The K-Shaped Recovery of the Cybersecurity Industry
The K-Shaped Recovery of the cybersecurity industry will be unequally distributed and have impacts for years to come.
We're in the thick of the Q1 2023 earnings season, and everyone has eyes on the cybersecurity industry.
With all the talk about an economic "soft landing" vs. "hard landing" vs. "no landing," I noticed a trend shaping up in 2023 that I think is worth exploring more.
Recovery of the tech sector will be unequally distributed, even in the cybersecurity sector.
But before diving into what 2023 holds and this theory, it’s important to look back at what changed in 2022 and what happened years prior.
The Before Times
The cybersecurity industry experienced significant growth, funding, and M&A activity between 2015 and 2021. During this period, the tech world, in general, witnessed tremendous growth, largely due to historically low interest rates.
The cybersecurity industry became a particular favorite of investors and one of the few industries considered "recession-resistant."
That record-setting growth can be attributed to several factors:
The rise of, and easy access to, digital technologies and cloud computing
The increasing reliance on data and the concept of "data gravity"
A continued escalation of cyber attacks that has made companies more vulnerable
The increased importance of regulation and compliance around the world
COVID-19 and a global push for remote working
Overall, the cybersecurity industry experienced significant growth and investment over the past few years, and this trend will continue into the future.
The Second Half of 2022 Came in Rough
Then 2022 happened, and the tech sector got punched in the mouth.
"Everyone has a plan until they get punched in the mouth"
The Fed Hiked Rates
Raising interest rates was one of the tools that the Federal Reserve frequently used in 2022 to try and curb a recession.
When the Federal Reserve aggressively hikes interest rates, borrowing money becomes more expensive for individuals and businesses. The goal was to slow down inflation and the economy so people and companies would be less likely to take out loans or invest in projects.
Money Was No Longer Free to Borrow
As a result of the interest rate hikes, money was no longer free to borrow.
Rate hikes affected businesses, especially tech businesses and startups, that essentially borrowed money from venture capital investors to fund and grow their operations.
With higher interest rates, it becomes more expensive for startups to borrow money to invest in growth opportunities. This can lead to a slowdown in the pace of growth for these companies.
Investors Looked a Bit Harder
Capital allocators got cautious.
Due to economic conditions, VCs are starting to consider investing in companies that “produce revenue” (yes, this is a technical term)
— Troy Osinoff 🕺 (@yo)
Jan 3, 2023
Since interest rates were higher, investors had to look a bit harder and be more thoughtful about their investments. Momentum investing, which largely propelled the rocketship growth in cybersecurity funding for 2020-2021, took a nosedive.
Fewer new venture funds got created, and others delayed their launch, so there was less capital to deploy.
Investors pushed founders to right-size and cut their own spending. Tech and cybersecurity companies now had to be more than a "cool idea"; they also had to be profitable and have a good product-market fit (PMF).
Investors had to increase their due diligence cycles and evaluate fewer opportunities more closely.
Startup Valuations Went Down
Higher interest rates and cautious investors led to decreased startup valuations. Startup valuations refer to the estimated worth of a company based on its potential for future growth.
Investors were less willing to invest in startups due to the higher cost of borrowing and the lesser likelihood of seeing the returns they expected. This led to a VC-led correction in the estimated value of startups and left many tech companies scrambling.
At the same time, many businesses, especially in the tech sector, had to tighten their operational spending. What's the easiest way to cut burn for a company?
Layoffs. Lots of layoffs.
And this trend started an avalanche.
With layoffs happening, companies needed fewer seat licenses and bought less software. This meant renewal prices decreased instead of the standard 5-10% annual increase (not including license true-ups).
Additionally, after companies do layoffs, they take their time buying more software with that newfound cash. Companies stop, take stock of how all the costs shake out after making the cuts, and generally pause or stop non-essential purchases across the whole business.
Reducing or delaying software buying at companies meant longer sales cycles, fewer customers in pipelines, decreased sales bookings, and weaker revenue overall.
This combination of forces had a dramatic effect on technology and cybersecurity companies.
What About 2023?
So this brings us to the current time.
After a year like 2022, investors in 2023 were cautious and wanted to wait to see if the other shoe would drop.
