There Are Way Too Many Cybersecurity Startups. Some Won’t Survive A Recession.

As economic conditions worsen, some security startups will have to face a stark reality: ‘The market cannot absorb all the innovation,’ Check Point Software Technologies co-founder and CEO Gil Shwed tells CRN.

Compared to their peers in the broader tech industry, the cybersecurity sector has seemed pretty sturdy since the economic travails that began last year. Of the thousands of vendors in the cybersecurity market, for instance, just a fraction have done major layoffs .

More cracks in the facade are likely to appear in the coming months, though.

[Related: 10 SASE Companies Making Moves: Q1 2023]

The cybersecurity industry benefits from some unique demand drivers that’ve helped keep many vendors more or less intact during the economic slowdown. Those forces include the ever-growing list of requirements from government regulators and cyber insurers — not to mention those pesky issues of ransomware, data extortion and nation-state threats.

But while some level of demand for cybersecurity tools is essentially built-in at this point, there’s one distinctive factor that puts certain security startups at greater risk of failure than their counterparts in other sectors.

Namely, there are just way too many of them .

The online cybersecurity database CyberDB tallies 3,000 security vendors at present, a small number of which are large, “platform” companies. The rest offer a more-limited set of product capabilities.

Among other things, the glut of companies in the space has exacerbated the widely felt issues of cybersecurity complexity and “tool sprawl .”

Now, as fears of a full-blown recession escalate, so do the concerns that a whole lot of cybersecurity vendors may be vulnerable.

Without a doubt, there is an “overload” of vendors in the market right now, according to Gil Shwed, who ranks among the key entrepreneurs that made the cybersecurity industry a thing in the first place. For those who aren’t familiar, Shwed played a chief role in bringing the modern firewall into existence and, in 1993, co-founded Check Point Software Technologies. (He remains CEO at Check Point, whose alums have contributed to the preponderance of security vendors by launching dozens of them over the past three decades — Palo Alto Networks and Imperva among them.)

Shwed, who has seen a wave of cybersecurity startups burst on to the scene in Israel, recently told CRN that the challenging economic environment, plus the overabundance of security vendors, equals trouble.

“I think we will see some rationalization of the market,” he said. “And unfortunately, we’re already starting to see some of that — companies that don’t survive or have a hard time surviving because they didn’t build a business model that would make them a viable vendor.”

In other words, when some security vendors are forced to turn a profit to stay in business, they may be unable to. And not everyone will necessarily be able to find an acquirer.

“Some companies [won’t] survive it,” Shwed contended.

R.I.P. Good Times

At least one cybersecurity vendor folded in recent months and placed the blame, in part, on economic pressures.

Israeli email security vendor Cyren announced on Feb. 22 that it would cease operations and pursue liquidation of its assets. The 32-year-old, publicly traded company cited “current market conditions and associated challenges with raising additional capital,” as well as its inability to find a buyer.

Shwed is not alone in thinking there may be more of this to come.

Andrew Morris, founder and CEO of threat intelligence firm GreyNoise, put it bluntly in a tweet last week: “Lots of cyber security companies are going to fail this year.”

“They will close their doors from running out of money or go to private equity asset sales,” Morris wrote in the tweet.

This will no doubt be painful in the short term, but “a good thing for the industry in the mid to long term,” he wrote. Many of these companies have subsisted on cheap or free outside capital, Morris wrote, including from a “new wave of more naive VCs [who] are incredibly inexperienced at diligencing cybersecurity technologies”

In recent years, far too many cybersecurity companies have been built with no actual “product” to speak of, said Patrick Dyer, co-founder and CEO of DigitalEra Group, a Miami-based provider of solutions and services in security and networking.

“They just build a feature of a product, and then they become a company,” Dyer lamented.

All in all, “there’s just too many players right now.”

Notably, VC funding for cybersecurity companies plunged 37 percent in 2022 from the record highs of the year before, which is arguably a welcome change.

Prior to the economic slowdown, many cybersecurity startups that “shouldn’t necessarily have been a company” managed to raise VC funding, said Morgan Kyauk, managing director at venture firm NightDragon, in a previous interview with CRN.

‘Too Much Innovation’

In speaking with CRN, Shwed said he certainly feels for anyone who ends up at a failed startup.

“I’m an entrepreneur, so I never like to see an entrepreneur lose their dreams. I hate to see people lose their jobs. It’s not that I look at it in the positive way,” he said. But the fact remains, Shwed said, that the cybersecurity industry has gotten to a point where there has simply been “too much innovation.”

As it stands right now, “the market cannot absorb all the innovation,” he said. “There are good ideas, good people, good technologies. But if you’re a customer, you cannot review 300 technologies every year.”