December 3, 2024 Investment Themes

Security Myths and Misconceptions

The cybersecurity landscape evolved rapidly in 2024, marked by significant financing rounds, notable breaches, and a surge in mergers and acquisitions. As we look ahead to 2025, we thought we’d look back on four of the prevalent “narratives” in cyber this year and try to sort fact from fiction, using our own observations, data from various surveys, and our own internal survey of CISOs, vendors, and security founders.

1. Has Consolidation and “Tool Fatigue” Finally Set In?

Our take: Mixed. One of the prevailing narratives of 2024 was that cyber “tool fatigue” had finally fully set in, and that CISOs were intent on consolidating tools. We heard this from many CISOs in our network throughout the year: they’re tired of managing additional vendors, additional applications, and additional headaches with an ever-expanding suite of products. And without a doubt, this was amplified by macroeconomic uncertainties and evolving security threats.

But the data here is much less clear. CISO surveys are inconclusive: one survey from Anomali shows that 68% of surveyed CISOs plan to consolidate tooling, while another survey from ETR Partners suggests that 51% of CISOs surveyed think they’ll increase the number of tools they buy. Our own internal survey reflected this, with 50% of respondents saying they thought they’d buy from more security vendors in 2024 and 50% responding they felt they’d purchase fewer.

Our observation is that CISOs do desire more integrated solutions and that, all things being equal, the pendulum is swinging towards suites and away from point products. But the data is clear that many organizations are still expanding their vendor base to address specific needs or emerging threats.

This trend is mirrored in early-stage cybersecurity startups; many are shifting their focus toward building platform solutions capable of replacing multiple incumbent point products. Given the variation in responses within the data, we believe this is a great demonstration of startups doing the work to “see around the corner” and anticipate a future where this push for consolidation becomes less mixed and more concrete. Startups are recognizing the headwinds and adapting their approaches accordingly instead of trying to forever push a boulder uphill. It’s a savvy move that leverages current pressures in the market.

2. Are CISO Budgets Shrinking?

Our take: Mixed. Another common belief in 2024 is that economic downturns have universally led to shrinking budgets for CISOs. While financial constraints have certainly impacted many organizations, the broader picture is more nuanced. The data reveals a combination of retrenchment and growth, with some budgets tightening while others continue to expand.

For instance, Proofpoint’s 2024 Voice of the CISO report found that 59% of CISOs felt the economic downturn hindered their ability to make business-critical investments. 48% also reported having to cut staff or delay hiring. This paints a picture of widespread belt-tightening and a cautious approach to spending.

However, other surveys provide contrasting insights. According to Morgan Stanley’s Q2 2024 CIO Survey, IT budgets grew by +3.5% year-over-year, up from +2.9% in 2023, albeit below the pre-COVID average of +4.1%. This suggests that while budgets aren’t growing at pre-pandemic rates, they’re still increasing. Similarly, in our internal survey, 12.5% of respondents reported budget increases, while 50% said their budgets remained flat and 37.5% reported decreases.

Where the increased budgets are being allocated also sheds light on CISO priorities. According to Morgan Stanley’s Q3 2024 CIO Survey, the top-funded areas in descending order were:

  1. AI / ML / Process Automation
  2. Security Software
  3. Digital Transformation

This data reinforces that while growth is slower, security remains a key focus area, with budgets being carefully directed toward high-impact initiatives.

We saw security budgets surge during COVID as organizations scrambled to adapt to remote work and heightened cyber risks. This effectively “pulled forward” demand, leading to an inevitable slowdown post-pandemic. Yet, the data clearly shows a trend of returning to pre-COVID norms rather than a sustained drawback. For cybersecurity founders, this means the fight for budget dollars is fiercer than ever. Buyers are prioritizing products that demonstrate clear value, address urgent pain points, and integrate seamlessly into their existing ecosystems.

3. Is Data Security the Next Multi-Billion Dollar Category in Security?

Our take: Yes. As the cybersecurity landscape evolves, data security has emerged as a foundational priority for CISOs. Protecting sensitive information—through data loss prevention (DLP), governance initiatives, or AI model security—is no longer optional in a world of expanding regulatory oversight and increasingly sophisticated attacks. Data breaches, poorly governed AI models, and weak data governance practices have become vulnerabilities too significant to ignore. These factors are driving enterprises to reevaluate their strategies, creating an opportunity for innovative solutions that could make data security the next multi-billion-dollar category in cybersecurity.

