As networks have evolved beyond traditional network perimeters, enterprises have realized a need to manage a rapidly growing attack surface with a greater number of devices and applications.

Cybersecurity initiatives tend to lag digital transformation initiatives. Secular tailwinds driving recent growth include enterprise workloads migrating to cloud, the increasing sophistication of cyber attacks, greater adoption of zero trust architectures, security budget expansion, initiatives to secure more distributed networks, and more consolidation.

The security space has a fast velocity of disruption cycle, which makes it complex and crowded. The red queen hypothesis applies here as hackers are becoming more sophisticated at a fast pace too. Continued focus on innovation is a necessary but not sufficient condition to win the space.

So far we have seen three types of winners emerging: (1) innovative platform vendors who expand into adjacent tools, excel in cross-sell and demonstrate strong net dollar retention, e.g. crowdstrike; (2) mega-caps who excel in enterprise sales, e.g. Microsoft. (3) best-in-class solutions get acquired by traditional vendors to boost their next-gen product suites.

Endpoint security is one of the most important subsegments within security and the top spending priority for CIOs. Endpoint security provides protection to laptops, phones, which may become potential gateways for hackers.

Gartner estimates endpoint security to be a $6.4B market, with an 8% CAGR. Endpoint platforms, such as Crowdstrike, SentinelOne saw high double digit growth in 2020.

Two growth drivers are (1) higher numbers of mobile devices from the shift to remote working; (2) next-gen platforms gaining market share from traditional endpoint protection systems.

Traditional signature-based antivirus systems lack efficacy against increasingly sophisticated cyber-attacks. Enterprise customers increasingly favour advanced AI/ML-based detection and response technologies to detect malicious activities.

The risk here is the difficulty of sustaining growth as endpoint growth decelerates post- COVID and competition from new vendors at lower price points ramp making market share gains more challenging.

Identity and access management refers to a continuous process of managing the identities and privileges of users in an organization.

With increasing complexity in enterprise working environment (on-premise or cloud-based workload, BYOD, SaaS application, etc), compromised credentials can serve as an entry point for hackers to breach an organization’s security system.

Gartner classifies IAM into the following four sub-segments:

Access management tools provide authentication, SSO, session management and authorization for applications. Leading players include: Okta, Microsoft, OneLogin, RSA, SecureAuth, Ping Identity.

Identity governance and administration (“IGA”) tools manage digital identities of an organisation’s employees, customers and supplies to ensure that right users have access to the correct data and for legitimate business reasons. Leading players include Okta, SailPoint, Saviynt, Oracle, Microsoft, IBM, One identity.

Privileged access management. Leading players include Thycotic, CyberArk, Centrify, BeyondTrust, ManageEngine, Broadcom.

User authentication. Leading players include Duo security, Microsoft, NortonLifeLock (Symantec), Imprivata, Okta, Centrify.

Gartner estimates IAM would reach $14B by 2023, with a CAGR of 9%. IAM is an initial component of Zero Trust Network Access (“ZTNA”) adoption. Growing interests in Zero Trust can drive meaningful demand for IAM. Recent growth drivers also include remote working, stricter compliance and regulatory requirements.

Vulnerability assessment tools help companies to assess how well their organisations are protected against threats and remediate potential vulnerabilities.

Growth: Gartner projects that the vulnerability assessment market will grow at a low double-digit over the next couple of years, to $1.8B by 2022. The VA market is also fragmented. IDC data suggests that Qualys, Rapid7 and Tenable comprise approx. 25% of the VA market. Beyond security, Alert Logic, Tripwire, Balbix and Arctic Wolf Networks are smaller players in this segment.

Security information and event management (“SIEM”) solutions collect, store and correlate security incidents from endpoints, servers and network devices. Anomalous 6 events will be flagged to provide greater visibility into an organisation’s security posture.

SIEM technology analyses data in the cloud using AI/ML and behavioural patternmatching. The threat graph looks for correlation across the entire dataset, it can detect threats and stop security breaches that on-premise legacy security solutions find hard to replicate.

Growth: The SIEM market is estimated to surpass $6B by 2023, with a CAGR of 13%. Growth in this segment is mainly driven by organisation’s need to detect threats and respond to incidents in real-time. The market was dominated by Splunk, IBM and Micro Focus, that own 50% of the market in 2018

The overall security industry remains relatively fragmented, north of 3,000+ companies in the space.

Network and endpoint security markets remain the largest segments. Endpoint markets are undergoing significant disruption as legacy incumbents face disruption from cloud- native new entrants. Remote working accelerated adoption, the top four enterprise security spending priorities are endpoint, identity, vulnerability assessment (“VA”), security information and event management (“SIEM”).

The endpoint security market is relatively fragmented. The market is still dominated by traditional signature-based vendors. Legacy vendors, e.g. NortonLifeLock (formly, Symantec), Trend Micro and McAfee, account for c.45% of the market. Nevertheless, vendors with next-gen endpoint detection and response (“EDR”) and AI/ML capabilities are taking share.

Barriers to entry tend to be high in IAM because high investment is required upfront to create a comprehensive platform that integrates seamlessly with different IT systems.

In addition, the switching costs for identity solutions tend to be high since they require extensive integration to provide full coverage of digital identities.

Therefore, deployment can be sticky, which could drive pricing power for vendors. IAM is also a focus of large platform vendors, e.g. Cisco acquired Duo Security, Allstate acquired InfoArmor. Microsoft is also expanding into this space, with Azure Active Directory, which offers authentication, access management and governance solutions

A growing distinction between vendors is whether they are point solutions or platform providers. For example, Tenable has remained largely focused on the VA space, partnering with other vendors for network access control as the company views these complementary functions as commodities in nature.

In contrast, Qualys has shifted its focus towards expanding its platform to encompass adjacent functions (e.g. cloud container security, web application firewalls, etc); Rapid7 has extended its capabilities beyond vulnerability management to offer SIEM solutions.

As vendors become more mature, they tend to move into adjacent markets to expand TAM, drive more growth and become more platform-oriented solutions. There is an increasing convergence across subsegments, particularly as vendors in vulnerability assessment, SIEM, and endpoint security extend into adjacent markets.

Security data analytics makes SIEM compatible with other security needs, such that SIEM can provide natural portfolio expansion opportunities. E.g. Splunk, Elastic and Rapid7 moved into SIEM from tangential markets; existing SIEM vendors can also expand into adjacent security segments, e.g. Elastic acquired Endgame to enter endpoint security; Secureworks began offering threat detection and response, combining SIEM and endpoint detection and response (“EDR”) capabilities.

The ability to cross-sell into a large installed base and expand from a point solution to a platform could be an important driver for growth. Gartner recently reports that an average enterprise has ~75 security solutions and almost half of them want to consolidate security vendors in the next 2–3 years.

Key questions for management:

Product: Where do you sit in the value chain? Where do you sit in the network? do you have agents that you deploy throughout the network? How can we think about the architecture

Expansion: How many different products do you have on your platform? How do you think about your roadmap, product expansion and market share gain?

Growth: What are the most prevalent verticals across your platform?What technology, sales effort can leverage across your customer base?