Cloudy with a sign of hope

Few of us think of cybersecurity spending as discretionary. In other words, with the number of reported ransomware attacks, emergency directives from CISA, and Executive Orders, you would think that rising inflation, a stock market crash, and dire warnings from prognosticators like Harry Dent,  would not impact demand for cybersecurity

Yet the stock market obviously thinks spending is going to plummet based on the dramatic fall-off in cybersecurity stock valuations. Okta is down 71% from last summer. Zscaler is down 65% even though revenue jumped 64% the last quarter they reported. Even the legacy firewall vendors Fortinet, Palo Alto Networks, and Check Point Software, are down dramatically: 25%, 23%, and 17% respectively.

Yes, we have seen decreases in enterprise spending on security in past recessions. While they generally do not stop spending altogether (they can’t) they can delay projects and put off revamping their architectures. Perhaps they put their digital transformation plans on hold—anything to weather the storm.

But does a general recession justify pulling back from venture investments in cybersecurity companies? Perhaps:

-If you have a large portfolio of investments at recent record setting valuations, you are going to be faced with many of them missing their target numbers for the quarter. You will be advising them to slow hiring and spend less on events and other marketing activities to conserve cash.

-If your portfolio is suffering why would you add to the pain by making new investments in seed or Series A/B startups? You would certainly not jump in on a pre-IPO mezzanine round since many unicorns are going to wait out the stock market for another year.

On the other hand, lower valuations should be an opportunity to invest, both in public markets and private. There is no question in my mind that the security industry is definitely a long term buy. Most venture investments have a 5-10 year expectation of either M&A or IPO. Now has got to be one of the best times ever to invest in the next solution that reduces complexity, counters the latest attack scenarios, and reduces the cost of security operations.

Yet there is a massive risk on the horizon for the entire industry, one I don’t think the stock market is positioned to recognize: the collapse of Russia.

I have often pointed out that the cybersecurity sector is different from all technology sectors because it has an outside driver: threat actors. If Putin is deposed there is a likelihood that Russia will immediately try to improve its relations with the West. Part of that would be to shut down the cybercrime gangs that operate with impunity within the current regime. By cooperating with international law enforcement they would roundup and prosecute their cyber criminals. The ransomware scourge that is driving headlines and pushing security spending to SMBs, hospitals, and local government agencies, would drop dramatically. Carding, mules, business email compromise, and fraud in general, would diminish measurably.

What is the possibility of this outcome? A Russia that pivoted away from its rogue-state behavior would be good on much more important levels than just a decrease in cybercrime. I see three possibilities. Two could go either way.

1.The oligarchs could arrest (or kill) Putin. They have strong motivation to end the war in Ukraine and get back into the good graces of the West. They would get their yachts and bank accounts back. Sadly, Russia has a long history of deposing one dictator and replacing him with another.

2.The military could revolt and stage a coupe. Also likely that they would install a new dictator.

3.The long hoped for popular rising could happen followed by the creation of a democratic government. This seems to be the least likely, but would have the highest chance of creating a Russia that would be a good world citizen and would therefore stop protecting cyber criminals.

A rational Russia would not mean the end of cybercrime, just a dramatic reduction in successful ransomware attacks and other breaches. That would leave Iran, DPRK, and a few other countries to focus on. And of course, even the United States is home to cybercriminals, so the battle will continue. On top of that, the most serious cyber incidents are caused by intelligence agency hacking. Sure the Russian agencies behind Notpetya and Solarwinds would curtail their activity, but there are plenty of other governments that will continue to be a threat.

A new Russia could indeed cause a drop-off in cybersecurity spending growth. But cybersecurity is part of every new technology shift and will continue to grow with the cloud, new advances in med-tech, fin-tech, and manufacturing. Still a long term buy.

Don’t forget to order Security Yearbook 2022 to get a complete picture of the entire cybersecurity landscape. Shipping this week!

Also checkout the Analyst Dashboard for cybersecurity research, a new service from IT-Harvest.