The End of ZIRP for the Cybersecurity Industry

When the Federal Reserve ended nearly two decades of cheap money, the cybersecurity industry faced its first real economic reckoning.

The Zero Interest Rate Policy (ZIRP) era transformed cybersecurity from a modest industry into a venture capital darling. But when the Federal Reserve began raising rates in 2022, the party ended abruptly.

What followed was a market correction that revealed which companies had built sustainable businesses and which had merely been riding the wave of cheap capital.

The ZIRP Boom: Easy Money, Easy Growth (2008-2021)

For over a decade, historically low interest rates created a perfect environment for cybersecurity companies to raise capital and grow rapidly. With borrowing costs near zero, investors poured money into the sector, chasing growth at any cost.

The numbers tell the story of excess. Cybersecurity funding peaked at unprecedented levels during 2020-2021, with companies raising massive rounds based on growth metrics rather than sustainable unit economics. Unicorn valuations became commonplace, and even early-stage companies commanded premium prices.

This environment bred a specific type of company: high-burn, high-growth organizations that prioritized market share over profitability. The assumption was simple: capital would always be available to fund the next stage of growth.

The Reckoning: When Capital Became Expensive

When the Fed began raising rates in 2022, the cybersecurity industry experienced its first real economic stress test since the post-9/11 boom. The impact was swift and comprehensive.

Capital Markets Froze

For both private and public deals, the cost of capital for cybersecurity founders and investors soared. What had been favorable borrowing conditions became prohibitively expensive. Tech company valuations across all sectors dropped to less than half of previous years' levels, making it dramatically harder to raise money on favorable terms.

Significantly fewer cybersecurity companies achieved unicorn status, and IPOs became virtually non-existent (though this wasn't unique to cybersecurity).

Investor Behavior Shifted Dramatically

Investors increased their level of due diligence and became far more cautious with capital deployment. Early-stage deals essentially stopped until midway through Q3 2022, when some semblance of price discovery returned to the market.

Perhaps most tellingly, opportunistic investors who had flocked to cybersecurity in 2021, searching for returns, pulled back entirely. The sector lost its appeal to generalist investors, leaving only specialized funds and strategics in the market.

The Human Cost

The broader tech sector saw over 150,000 layoffs according to data from Layoffs.fyi, and cyber companies were not spared. Companies that had raised over $1 billion in funding and doubled or tripled their staff between 2020 and 2021 were forced to make significant layoffs to curb their burn rates.

Unlike the boom years of 2020-2021, fewer cybersecurity companies emerged from stealth in 2022. Those that did had more defensible positioning and solid product-market fit rather than just compelling growth stories.

The Customer Side: Budgets Under Pressure

The end of ZIRP didn't just affect vendors; it fundamentally changed buyer behavior. CISOs and security teams were forced to make budget concessions and consolidate their security stacks for the first time in years.

This represented a stark reversal from the previous five years, when security budgets seemed immune to economic pressures. However, the impact wasn't uniform. Smaller companies were hit harder than larger enterprises, which had more resilient budgets and established security programs.

Sales Cycles Extended

Cybersecurity vendors experienced longer sales cycles with each customer they won, as well as extended deployment timelines. The focus shifted from acquiring new customers to maintaining relationships with existing ones. Customer success became critical as new logo acquisition became more challenging and expensive.

SME Market Pressure

The small to medium enterprise (SME) space, already underserved in cybersecurity, saw additional pressure as vendors attempted to push further upmarket. With enterprise deals taking longer to close, many vendors abandoned lower-value segments entirely.

Federal Focus: A Bright Spot

One notable exception to the downturn was federal spending. Large, publicly traded cybersecurity vendors put significant focus on the US federal sector, riding the wave of zero-trust initiatives and efforts to secure critical infrastructure.

This focus was heightened by increased public-private partnerships from agencies like CISA and the urgent need to address cyber-physical attacks stemming from the Russia-Ukraine war. Public sentiment for cybersecurity reached new heights, even as macroeconomic forces created headwinds for the private sector.

