Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m rounding out the year with a pertinent repost because I have been spending time with friends and family. Many of these predictions happened or are happening despite a recession not happening. Maybe people are preparing for one? Who knows. Anyway, hope you enjoyed your holidays!
One last thing! If you have any remaining professional development budget, please consider buying a paid subscription to support me. I am running a 50% off sale until 1/3 for those who don’t have the budget until the new year.
I’m honestly a bit tired of all the speculation on whether there will be a recession. The better question is how a contraction in spending or the economy would affect me or my industry. Many people seem to be planning for this, but in tech especially, it feels like a healthy contraction. Tech has grown too fast in the past few years and has become extremely bloated and inefficient. Almost a decade ago, companies did far more with fewer engineers and worse tools. Many didn’t even use the cloud and had to build and maintain their own data centers!
Anyway, this newsletter is focused on my cybersecurity predictions for 2023. Having talked to various security organizations and having done our own planning, I have five main predictions. The overarching theme is greater efficiency leading to lower costs, which should always be the goal. However, when funds and budgets are plentiful, it is easy to lose track of this in the name of “growth.”
This will be a great year for security engineers.
As companies look for more efficiency, smart security leaders will look to automate security operations. The biggest expense in security, as in any company and especially tech companies, is people. This means there will be fewer security operations personnel, and they will be replaced with security engineers who can build tools and scale themselves and their processes better. We are already starting to see more security organizations move under engineering, especially in tech companies. Even companies that have traditionally had operations-heavy security teams will look to re-organize their security team under engineering. This will lead to more efficient management of the security organization, i.e. fewer layers of management, as well as better alignment and collaboration with engineering.
Honestly, this is long overdue, and I’ve been discussing this trend of more security engineers and of security being part of the engineering organization for a while. However, nothing is a stronger motivator than cost-cutting and a recession! Overall, this forcing function will substantially improve the security industry. Finally, most of the hires, similar to the trend in software engineering, will likely be at the senior/staff/principal level. These hires require little management and will create a foundation for more junior hires once the economy improves.
Cybersecurity services will have a great year.
Security organizations will look to cut functions that don’t have enough “continuous work.” Security engineers help with this because they tend to be generalists. However, certain functions will be slimmed down through outsourcing. For example, many companies have in-house red teams, pen-testers, and incident responders, but these teams were likely built with a certain growth or scale in mind, and that growth is being revised given economic conditions. To keep similar capabilities, companies will retain cybersecurity services firms or sign larger retainers to do this type of work, much as they hire outside counsel or accountants. As a result, cybersecurity services will see an increase in project work.
Companies will have a smaller security budget but buy more tools.
Budgets will likely not increase overall. Most existing renewals will probably go through with little to no increase. The reason is that most contracts are based on usage or seats, and given lower growth overall, there will be an argument for less usage and fewer seats going forward. It’s also possible that a company overcommitted for this year, in which case spending might even contract.
To manage a smaller budget, companies will likely reduce headcount and lean more on tools to automate. As a result, they will buy more tools, but as I said above, they will want to spend less on their current tools so that the savings, along with the budget freed up by reduced headcount, can be reallocated toward tools that solve additional problems.
There will be substantial consolidation in the various security categories.
As a way to reduce costs and operational effort, i.e. the headcount needed to manage tools, security leaders will look to consolidate their tools as much as possible. Security companies with strong platform plays like Snyk and Cloudflare will do well in this scenario. As this trend plays out, we will see more companies acquire startups to add features and products quickly to their platforms so that customers can easily add on. This trend is also a way for security companies to expand their contracts without much additional effort and to combat the flat or contracting renewals described above, i.e. they will sell another product on the platform to solve a problem for an organization. As a result, bigger platforms will expand their capabilities, and there will be fewer point and “one-trick pony” solutions, leading to fewer vendors overall. Companies that have a strong platform should pre-emptively buy some startups!
VCs will continue to invest in early-stage cybersecurity startups.
In general, the vast majority of growth deals and growth-stage companies have slowed down. It’s become clear who the winners are going to be, and VCs are doubling down on those. However, this is a great time to start an early-stage cybersecurity company. I believe that if the above predictions come true, there will be a fundamental shift in companies’ security tooling strategy. In many ways, it’s similar to the shift when the public cloud became mainstream, except that this time the security tools will be tailored toward increasing operational efficiency and supporting security engineers. What’s unclear to me is whether this shift and these organizational changes will be permanent. The value, in my mind, is obvious, but the question is whether executive teams will see it. It’s up to security leaders to define these metrics and present them clearly to the rest of the executive team.
Conclusion
There will be some fundamental (and hopefully positive) shifts in cybersecurity this year. They are all related to increasing efficiency, which is what many companies are trying to do in anticipation of a recession. In my opinion, cybersecurity has been inefficient for too long, and the forcing function of uncertain macroeconomic conditions will create more sustainable organizations and better demonstrate how security can deliver value in meaningful ways.