Despite the more than $100 billion spent each year fighting cybercrime, when we do an end-of-year look-back and ask, “How did we do,” the answer is invariably the same: worse than last year.

Pre-pandemic, the picture was disheartening. But since March of 2020 the situation has only worsened as cybercriminals have become increasingly sophisticated, better-funded and more brazen. Security operations pros continue to fight, but unlike conventional wars, this one has no end. The flip side, of course, is that markets continue to value cybersecurity firms at significant premiums because this huge opportunity will continue to grow by double digits for the foreseeable future.

In this Breaking Analysis, we share our quarterly look at the state of cybersecurity, with a focus on 2021 and beyond. We’ll update you with the latest survey data from Enterprise Technology Research and convey the fundamentals that have investors piling into the security space like never before.

Cybersecurity remains the No. 1 priority for CIOs and CISOs

The latest ETR survey once again asked information technology buyers to rank their top priorities for the next 12 months. In the last three polling periods, dating back to March 2020, cybersecurity has outranked every top spending category including cloud, data analytics, productivity software, networking, AI and automation/robotic process automation.

This shouldn’t surprise anyone, but it underscores the challenges organizations face. Not only are they in the midst of a nonoptional digital transformation, but they have to also fund a cyberwar that has no ceasefires, no truces… and no exit path.

Ransomware has become a household word

There’s much more going on in cybersecurity than ransomware, but that certainly has the attention of executives. And it’s becoming more and more lucrative for attackers. Below a snapshot of some of the more well-documented attacks this decade, many which have occurred in recent months.

CNA financial got hit earlier this year and paid a $40 million ransom. The Health Service of Ireland got hit this year and refused to pay the ransom. It’s estimated that the cost to recover and the damage to the organization exceeded half a billion dollars. The JBS Meat Company hack: $11 million paid. CWT travel: $5 million. The disruption from the Colonial Pipeline Company was widely reported and it paid more than $4 million, as did Brenntag, the chemical company. The NBA got hit and so did computer makers Quanta and Acer.

More than 2,000 ransom attacks were reported to the FBI in the first seven months of 2021, up more than 60% from 2020.

As we’ve said many times, you don’t need to be a genius to be a ransomwarist today. Anyone can go on the dark web and tap into ransomware as a service. Attackers have insidious names such as DarkSide, REvil, the Cobalt Crime Gang, Wizard Spider, the Lazarus Gang and numerous others. Criminals have established negotiation “desks” as most typically the attackers demand a specific amount of money but are willing to compromise in an exchange of cryptocurrency for decryption keys.

As mentioned, it’s not just ransomware. Supply chain attacks such as the Solarwinds hack hit organizations within the U.S. government and companies such as Mimecast Ltd. Although these attacks often do end up in a ransom situation, the attackers sometimes find it more lucrative to “live off the land” in stealth fashion and exfiltrate sensitive data. This data can be sold or – as is often the case with many financial institution attacks – surveillance information from a chief investment officer can provide signals for an upcoming trading strategy, which attackers can front-run.

Of course, phishing remains one of the most prominent threats, only heightened by the work-from-home trend as users bring their own devices and less secure home networks.

A silver lining for investors

If there’s a problem, entrepreneurs and investors will be there to solve it. Below is a LinkedIn post from one of the top investors in the business, Mike Speiser. He was the founding investor in Snowflake Inc. and helped get Pure Storage Inc. to escape velocity and many others. His company, Sutter Hill Ventures, co-led a $1.3 billion Series D round on an $8.3 billion valuation.

Lacework Inc. is a threat detection software company that looks at security as a data problem and monitors exposures across clouds. So watch for that company to soar.

VC money pours in

The right-hand chart shows venture investments in cybersecurity over the past several years. You can see it exploded in 2019 to $7.6 billion – and people thought the market was peaking at that point. But investments rose a bit to $7.8 billion in 2020 in the middle of a lockdown. The hybrid work, cloud and new normal thesis kicked in full gear this year with nearly $12 billion invested in the first half of 2021 alone.

No shortage of choices for buyers and investors alike

The money keeps coming as the problems gets worse. And the market gets more and more crowded. We like to show the slide below from Optiv. Its security taxonomy will make your eyes cross. There are many companies in different sectors of the market.

