Cybersecurity may be more ‘recession-proof’ compared to other technologies

Concerns are growing that a wider economic slowdown will come in the next year or two, prompting a number of tech companies to preemptively freeze hiring or lay off employees. No sector within the tech world can be expected to be completely immune to deteriorating economic conditions, of course. But for many reasons, the cybersecurity industry is likely to hold up better than most, according to industry experts.

As many in the industry gather this week in San Francisco for the return of the in-person RSA Conference, the question of what is in store for security budgets will certainly be a popular topic of discussion. History isn’t very helpful when considering the impact of declining spending on cybersecurity, because security budgets are larger now than they were during the Great Recession of 2007 to 2009, said Jeff Pollard, a vice president and chief analyst at Forrester.

However, if a global slowdown is ahead, “I think cybersecurity spending will be more resilient than in other areas,” said Pollard, a specialist in security budgets and the role of chief information security officer (CISO).

Some well-known cybersecurity vendors are counting on the same. On Thursday, CrowdStrike and Okta said they are each raising their revenue guidance for their current fiscal years (which both run until the end of January 2023). CrowdStrike and Okta raised their fiscal 2023 guidance by approximately 2% and 1%, respectively, from previous guidance disclosures in March.

The benefits of regulation

The confidence felt by security vendors, Pollard says, comes from the fact that large amounts of cybersecurity spending are essentially driven by regulatory and market forces that did not exist at the same level in the last major slowdown.

And in addition to existing regulations, the SEC’s newly proposed rules on cyberattack disclosure could provide another incentive for public companies to refrain from reducing their security budgets, said former CISA director Chris Krebs, who is now a founding partner at cybersecurity consulting firm Krebs Stamos Group.

If adopted, the rules would require “material cybersecurity incidents” such as ransomware attacks or data theft to be disclosed within four business days. While pressures on security budgets may grow, “the requirements aren’t going away,” Krebs said.

Along with the need for many businesses to meet regulatory and compliance standards around data security and privacy, many cyber insurance policies also require some level of cybersecurity spending, Pollard said.

Companies that cut security spending excessively could see a negative impact on revenue as well, because it could deter potential customers from doing business with them, he said. There is now a “higher bar” for the cybersecurity posture that customers expect from their suppliers during security reviews, such as demonstration of data security and privacy capabilities, and incident response capabilities, including breach notification.

“You have to spend money on cybersecurity,” Pollard said, “because it will cost you deals if you don’t.”

A board level concern

Meanwhile, cybersecurity is now a higher priority at the C-suite and board level than ever before, due to the growing threat landscape, said Steven Weber, a professor at the University of California, Berkeley, who specializes in international business and information security. Specifically at the board level, the mindset has dramatically changed over the past few years, says Weber, who also serves as an advisor to boards at several publicly traded companies.

There is now a “disease of vulnerability and responsibility at the board level” that did not exist before, he said. Following incidents such as the SolarWinds breach and a series of high-profile ransomware attacks in 2021, 88% of boards now see cybersecurity more as a business risk than a technology risk, a survey from Gartner found in the fall.

Signage of the RSA Conference at RSA 2020.

Photo: RSA

For leadership in many companies, cybersecurity is now seen “as something we need to protect – and that [may require] cutting elsewhere to protect it,” Weber said.

With the transition to digital, businesses can no longer afford to make the distinction between “doing the job” and “doing the job safely,” said William MacMillan, a senior vice president at Salesforce and former CISO for the CIA.

“It no longer works to say, ‘We can reduce security as long as we finish the business,’” MacMillan said. “Because you can’t finish the business if you don’t prioritize doing it safely.”

That means security is likely to be “more recession-proof than perhaps any other field of technology,” said Jay Leek, managing partner at cybersecurity-focused VC firm SYN Ventures and former CISO of The Blackstone Group. Just because there’s a recession, that “doesn’t mean the threats to cybersecurity will disappear,” he said.

There may be other implications for security teams, however. There may be growing pressure on CISOs to show return on investment from security spending, which is seen as more difficult in cybersecurity than in most other fields of technology, experts say.

Measuring the effectiveness of a cyberattack detection tool, for example, is notoriously difficult. “You can’t always say, ‘Hey, we’ve seen everything,’” Pollard said. “That’s hard to prove.”

It’s also likely that some businesses will look to reduce security spending by combining more of their tools into a single vendor, to take advantage of the discounts associated with doing so, he said.

Impact on startups

The massive influx of venture investment in cybersecurity in recent years also means that some security startups – especially those that have hired heavily on the back of limited profits – are likely to see a bigger impact than more stable players during an economic downturn, Pollard said.

VC funding for security companies increased from $12.4 billion in 2020 to $29.3 billion in 2021, according to advisory firm Momentum Cyber. And 30 cybersecurity startups achieved billion-dollar valuations last year, compared to six in 2020.

“Companies with a solid foundation, with great customer relationships, doing great things from a security perspective – I think we’ll see them thrive,” Pollard said.

But for other security startups, “I think we’ll see a bit of computation,” he said.

Right now, the security industry isn’t seeing hiring freezes or layoffs on a wide scale. The two exceptions in recent weeks are cloud security firm Lacework, which laid off 20% of its staff, and attack detection firm Cybereason, which cut its staff by approximately 10%.

Lacework leaders announced the layoffs in response to what they called a “seismic shift” in “both public and private markets” recently. The company raised a $1.3 billion round of funding in November, which it called a record for the security industry, and previously reported having more than 1,000 employees in March.

Cybereason, which raised $325 million in funding last year, cited its inability to go public in the near term as the driver for its layoffs, which affected 100 employees. “As bullish tech market conditions turn and the tech IPO market is essentially closed, companies like ours must now practice stricter financial discipline and prioritize profitability over the top line of growth,” said the company in a statement.

On the whole, however, today’s business realities and cyberthreat environment suggest that cybersecurity will not see the worst of the spending cuts, experts told Protocol. “I think it’s going to be less than we see in other places,” Pollard said.

Veronica Irwin contributed to this report.
