Why the World Needs More Cybersecurity Startups (Yes, It's Because of AI)
By Joseph Lau, Chief Information Security Officer at Sagard
As a CISO in the financial sector, I’m usually the designated Grim Reaper who scares people about security risks (and I take that part of my job very seriously!). But over the past year the roles have reversed, and I’ve become increasingly concerned as visionaries like Dr. Geoffrey Hinton (the Godfather of AI) and Elon Musk (co-founder of startup Zip2) have started ringing alarm bells about the profound risks of AI and the impending existential threat to humanity.
All of this uproar has got me really worrying about how AI is going to drastically change cybersecurity. Think superintelligent AI launching nearly perfect phishing campaigns, undermining democratic institutions with extremely believable misinformation, and crippling critical infrastructure (energy, telecommunications, finance) with sophisticated malware attacks. This train of thought is certainly alarmist, but it’s not completely off-base.
While it won’t end the world overnight, generative AI will increase the speed and volume of cyber attacks faster than institutional players can respond. The FBI has already issued AI cyber warnings, and credible estimates project a 5-10x increase in attacks in the next 12 to 24 months. While bad guys have the advantage of adopting this new technology quickly and without any rules, big cyber players are not always incentivized to innovate at the same pace. Seriously, just compare their operating expenses: cyber incumbents are spending up to twice as much on sales and marketing as they are on R&D.
To counter the threats posed by AI, the world needs cyber startups to do for security what fintechs did for the financial sector. Like cybersecurity, finance is a trust-based business where startups can find it hard to get traction. But by choosing specific problems and doing a much, much better job solving them, fintechs have disrupted large financial institutions and delivered far better services to clients. We need cyber startups to do the same thing: set new industry standards with best-in-class products. There couldn’t be more important problems to solve at a more opportune time.
To get a broader perspective on how the cybersecurity landscape has changed and how startups can drive innovation, I sat down with three cybersecurity experts: Gray Powell, Managing Director at BTIG; Adam Mattina, Managing Director and Deputy CISO at Blackstone; and Asaf Kochan, founder of cybersecurity startup Sentra and former commander of the Israel Defence Forces’ Unit 8200. Together we shared insights and brainstormed about how startups are best positioned to meet the AI cyber threat head-on.
A brief cybersecurity history lesson
So how did we get there? As sudden as the generative AI revolution is, it’s only the latest challenge we’ve faced in the cybersecurity profession. The past twenty years have completely changed how we do our job. Put simply, as everyone and their dog (with an Instagram account) logs on to the Internet, and every business moves their data to the Cloud, the bar for cybercrime has been drastically lowered, the pace of attacks has accelerated, and the cyber threat surface -- systems open to attack by hackers -- has dramatically increased.
Think back to a far-off time: the mid 2000s, circa the first iPhone 2G. “Fifteen years ago, all of your data used to be on your server, in your data center,” says Gray. “90% of protection was on-premise, and once traffic was in your perimeter, you could control it.” The Cloud changed all that -- for better and for worse. The Cloud has enabled collection and storage of massive amounts of data, a digital goldmine for data-driven companies. But cybercriminals are looking to break into the goldmine, too. “At the end of the day, all breaches have to do with data,” says Asaf. "With companies using an increasing number of technologies," Adam points out, "the attack surface has grown exponentially."
As the Internet has become more accessible, so has the ability to commit crimes. “Twenty years ago, nation states had unique advantages in terms of resources to launch attacks,” says Asaf. “Now, we have very sophisticated private criminal groups, some of whom receive support from states.” “The bar for launching a cyber attack has been lowered immensely,” says Adam. Not only are there more criminals, the nature of crime has changed. “Attacks are far more flagrant and damaging. If you think back to 2003, cybercriminals used to attack for personal credibility or accomplishment. Now attackers are looking to monetize, and once they get into an environment, they can do so within weeks.”
The (not so clear) future of cyber
So what’s the outlook for a startup looking to disrupt the cybersecurity market? While cyber is a fast-moving landscape, there are a few trends that seem likely to emerge in the next few years.
After the stagnation from COVID and the economic slump, we’ll finally see more spending on cybersecurity in the medium term. “It used to be that you could get whatever you wanted from the CFO,” says Gray. “But now money isn’t free anymore. Realistically you’re looking at flat to low-digit growth in enterprise security budgets in 2023.” But cyber budgets can’t stay flat forever. “We don’t know the exact timeline that generative AI will be monetized by cybercriminals. Enterprises are regulated, bad guys are not.” By some estimates, the cost of losses from cybercrime will hit $10.5 trillion by 2025. And with that kind of threat increasing from automated, AI-generated attacks, security budgets will have to increase as well.
As inertia pushes companies to buy a suite of solutions from just one vendor, decision-makers will need to take some chances and look at best-in-class cybersecurity products. “These days we see companies skewing more towards platform solutions versus stand alone best-in-class vendors,” says Gray. Part of this is due to economic pressure. “There is massive pricing competition from big players in the space that want to win and keep business,” says Adam. “CFOs are thinking: Why should I get the best-in-class product when I’m already paying for the suite?”