Comparing cybersecurity peer companies

Let’s reduce the list down a bit and bring up some ETR data.

The chart above is based on survey data from October that shows Net Score or spending momentum on the vertical axis and Market Share or pervasiveness on the horizontal axis. That’s a measure of mention share, if you will. This is the information security sector within the ETR taxonomy with no filters in terms of the number of responses. In other words, this represents every company ETR picks up from its buyer surveys and is obviously a subset of the Optiv graphic.

Companies above the red line are considered to have highly elevated spending momentum on their products. And you can see there are a lot of companies that in this map and several above that magic mark.

The momentum of Microsoft Corp. and Palo Alto Networks Inc. is most impressive because of their pervasiveness in the study, with Cisco Systems Inc. and Splunk Inc. quite prominent as well. And you can see the companies that have been real movers in the market lately, such as Okta Inc., CrowdStrike Holdings Inc., Zscaler Inc., CyberArk Software Ltd., SailPoint Technologies Inc., Auth0 Inc… companies we’ve extensively covered in previous episodes as the up-and-comers.

And it’s interesting that Datadog Inc. is showing up on the vertical axis as it’s becoming more and more competitive to Splunk in this space. The lines are blurring between observability and log analytics and security… and as we’ve previously reported, backup and recovery.

Further narrowing the field

Let’s simplify this picture even more and filter the data to those companies with more than 100 responses in the ETR data set. The chart below shows the same XY view, but we require more than 100 responses to be displayed here. In other words, the companies must have a notable market presence to make the cut.

It’s perhaps a bit less crowded but still very much packed, isn’t it? You can see firms that are less prominent in the space like Datadog fell off. The big companies we mentioned are still in — Microsoft, Palo Alto, Cisco and Splunk.

And then those with real strong momentum that are somewhat smaller but gaining in the market – Okta with Auth0, which Okta acquired, as we discussed earlier this year – both showing strong. As are CrowdStrike, Zscaler and CyberArk, which does identity in competition with Okta. And there’s SentinelOne Inc., which went public in June. The company uses AI to do threat detection and has been doing well. SailPoint and Proofpoint Inc. are right on that red elevated line and then there’s a big pack in the middle.

This is not an easy market to track as virtually every company plays in security. For example, Amazon Web Services Inc. has some of the most advanced security in the business and it’s not in this chart. Yet Microsoft is. And it’s because much of AWS’ security is built into services and Amazon customers leverage the ecosystem and often associate their security with partner products.

And you’ll see networking companies such as Juniper Networks Inc. in the ETR data; and players such as VMware Inc., which has been acquisitive (such as Carbon Black); and many legacy players such as McAfee Corp., RSA Security LLC and IBM Corp.

So virtually every company has a security story and that will only become more common in the coming years.

Charting the top 10 and beyond

Below is another look at the ETR data. It’s in a raw form but will give you a sense of two things: 1) How the data from the previous chart is plotted; and 2) A time series of this data.

The data lists the top companies in the ETR data set sorted by the October Net Score in the rightmost column. Again, that measures spending momentum. To make the cut here, you had to have more than 100 mentions shown on the left as Shared N – that is, shared accounts in the data set. And you can track the data from last October, July 2021 and the most recent October survey.

We drew the red line at just about the 40% Net Score mark and coincidentally there are 10 companies over that figure. We sometimes call out the four-star companies as those with both the top 10 in spending momentum and the top prominence (Shared N) in the data set. So some of these 10 would fit that profile by that methodology. Specifically Microsoft, Okta, CrowdStrike and Palo Alto Networks would be four-star companies.

A couple of other things to point out here: Distributed denial-of-service attacks are still a real threat and a company such as Cloudflare Inc., which is just above the red line, plays in that market.

Now, we’ve also shaded the companies in the fat middle. Many of these, such as Cisco and Splunk for example, are major players in the security space with strong offerings and customer affinity. So this is what makes the security market so interesting: It’s not like the high-end disk array market, where literally every single company in the Gartner Magic Quadrant is in the upper right.

This market is diverse with many segments and subsegments and it’s such a vital market and there are so many holes to fill… with an ever-changing threat landscape as we’ve seen these past two years.

