Insights from category creators and the investors who believe in them.

2023 VC Predictions: Cybersecurity M&As Can Be the Beginning, Not the End

December 15, 2022

In 2021 alone, investors poured close to $30 billion into 1,000-plus cybersecurity deals—making it a record-breaking year for cybersecurity startups. Suddenly, every other company was funded like the next CrowdStrike, with rounds in excess of $100 million becoming the new norm

But 2023 starts on a starkly different note. With a recession looming, the landscape is changing for cybersecurity startups. The pursuit of acquiring new customers and expanding is becoming more challenging in this new macro environment: IT budgets are receiving more internal scrutiny than in previous years, and all leaders and departments are being impacted, including chief information security officers (CISOs). 

Even so, companies still understand that cybersecurity is unique: it has zero tolerance for mistakes, and cyber criminals are not holding back in times of global difficulties. So it’s no surprise that cybersecurity spend is estimated to increase amid recessionary headwinds, with Gartner predicting global spending on security and risk management to grow 11.3% in 2023. But at the same time, CISOs need to justify decisions and articulate benefits more than ever before. Therefore, we predict buyers in 2023 will prefer integrated platforms versus point solutions, since these allow them to avoid lengthy (and costly) deployments, maintenance, and staff specialization.

When M&As mark a fresh entrepreneurial start

As CISOs defend their budgets, larger security players will be looking to purchase products of smaller players to extend their offering and eventually become long-lasting independent players. In the past, large public companies have done a great job of scooping up startups (most notably Palo Alto Networks).

In a recession, every new customer win will become more difficult for cybersecurity startups, as buyers will apply mounting pressure to reduce deal costs. Not all cybersecurity startups will prevail. Therefore, it might make sense for some startup founders to seek the M&A route: they can keep running their company within a larger organization, effectively continuing the entrepreneurial journey under a new umbrella. 

Under the right leadership, startup founders can run a semi-independent product unit that will allow the smaller org to stay nimble and innovate while benefiting from the huge support of marketing and distribution of the incumbent. We’ve seen this come into play with Orca Security’s* acquisition of RapidSec, which keeps shipping products as a startup within a startup. In turn, Orca benefits by providing customers with an API protection offering that would’ve otherwise taken a long time to develop.

After many boom years in cybersecurity and a fragmented security solutions market, consolidation of the cybersecurity space is inevitable in 2023 and beyond. This can be a good thing for CISOs who want to do business with several platform providers versus many point solutions and a good thing for larger security players. It also could be beneficial for startup founders and their teams, since it provides them with a path to keep innovating and spreading their solution in more streamlined ways. 

*Represents a company in GGV’s portfolio

Read more VC predictions: