With Latest Layoffs, Is The Cybersecurity Startup Bubble Bursting?

Industry officials brace for a slowdown but say demand for security should remain strong

As industry leaders gather this week for the annual RSA Conference in San Francisco, economic storm clouds are potentially on the horizon for the cybersecurity sector.

There’s still strong investor enthusiasm for all things cybersecurity, as evidenced by the almost daily announcements of large venture-capital deals involving promising young companies. Last Thursday, Cambridge, Mass.-based Devo Technology announced that it had raised another $100 million, boosting its valuation to $2 billion.

But on the same morning of Devo’s announcement, Cybereason, an endpoint-security firm that raised $325 million in funding last year, was confirming that it was laying off 10 percent of its workforce, citing deteriorating market conditions.

Meanwhile, Lacework, a cloud-security startup that raised $1.3 billion last year, announced late last month that it was laying off 20 percent of its workforce, blaming a “seismic shift” in the public and private markets.

With Wall Street pounding stocks in general and the IPO market drying up as result, other technology companies have been slashing their payrolls, with TechCrunch estimating that 15,000 tech jobs were eliminated in May alone in the U.S.

In general, market conditions have grown dire enough for Y Combinator, the Silicon Valley-based startup accelerator, to recently warn company founders that they better “plan for the worst” when it comes to rough economic times ahead.

Brittany Greenfield, founder and CEO of Wabbi, said her firm and other young security companies are definitely being told by investors that they better batten down the hatches.

“Everyone is getting the same guidance – be prepared to ride it out,” said Greenfield, whose Boston-based application security orchestration and correlation (ASOC) firm raised $2 million in funding late last year.

The most recent venture-capital data related to cybersecurity is a little mixed. According to Crunchbase, VC funding for cybersecurity startups hit nearly $6 billion in the first quarter of 2022, up almost 50 percent from the first quarter of 2021. But first quarter funding was down from the $8.2 billion raised in the fourth quarter of 2021, according to Crunchbase.

Mark Hatfield, a founder and general partner of Ten Eleven Ventures, said cybersecurity remains a solid long-term bet for investors, based on the strong demand for cybersecurity products and services in general.

In fact, last week Ten Eleven, whose focus is entirely on cybersecurity firms, announced it has raised $600 million for its third generation fund to invest in the next wave of security companies.

Still, Hatfield acknowledged that cybersecurity startup valuations reached their peak about five or six months ago and have been falling ever since.

Part of the reason for the valuation fall is that a number of crossover funds, or large investment houses that invest quickly and heavily in hot sectors, have recently pulled back from cybersecurity and other tech spaces, Hatfield said.

Among the major investors in retreat is Tiger Global Management, the giant hedge fund that the Financial Times recently reported had lost $17 billion due to the tech sell-off on Wall Street.

Alex Doll, a founder and managing partner of Ten Eleven Ventures, said a pronounced “bi-furcation” in the cybersecurity sector emerged about two years ago – between passive investors, or large players betting on data trends, and active investors, who spend more time working with founders and who have longer-term goals.

With the onset of the pandemic in early 2020 and the rise of remote work, the demand for cybersecurity products skyrocketed – and that demand attracted more passive investors looking for shorter-term gains, said Doll.

Now those passive investors are pulling back.

“Large funds are leaving the (cybersecurity) field a little bit,” he recently told CRN. “We just had a sort of Covid bubble that is going to unwind a bit, in terms of non-cyber-related investors leaving the space.”

Ofer Schreiber, senior partner at YL Ventures, the Silicon Valley and Tel Aviv-based VC firm focusing on cybersecurity, said a market shift is clearly under way.

“Market fluctuations are hitting the entire tech industry hard, and cybersecurity companies and investors should not ignore the current market climate,” he said in a statement to CRN. “As early-stage investors, we have always urged our portfolio companies to build solid foundations and maintain fiscal responsibility in order to secure their runway throughout any market conditions. Cybersecurity startups must focus on the fundamentals in order to succeed despite the market downturn.”

Still, Schreiber expressed long-term confidence in the industry as a whole.

“The cybersecurity sector has traditionally been resilient to market fluctuations due to the constant and escalating threats it seeks to mitigate,” he said. “As cyber threats grow, we can anticipate continued growth in the demand for innovative and groundbreaking cybersecurity solutions.”

Kyle Hanslovan, co-founder and CEO of MSP threat researcher Huntress, said he sees a slowdown in cybersecurity investing, as evidenced by falling valuations and recent layoffs.

“I do think there will be less investments,” he said. “But while there may be fewer (deals), I think there will still be higher-quality investments.”

As for the recent layoffs at firms like Lacework and Cybereason, Hanslovan said they’re often necessary moves to control spending in anticipation of leaner times ahead. “I absolutely expect other companies to pull back if they’ve (overextended) themselves,” said.

It‘s not just startup CEOs and their investors who are reacting to market pressures of late.

In a recent interview with CRN, Andre Durand, CEO of publicly traded Ping Identity, said his Denver cybersecurity company is closely monitoring economic conditions and assessing potential market scenarios moving ahead.

“We’re talking about it,” he said. “You hate to (see) things become kind of self-fulfilling, where everyone worries about it and then they create it. But there is a lot of uncertainty that the market is projecting right now, both on the inflation side and then rising interest rates. In management, you’re always trying to anticipate what‘s going to happen to make sure that you are prepared.”

But Durand made clear he thinks cybersecurity firms should weather a downturn better than other tech companies.

“I do think that security is not a ‘nice to have,’ even in market downturns. It‘s a ‘must have’ in this environment,” he said. “So I do think security in general makes the cut. But the size of deals and how fast companies are willing to take on projects, all of that stuff could get elongated.”

Rick Smith, founder and CEO of Renactus Technology Inc., a Union, N.J.-based MSP, said stock market and venture-capital investment concerns are not what channel players are paying attention to these days.

When it comes to economics, it’s all about high inflation, he said.

“We’re being impacted most by price increases that are passed down to us (from vendors) and our price increases are passed on to customers,” he said. “Everyone is bearing the brunt of inflation.”

While there’s widespread concern about the economy, Smith said customers “are not pulling back on security spending at this point.” The reason: they consider cybersecurity as vital to their future.

“But they’re more conscious of their cybersecurity dollars and how they’re spent,” he said, noting that channel players have to be cautious about losing clients to others who are charging less.