Wall Street has rewarded the opportunities

The growth and diversity in the cybersecurity market make it good hunting ground for investors. There’s plenty of room for more growth, and not just from stealing market share – that opportunity is there – but things such as cloud, multicloud, shifting endpoints, edge and so forth just make this market ripe for investments.

To underscore this point, we put together the above chart of some of the pure-play security firms to see how their stock has done recently.

The chart shows stock performance and current valuations with the crosshairs at March 1, 2020 – just before lockdown. It’s not hard to see that Okta, CrowdStrike and Zscaler on the left have been big movers. SentinelOne went public in June, so we don’t show pre-pandemic data for it, but it’s quite obvious that since the lockdown, these six companies have been on a tear. And the most powerful fundamental is that hybrid work-from-home has created a shift in spending priorities for chief information security officers.

No longer are organizations just spending on hardening a perimeter. That perimeter has been blown away. The network is flattening. Work is what you do — it’s no longer a place. As such, threats are on the rise, and cloud, endpoint and identity access tools have become increasingly vital.

So it’s no surprise that the players we’ve listed here – which play quite prominently in those markets – are all on fire.

The half-full scenario

In summary, we want to stress that although the picture is sometimes discouraging, the entire world is becoming more and more tuned into the threat. And that’s a good thing. Money is pouring in. Technology got us into this problem and technology is a defensive weapon that we’ll use to continue this fight.

But it’s going to take more than technology.

We get dozens and dozens of inbounds this time of year because we do an annual predictions post, so folks want to help us out. Now most of these predictions are just observations, or nonpredictions that can’t be measured – as in “Were you right or wrong?” For the most part, we like predictions that are binary.

For example, last December we predicted that IT spending in 2021 would rebound and grow at 4% relative to 2020. That appears to be a prediction that was off. We think it’s going to grow more like 7%. Not to worry… plenty of our predictions came true, but we’ll leave that for another day.

At any rate – we got an email recently from Dean Fisk of Fisk Partners, a public relations firm representing Lyndon Brown, chief strategy officer of Pondurance, a security consultancy. And the email had the standard “Hey, in case you’re working on a predictions post this year-end….” But instead of sharing a bunch of nonpredictions, the note said, “Here are some trends in cybersecurity that might be worth thinking about.” And there were a few predictions sprinkled in.

So we want to call out a couple from Brown – whom we don’t know, never met the guy — but we thought his trend analysis was thoughtful.

First we’ll share a stat that the United Nations reports cybercrime is up 600% because of the pandemic. Ugh.

OK, but Brown’s first point was that the hybrid workplace will be the new frontier for cyber. Yes, we totally agree – there are permanent shifts taking place and actually we predicted that last year. But he further cited that many companies went from zero to full digital transformation overnight. And many are still on that journey. And his point is that hybrid work will require a complete overhaul of how we think about security. Very true.

The other point that stood out is that governments are going to crack down on bad behavior. We’ve seen this where cybercriminals have had their infrastructure dismantled by governments – no doubt the U.S. government has the capabilities to do so.

But this is tricky, as Robert Gates, former Defense Secretary told us on theCUBE a few years back. He said although we have the best offense, we also have the most to lose, so we have to be very careful and judicious. But Lyndon’s key point was that you are going to see a much more forward and aggressive public policy and new laws that give crime fighters more latitude. Again, this is tricky – like the Patriot Act was – but it’s coming.

Another call-out from Brown we’ll share is his assertion that natural disasters will bring increased cyber risk. This is an astute point. Natural disasters are on the rise and when there’s chaos, there’s cash opportunities for criminals.

We’ll add that the supply chain risk is far from over. This is going to be a continuing theme this coming year and beyond. And one of the things Brown said in his note is essentially you can’t take humans out of the equation. Automation alone can’t solve the problem – but some companies operate as though it can. Just as bad human behavior can trump good security, good human education and behavior will be a key weapon in this endless war.

The last point we would make is we expect to see continued escalation. Government crackdowns will bring retaliation and, to Gate’s point, the U.S. has a lot at stake. So expect insurance premiums to go through the roof – assuming you can even get cybersecurity insurance. And so we should hope for the best, but for sure we must plan for the worst. Because the enemy is coming on strong and they won’t stop.

Deploy technology aggressively, yes. But people and process will ultimately be the other key ingredients that allow us to live to battle for another day.

Keep in touch