The Shift to Operational Efficiency

As I discussed on Daniel Miessler’s podcast, the most significant change was the industry's shift from growth-at-all-costs to operational efficiency. This wasn't just about cutting costs; it was about building sustainable business models.

Companies began focusing on:

  • Unit economics and customer acquisition costs

  • Sustainable growth rates and paths to profitability

  • Operational efficiency metrics beyond just revenue growth

  • Customer lifetime value and retention rates

Private equity firms, with their focus on operational improvements, gained influence over traditional venture capital. Roll-up strategies became more common as firms looked to consolidate fragmented markets.

A Year of Contradictions

2022 was indeed a year of contradictions for the cybersecurity industry. Public sentiment for cybersecurity had never been higher, and the risks of poor security had never been more apparent. Cyber attacks continued to make headlines, and regulatory pressure increased across all sectors.

Yet at the same time, macroeconomic forces provided strong headwinds. Companies that had thrived in the ZIRP environment found themselves struggling to adapt to a world where capital efficiency mattered more than growth metrics.

Predictions for 2023 (And What Actually Happened)

In early 2023, as the industry was still reeling from the ZIRP correction, I made several predictions about what the post-ZIRP landscape would look like:

  • More early-stage deals with reduced valuation pressure

  • Additional layoffs as companies continued right-sizing operations

  • Down rounds for later-stage companies needing capital

  • Focus on net revenue retention over new customer acquisition

  • Continued IPO drought making private markets the primary exit

  • Wave of PE leveraged buyouts and industry consolidation

All of these predictions materialized in 2023, validating the fundamental shift in market dynamics.

The K-Shaped Recovery

The post-ZIRP recovery followed a distinctive K-shaped pattern that fundamentally split the cybersecurity industry. As I analyzed in The K-Shaped Recovery of the Cybersecurity Industry, this wasn't just a temporary market fluctuation but a permanent restructuring of the market.

Top of the K - Enterprise Segment Thriving:

  • Large organizations with substantial, resilient budgets

  • Financial services and federal agencies with mandatory spending

  • Focus on "required spending" where cybersecurity remains non-negotiable

  • Vendors gained pricing power due to the critical nature of security

Bottom of the K - SMB Segment Struggling:

  • Small to Medium Businesses faced constrained budgets

  • Reduced technology and cybersecurity spending across this segment

  • Vendors abandoned lower-value customers to focus resources upmarket

  • Fewer product options and reduced support for price-sensitive customers

Market Bifurcation Accelerated: As I noted at the time, "The price for risk reduction will go up significantly," and this prediction materialized through premium pricing in the enterprise segment while SMBs faced reduced options and higher per-seat costs.

This K-shaped pattern wasn't just about recovery timing; it created permanent changes in market structure that persist today.

Lessons Learned

The end of ZIRP taught the cybersecurity industry several lessons:

  • Unsustainable Conditions Create Bubbles: ZIRP created a decade of easy money and inflated expectations that couldn't last forever.

  • Market Forces Override Sector Enthusiasm: Despite the growing importance of cybersecurity, macroeconomic conditions ultimately determined capital availability and company valuations.

  • Fundamentals Endure: Companies that maintained reasonable burn rates and focused on unit economics weathered the storm better than high-growth, high-burn organizations.

  • Product-Market Fit Cannot Be Faked: In a capital-constrained environment, only companies with genuine product-market fit can maintain growth trajectories.

  • Different Eras Require Different Strategies: The growth-at-all-costs playbook of the ZIRP era became a liability in the post-ZIRP world.

  • Timing Matters More Than We Admit: Success during ZIRP didn't guarantee survival after it ended.

The cybersecurity industry emerged in 2022 more mature, more focused on sustainable business models, and better prepared for future economic cycles. While the easy money era was over, the companies that survived built stronger foundations for long-term success.

Looking Forward

The post-ZIRP cybersecurity industry looks fundamentally different from its predecessor. Growth remains important, but sustainable growth backed by strong unit economics has become the new standard. The industry has learned to operate in a capital-efficient manner while continuing to drive innovation and address evolving threats.

This maturation may actually benefit the industry in the long term, creating more sustainable companies that can weather future economic storms while continuing to protect our increasingly digital world.
