The Cyber Industry Was a Breakout Winner in 2023

It's been a banner year for the overall cyber market, as reflected in the stock prices of three of the largest players (Palo Alto Networks, Zscaler, and Crowdstrike), which are all up more than 120% YTD compared to 42% for the NASDAQ. Palo Alto Networks, where I spent some of my formative years, is closing in on a $100 billion market capitalization, a first in our industry and a tremendous milestone for all of us to bear witness to. Despite their market dominance and obvious commercial success, I question whether these infrastructure security incumbents have their focus on what matters most to retain their lofty status in the years ahead. 

I’ve said on numerous occasions that I believe data security is the final frontier in cyber. As endpoint, network, and cloud security become increasingly commoditized, forward thinking CISOs are adopting a data-centric approach to security, including Dan Walsh, formerly at VillageMD, Dean Perrine at Fox, Prabhath Karanth at Navan, Arlan McMillan at Kirkland & Ellis, Eric Johnson formerly at SurveyMonkey, Mike Santos at Cooley, Richard Rushing at Motorola Mobility, Zack Willis and Michael Traski at IVP, and Chris Payne at VaxCare. These leaders recognize that data is the only corporate asset with terminal value, as all other assets will be rented, shared, and commoditized in the long run, and their approach to securing data needs to be transformed with a modern solution. 

Human Supply Chain Risk in Focus

There has been so much activity over the past three years focused on addressing supply chain risks in our software, catalyzed by the events at Solarwinds, but I wonder if there is a larger risk looming in the era of fractional work and ephemeral employment. 

Think about every partner, supplier, agency, service provider, SaaS vendor, and cloud platform where your data flows. Now think about all of the people who work for these organizations, including their contractors and loosely affiliated labor force who have access to your data, and how little visibility or control you have over their actions. Any of these individuals could steal and sell your data, causing your organization irreparable harm, but you have limited ways to monitor or govern their activity. This human supply chain risk could be at least as prominent as software supply chain attacks but the level of attention on this problem is nascent to non-existent. 

Insider risk is a growing concern for many organizations but very few have formal insider risk management programs with adequate tooling. Furthermore, it’s not always malicious employees who create risk to your data. Employees who are “overemployed” or working multiple jobs remotely unknown to their employers, often work on multiple tasks for different employers simultaneously, making it incredibly easy to send the wrong data to the wrong person.

Some employees simply want to use all available resources to increase their productivity while unknowingly putting your data at risk. Cyberhaven Labs found 11% of data employees pasted into ChatGPT was confidential. Counterintuitively, we also found full-time office-based employees were 77% more likely to take sensitive data than remote counterparts, but when they do take data they are more likely to be physically at home at night or on the weekends where there are fewer corporate security controls (and eyes looking over their shoulder).

Lastly, we must recognize the growing threat of corporate espionage. In October, the heads of the FBI and Britain’s MI5 convened an unprecedented summit with technology companies in Silicon Valley, warning them about Chinese espionage targeted at western companies including semiconductors, AI technology, pharmaceuticals, and defense.

The Data Security Market is Evolving Rapidly 

Data Security Posture Management (DSPM) has attracted massive amounts of venture capital funding along with generous analyst and media attention in recent years, but spending in the category remains modest and vendors are already consolidating. The question remains if DSPM in the long-term is a standalone product category or a feature of Cloud Native Application Protection (CNAPP) platforms like Wiz and Orca. When I talk with CISOs, it’s clear they demand a data security platform that covers all of their data, wherever it goes, and even the most digital native companies recognize their data doesn’t reside exclusively in the cloud.   

Major infrastructure security incumbents like Crowdstrike and ZScaler have dipped their toes into the market with new products they’ve built internally or with acqui-hired teams, while others like Palo Alto Networks are making strategic acquisitions (Dig Security and Talon). Crowdstrike recently GA’d their Falcon Data Protection product, which provides local (single device) file lineage tracking. Despite its obvious limitations, it’s terrific validation of the approach we’ve been advocating for at Cyberhaven for the past 5+ years. 

It used to be that large incumbents offering complete platforms nudged out startups offering best-of-breed point solutions through bundling and other commercial tactics. But now, startups are delivering comprehensive platforms built from the ground up, combining multiple products into one seamless user experience and shipping these products at unprecedented velocity. Startups have the opportunity to disrupt the big players and their multiple, poorly integrated point solutions assembled via acquisitions. In data security, startups will continue to win because of superior coverage, accuracy, and simplicity. 

The Need for Common Data Security Language and Framework

At Cyberhaven, we believe there is a pressing need for a better framework to discuss data security, one that provides a common language for boards and C-suites. Frameworks and benchmarks are essential to calibrate the goals and efficacy of data security programs while also helping security teams establish aspirational roadmaps. 

We are starting to see early traction around the Data Security Maturity Model (DSMM), a new security framework that focuses on data released at RSA this year, and we invite everyone in the community to adopt and contribute to the DSMM in the new year.

Cybersecurity and AI: A Complex Intersection

The intersection of cybersecurity and artificial intelligence (AI) makes the landscape both more challenging and promising. Attackers will leverage AI to launch more sophisticated and personalized attacks but AI will also drive huge innovation on the detection and response side. Arguably, every cybersecurity company is already an AI company, yet the application of AI will vary significantly across product categories. 

In data security, we believe that Cyberhaven's initial breakthrough innovation in building enterprise-scale data lineage is significant, but the 10X opportunity is coming soon with the application of AI atop this foundation. In early 2024, we will release our next big innovation, one that will transform how companies protect data and enable automated, policy-free data protection.

Looking Forward to 2024

As we look to 2024, I predict several key developments that will shape the data security market:

The CEOs of major technology, semiconductor, and AI companies will be called to testify in front of the U.S. Congress about the risk of Chinese espionage and IP theft.

1. There will be an IPO of a pure-play data protection company, even if that company has its roots in data resiliency.
2. Insider risk will become a top 3 priority for CISOs at the majority of Global 2000 companies. 
3. As the number of potential DSPM acquirers whittles due to lackluster market demand, some DSPM startups will be shut down or acquired at fire-sale prices.
4. Gartner will take the initial steps toward creating a Magic Quadrant for the successor category emerging from and combining DLP and insider risk management. 
5. We will stop saying data is the new [insert your favorite metaphor] because it’s anything and everything that matters. 

Cyberhaven will continue to maniacally pursue our mission of building pioneering solutions that restore power and ownership to creators and innovators by protecting their data. 

Thank you for your continued trust and partnership. We deeply appreciate you being part of our story and journey. Here's to a successful and secure 2024!