What’s more, we may need to revisit some problems that we thought were already solved. “Just a few years ago companies made a large push to implement multi-factor authentication to mitigate account takeovers,” says Adam. “Now we’re seeing attackers up their game to defeat MFA in certain cases.” “In this kind of environment, monitoring and situational awareness are no longer enough,” says Asaf. “We need products that are proactive to mitigate and prevent attacks.”
I asked my panelists which cybersecurity problems they would most urgently like to solve. “DHS is working on guidance to improve the security of products companies buy without the need to bolt on a lot of security themselves and that is moving in the right direction.” said Adam, echoing our previous discussion. Gray pointed out the need for automation on the defense side. “Companies don’t have enough people to tackle all the alerts and problems that they get.” For Asaf, it came down to the data -- so much so that he moved to the private sector specifically to tackle this problem with his startup Sentra. “Bad things happen when data leaks out. Developer secrets, encryption keys, financial reports. Data should be the #1 focus.”
Looking to cyber startups
A rough rule of thumb from the fintech world is that the product or service has to be 5-10x better than the incumbent for a customer to make the switch. To get traction with an innovative product, cybersecurity startups really need to focus on how to demonstrate measurable value on a real problem -- not just the cool technical superiority of their novel solution.
Priority number one for cyber startups is to be good at one core thing and dominate that market. “Palo Alto Networks is the perfect example,” says Gray. “In 2012-2013, they had high single digit market share in network security. But they were winning 30-40% of new dollars in the space.” As you grow and tap out the core market, you can start moving into adjacencies. “But you have to stay good at the thing that got you there.”
It can be difficult for founders to hand over the keys, but being acquired can be a major accelerant for a startup with a great product that finds it hard to get traction on its own. “The best example is CrowdStrike buying PreEmpt,” says Gray. “PreEmpt knew they had a great product, but had a problem getting their foot in the door. Banks didn’t know who they were. CrowdStrike had a great go-to-market motion, and the acquisition accelerated their ramp by at least five years.”
Adam sees most successful integrations happen when an established company wants to become more of a complete platform. “If a company wants to enter a new category in cybersecurity, they can either start building from scratch or acquire a smaller, specialized startup.” says Adam. Security threats are always changing because companies regularly adopt new technologies to compete in markets. As technology solutions become critical for a business, securing them becomes a necessity.
And how can governments make a difference?
Startups have a major role to play in protecting against the latest advanced cyber threats. But what about governments? While red tape means that nation states don’t necessarily take the lead in developing new products or companies, they can help spur innovation by making cybersecurity a top priority and developing top cybersecurity talent.
With his many years of experience in Unit 8200, Asaf had unique insights to share. “We need to look at cybercrime as a national security issue, not just a petty crime issue,” says Asaf. “Right now, Western governments shift responsibility for cybersecurity to the private sector. But events like the Colonial Pipeline ransomware incident show us the real danger in this attitude. Incidents like this can cause major damage to Western economies, disrupting critical infrastructure and thriving, important sectors.”
First and foremost, governments should make cybersecurity a priority for not just large companies, but small and medium-size businesses. “When the White House issued guidelines to prevent ransomware after the Colonial Pipeline incident, that made a big difference,” says Adam. “That letterhead carries weight with executives across industries. Gaining buy-in for a security strategy is a critical step for security leaders, and clear guidance from national leaders creates credibility and raises visibility on cyber issues.
Nation states can also help by developing top cybersecurity talent. According to the World Economic Forum, there is a cybersecurity workforce gap of 3.4 million jobs, and this talent gap won’t be addressed easily. “There is conscription in Israel, which is unique in a Western democracy,” says Asaf. “As a result, there was a constant flow of amazingly talented individuals in Unit 8200. In the private sector, it’s much more complicated to find, develop, and retain top tier talent.”
Government service is a unique environment where young people can learn and acquire invaluable experience. “Israel is in a rough neighborhood,” says Asaf. “We need to move and learn fast, to build applicable solutions that work in the real world, not just a PowerPoint. And we need to work in teams. No one’s born with this. It’s something you learn.” According to Asaf, there’s a reason why so many Unit 8200 alums end up founding companies after they leave the service -- including Palo Alto Networks, Waze, Wix, and Viber, to name a few. “Serving means that you spend five years building a strong network and community. You leave resilient and hungry to prove yourself. At age 23, you’ve actually done stuff.”
Conclusion
Working in tech, we are privileged to choose from many different, interesting problems to solve. I want to suggest that we take this opportunity to work on something truly important: keeping individuals, businesses, and critical infrastructure (especially democratic institutions) cyber secure.
Taking my Grim Reaper cloak off for a moment, I am optimistic that AI doesn’t spell the end of the world. While it’s set to completely change the cybersecurity landscape, it’s also created a fantastic opportunity for cybersecurity startups to innovate and set new standards for security. And with cyber budgets set to increase in the near future, there has never been a more opportune time.
So enough with the doom-scrolling! Let’s get to innovating and make the world better.
DISCLAIMER:
- BTIG LLC expects to receive or intends to seek compensation for investment banking services in the next 3 months from: CrowdStrike Holdings, Inc. (CRWD)
- BTIG LLC expects to receive or intends to seek compensation for investment banking services in the next 3 months from: Palo Alto Networks, Inc. (PANW)
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.