The numbers reflect a growing urgency. According to the CISO Society’s 2024 State of Data Security report, nearly one-third of security leaders indicated plans to increase spending on both AI model security (31.5%) and privacy and governance, risk, and compliance (GRC) initiatives (31%). Similarly, Evanta’s 8 Trends for CISOs in 2024 showed that data security-related areas like IAM / MFA / Zero Trust (44%) and DLP (33%) ranked high among budget priorities, alongside generative AI and cloud security. Proofpoint’s 2024 Voice of the CISO report revealed a 16% year-over-year increase in the adoption of DLP technology, rising from 35% in 2023 to 51% in 2024.

These trends indicate a clear recognition of data security as a top priority. Investments in areas such as DLP and privacy frameworks underscore how organizations are adapting to a world where lapses in data governance or compliance carry significant reputational and financial risks. The rapid growth in DLP adoption highlights that CISOs aren’t merely identifying data security as an area of improvement—they’re actively deploying solutions to address it.

For startups, this shift represents a golden opportunity. As data security intersects with broader industry themes like AI adoption and cloud migration, there is an increasing need for solutions that address these challenges comprehensively. However, the path won’t be easy. Data security often requires cross-functional alignment—spanning IT, compliance, and even legal teams—which adds complexity to sales cycles and product adoption. To succeed, startups will need to demonstrate not only technical efficacy but also the ability to simplify workflows, enable compliance, and mitigate risks in an increasingly regulated landscape. Those who can deliver clear value while addressing these challenges will be well-positioned to thrive—and possibly build the next generation of multi-billion-dollar cybersecurity companies.

4. AI as a Cybersecurity Silver Bullet: Fact or Fiction?

Our take: Mixed. It’s no surprise that AI has become one of the most talked-about technologies in cybersecurity, often described as a game-changer or even a silver bullet. Morgan Stanley’s Q2 2024 CIO Survey reported an 8% year-over-year increase in net prioritization for AI projects, solidifying its position as a top priority for CIOs. Similarly, our internal survey revealed unanimous agreement among cybersecurity vendors and founders: 100% of respondents said AI is a key part of their near- to mid-term product roadmap.

This enthusiasm reflects AI’s potential to “self-react to threats,” “streamline risk evaluation,” and “free up teams for higher-order tasks,” as cited in Scale’s Cybersecurity Perspectives 2024 report, where 89% of respondents affirmed AI and machine learning’s critical role in improving security postures.

CIO priority and CISO priority tend to be fairly distinct though – Morgan Stanley’s Q3 2024 CIO Survey revealed that 46% of respondents cited security concerns as a primary reason for not launching AI or LLM projects. Proofpoint’s 2024 Voice of the CISO report further highlights these risks, with 54% of CISOs identifying generative AI as a potential security threat. Specific risks include:

  • 44%: ChatGPT and other generative AI tools
  • 39%: Collaboration platforms like Slack, Teams, and Zoom
  • 38%: Microsoft 365

Our internal survey revealed similar hesitation among security buyers. When asked if implementing AI in their security organization was a top-five priority, responses were evenly split—50% said yes, while 50% said no. This highlights a gap between vendors, who are heavily prioritizing AI, and buyers, who remain cautious about its integration into existing practices.

While AI holds immense promise for cybersecurity, its adoption is far from straightforward. CISOs are wary of the potential vulnerabilities AI can introduce, from data privacy risks to unintended consequences of automation. Since everyone is figuring out how to effectively build and utilize AI together, it can feel like you’re assembling the plane as you’re flying. Its integration into existing cybersecurity practices must therefore be managed carefully, balancing potential benefits with emerging risks.

The reality is that while AI may sometimes feel like a magic solution, its effectiveness, like all magic tricks, depends upon the execution. It should not be taken for granted how important the implementation, oversight, and complementary human expertise will be as these systems are embedded deeper within enterprises and within critical functions. It’ll be essential to mitigate risks and ensure that AI-driven systems enhance, rather than compromise, organizational security.

Conclusion

Prevailing narratives rarely square with the complexity of CISO realities. Cybersecurity, and the narratives within it, tend to evolve very quickly because their evolution is tied to multiple factors: market dynamics (tool fatigue, CISO budgets), tech innovation (data security, AI), and threat actor activity. It’s more important than ever to have open, consistent, and productive conversations so CISOs and founders alike can be aware of how quickly their environment is changing and what conditions they’ll find themselves operating within.

Authors

Written by

Associate

Michael Parker

Partner

John Cowgill