The Reaper Comes For Cyber Unicorns
It looks like cybersecurity vendor unicorns will follow tech companies as they begin to prepare for macroeconomic headwinds and a much more conservative investor environment. Just 12 months ago, the cybersecurity startup ecosystem seemed fine, with more funding coming in and valuations continuing to skyrocket. In November of 2021, Lacework raised $1.3 billion on a valuation of $8.3 billion, bringing it to $1.9 billion raised in total. Cybereason raised $275 million in July 2021 and $750.6 million total, and OneTrust raised $926.4 million in total. But in June 2022, Lacework cut 20% of its workforce, Cybereason cut 10% of its workforce, and OneTrust cut 25% days after RSAC 2022.
Lacework, Cybereason, OneTrust — three vendors, over $3 billon dollars in funding, and over a thousand out of work.
The economic downturn is in its early stages, but it certainly appears as if the hypergrowth phase of the cybersecurity vendor party has come to an end — abruptly. It turns out that when the spigot of easy investor capital shut off, some vendor leaders discovered that they were “not optimized as a business,” as Cybereason CEO Lior Div commented. With turbulent times ahead, the tech world signaled that cuts were coming, and cybersecurity vendors followed. The cuts are happening for a few reasons:
- Cheap, available capital disappeared faster than cybersecurity startups expected.
- Everything regresses to the mean: Hypergrowth takes a back seat to profitability in turbulent times.
- Investors prefer companies with product market fit, not subsidizing those still searching for it.
- Headcount reductions are an easy way to cut costs, and remaining employees are asked to do more with less.
As sales cycles start to lengthen and attach rates diminish, expect more announcements … and more personnel to become available. This blog covers what security leaders and practitioners should know about these conditions and how to endure trying times … as we enter an entirely different set of trying times.
As The Gilded Age Of Cybersecurity Unicorns Ends, An Era Of Opportunity Begins For CISOs
Security leaders can rely on externalities to help preserve their budget. After all, security matters. Cybersecurity vendors, however, are not so lucky as the investor ecosystem that subsidized their mega-growth initiatives goes to ground. The staffing and skills shortage still very much exists, and security leaders’ next great hire might come from those let go by a security vendor “optimizing its business.” As you watch the next several quarters unfold and more announcements fill your LinkedIn and Twitter feeds, take the following actions:
- Recruit from vendors the way they recruit from customers. Vendors often hire cybersecurity practitioners from nonvendor organizations, but practitioners do so less often. Do not ignore vendor talent because they haven’t worked on a corporate cybersecurity team before. The talent that vendors will let go as they trim costs will come with diverse backgrounds and experiences from working with dozens to hundreds of other organizations. Use this to your advantage by hiring this talent and learning from experiences that come from other regions, verticals, and people.
- Look for skill sets that you may have previously ignored. Consider how sales engineers could make excellent security architects — especially in customer-facing roles such as product security for revenue-generating products and services. Think about how product marketers, marketers, and account team members could join to drive security awareness and training initiatives and help with a security brand internally.
- Protect your people…by retaining them. Shiny, new security tech vendors offering elevated titles, anywhere-work models, and stock options were appealing destinations for those engineers and security analysts looking to make a change during the “great resignation.” But recent announcements will give your team members pause. Take the time to reinforce your commitment to your employees by increasing flexibility (if you haven’t already), delivering market adjustments to salaries, promoting skip-level meetings and job rotations, and funding and providing time for training and upskilling within normal working hours. Make it clear that the path for advancement is with your organization.
- Expect your vendor relationship to worsen. Job cuts hurt morale. Seeing friends and colleagues depart for reasons entirely out of their control makes everyone nervous. The personnel let go might be redundant in the eyes of company leaders, but they may have played a vital role in a process or function that you depend on from that vendor. The current personnel will have more added to their plates on a day-to-day basis, as the company needs the remaining personnel to do more with less. Pay close attention to fluctuations in vendor performance, and start evaluating replacement vendors.
- Put the pressure on vendors now. Security matters — we know that and your peers on the executive team know that, as well, but if companies do start cutting costs, cybersecurity will not escape unscathed. If vendors are cutting as a proactive measure, use that as leverage to start reducing your costs — in terms of what you spend with them. Slowing sales cycles will make vendors want to renew sooner — and with multiyear contracts — so use this time to negotiate aggressively to maximize your position. If you can shrink spending with vendors by exploiting their concerns about economic turbulence, it may result in you saving your own headcount. And … if you just so happen to migrate from a vendor that raised a billion or more in funding only to cut hundreds or thousands of jobs months later because leadership that does that is leadership you have some concerns about … I doubt your security team would complain.