies are among the most profitable and valuable technology firms globally (total spend often accounting for as much as 10% of all IT budgets for mid-sized organizations and 15% for large enterprises), the industry is highly susceptible to acquisitions and mergers.
To step above the crowd, Israeli tech companies are utilizing three generic strategies[1] in their competitive positioning:
1. A new product to a well-established market — these companies offer enhanced products through a product that boasts superior efficiency, accelerated performance, superior integrations, and an overall value proposition that exceeds competitors by >10x. This competitive battleground revolves primarily around the product and its distinctive features.
2. A new product to an emerging market — such companies attempt to address a rapidly trending pain point. Though budget allocations for these sectors may currently be sparse, they are nonetheless gradually increasing year by year. Businesses following this strategy acknowledge that achieving substantial revenue will take longer than those targeting established markets. The critical risk associated with this strategy is the rate at which the market adopts the product. Torq, for instance, is a company that is shaking up the security orchestration, automation, and response (SOAR) market by introducing a new concept of “Hyper Automation”.
3. A new product to an existing market via re-segmentation –
a. Niche creation — the first approach essentially involves creating a niche and meeting the needs of a particular customer group. A company that concentrates on a subsection of more complex organizations in need of “integration and consolidation”, generating a “system of systems” to cohesively manage vulnerability risk across all attack surfaces in a single location.
b. Low cost — the second approach involves offering a “good enough” product at a significantly lower cost, particularly as leading vendors increasingly move upmarket, leaving behind lower-margin market segments. However, this strategy is counterbalanced by the need for these businesses to eventually turn profitable and achieve higher average contract values (ACVs), necessitating a move upmarket for scalability.
I predict that during a market downturn and when equity is constrained, most customers will gravitate towards bundled products that offer cost-effectiveness while still delivering substantial value for their investment. Conversely, in an upswing market characterized by abundant cash flow, companies will tend to prefer unbundled specialized products. They may choose to subscribe to multiple vendors simultaneously, aiming to acquire maximum protection through a “best of breed” approach.
[1] The three strategies are portrayed in the book Four Steps to the Epiphany by Steve Blank (2013).