A few things made up this proverbial shoe:
Investors wanted to see how AWS, Azure, and GCP came through earnings season
Investors wanted to see the Fed respond to rate hikes and to see the jobs report
Investors wanted to hear from the major public cybersecurity players to see how their Q4 2022 fared
So far, most of these things have come back at least on par with investors' expectations, or even slightly better.
By all accounts, the start of 2023 has shown signs of a recovery for the industry, but not in a uniform way.
A consistent trend I have noticed related to the Q1 2023 earnings calls for cybersecurity companies is a concerted, focused effort on moving more to upmarket customers.
While selling upmarket is typically the goal of most tech companies, this recent trend feels different given the macroeconomic headwinds we've lived through since mid-2022.
The K-Shaped Recovery
This got me thinking about the concept of a "K-Shaped" recovery.
A K-Shaped recovery happens when some parts of the economy recover faster and better than others after a recession. It means that while some people or businesses may do well, others may struggle.
Here's a view of how it looks in economic terms:
Those already at the top before the headwinds will move further up, and those at the bottom will move further down. The "middle" disappears, and you get pulled up or pushed down.
This will likely happen to the cybersecurity industry in 2023 and possibly in 2024. It will affect cybersecurity companies and businesses that use their products and services.
The Top Part of the "K"
There is an intense movement toward "enterprise" and "required spending" in the cybersecurity industry.
"Required spending" is a term I'm using to describe customers who have to spend on technology regardless of economic factors. This can be due to legal, regulatory, or even national security reasons.
These companies must spend on tech and hire people to run it. These companies are also large, in critical sectors like financial services and federal agencies, and have plenty of budget to spend.
The Bottom Part of the "K"
Smaller companies in the SMB space have been the first to cut or delay technology and cybersecurity spending, which you can hear in every earnings call.
Every publicly traded cybersecurity company, except for CrowdStrike, saw a decline in the SMB space regarding net new customers and expansion.
Here is how the K-Shaped Recovery will look for the cybersecurity industry:
As macroeconomic issues morph and change over time (not even including the recent SVB debacle), more cybersecurity companies will be looking to capture that larger "required spend" segment over the SMB segment.
The height of the "security poverty line" will continue to get higher, and more companies will fall below it.
The security poverty line broadly defines a divide between the organizations that have the means and resources to achieve and maintain mature security postures to protect data, and those that do not.
Why spend your time and resources trying to sell to a group that has to say "no" more often than not right now?
Larger, more established cybersecurity companies who already have traction in the Fortune 2000 and up stand to gain the most traction and benefit the most from this uneven recovery.
As there has been an increasing focus on securing critical sectors and public-private partnerships, cybersecurity companies that have a foothold or focus in the critical infrastructure space or those serving national agencies stand to gain even more.
For the companies without that focus or market size, there will be an inflection point: change your core customer makeup or try to make it work with what you've got.
Expect the venture capital backers of these companies to more heavily influence the direction of the companies in this position to get a better return on their investments.
This phenomenon will affect product roadmaps, hiring, fundraising, and customer segmentation for years to come.
What about the middle pack of businesses that rely on these cybersecurity services? They will also experience the pushing down or pulling up effects, but one thing is for certain:
The price for risk reduction will go up significantly.
What Comes Next?
So what will the outcomes of this K-Shaped recovery be?
For the pack in the middle that has the most to lose or gain, I expect a few things to happen:
The Price Hike - Early-stage and pre-revenue cybersecurity startups will have to increase prices to attract investors and show operational runway. As a result, these types of companies will have to exclude the smaller customers and look to move further upmarket and more "enterprise."
The Narrowing - Small to Medium Businesses (SMBs) will take the brunt of this phenomenon (more so than they already are). Now, these businesses will have even fewer cybersecurity options to protect themselves. And the ones they do have? They'll be even more expensive.
The Roll-Up - Early-stage cybersecurity startups that came out between 2020 and 2022 without product-market fit will either close up shop or get acquired. Look for "strategic" acquisitions that are disconnected from historical revenue multiples.
This recovery effort is going to squeeze all but the largest cybersecurity companies and all but the largest customers.
How will companies on both sides of the equation respond and adjust to this recovery?
This remains to be seen, but it's likely to have large impacts for years to come and will affect many startups that we won't fully understand until much later.
What else might be true as a result of this kind of recovery, or what do you think I missed?