Why are cybersecurity asset management startups so hot right now?

In the world of cybersecurity, you can’t secure something if you don’t know it’s there.

Enter cybersecurity asset management, an admittedly unsexy fragment of the booming industry that investors have shown an ever-increasing appetite for over the past 18 months.

The cybersecurity industry experienced what is being hailed by some as a “golden year” — funding for cyber startups climbed by 138% to $29.5 billion in 2021 and M&A activity skyrocketed by more than 294% to $77.5 billion. And those focused on securing an organization’s internet-facing assets have received more attention than most.

Over the past 12 months alone, Sternum, a Tel Aviv-based startup that provides real-time asset management for internet-connected devices, raised $27 million; Censys, a search engine for networked devices, secured $35 million; JupiterOne, a platform that helps companies see all of their digital and cloud assets, raised $19 million; and Axonius, which lets organizations manage and track computing-based assets, bagged $100 million.

Big-name tech giants clearly see the value in this often-overlooked area of the industry, too. Microsoft spent $500 million in July to acquire RiskIQ, a company that provides visibility into what assets, devices and services can be accessed outside of a company’s firewall, describing the takeover as a “powerful” addition to its portfolio.

Assets, assets everywhere

While asset management was once the concern of in-house IT teams managing on-premise hardware, it has evolved to warrant the purview of the chief information security officer and is the backbone of any effective cybersecurity strategy.

That’s because, in order to effectively address security issues, enterprises need a comprehensive and reliable inventory of their internet-facing assets. Once comprised of PCs and servers, the pandemic-induced digital shift means that organizations have increasingly diverse assets and more platforms in place than ever before — from operational technology systems and Internet of Things (IoT) devices to company-owned and cloud-based services.

The proliferation of new asset types, along with the widespread shift to remote work, has resulted in assets becoming more highly distributed, making them even more difficult to manage and inventory.

“Asset inventory has historically been a challenge when workforces were physically sitting in company offices and on company networks,” Paul Baird, chief technical security officer at security and compliance giant Qualys, told TechCrunch. “With the pandemic solidifying a new normal of either fully remote or hybrid working approaches, the complexities surrounding asset inventory have only increased in difficulty.”

Jeb Buckler, who founded and runs Startup Giants, a pre-seed tech investment company, said that not only has this shift to the cloud made asset management more difficult for in-house teams, but this, in turn, also makes it easier for hackers to infiltrate an organization.

“There’s more opportunity now for a hacker to get information about an organization by hacking into their blended cloud-based environment. It’s harder for organizations to control the entry and exit points with blended software-as-a-service approaches; the whole architecture of a firm’s data has changed and the old-school security firms that used to do all in-house hosting for organizations are struggling to catch or even keep up.”

Naturally, as a result, market opportunities for cybersecurity startups that have created innovative solutions to address this new paradigm have grown.

Noetic Cyber, a startup that built a cloud-based continuous cyber asset management and controls platform, credited its recent $15 million Series A raise led by Energy Insight Partners to the accelerated adoption of cloud-based services and the explosion in the number of unmanaged devices by remote workers.

“Asset management is a foundational challenge for security leaders, and the transformation we’ve seen with modern digital infrastructure has created a renewed impetus to fix it,” Shawn Cherian, a partner at Energy Insight Partners who joined Noetic’s board after its Series A investment, told TechCrunch. “Every mid-sized or larger organization, across every industry sector, will have gaps in their asset visibility they need to close to have an effective cybersecurity program. This market is a huge opportunity for startups with a differentiated approach.”

Bain partner Enrique Salem, who recently joined JupiterOne’s board, told TechCrunch that he also sees a huge market in the asset management space, slated to be worth $8.5 billion by 2024.

“We see a large multibillion-dollar market opportunity for this technology across mid-market and enterprise customers,” said Salem.

Cyber landscape

Organizations have been forced to contend with digital transformation at an unprecedented pace as a result of the pandemic and faced a cyber threat landscape like never before. Not only will 2021 be remembered as the year that hackers turned their attention to critical infrastructure as if to demonstrate the immense damage they’re capable of creating, but it also brought supply-chain weaknesses to the forefront, be it in the form of the wide-reaching Kaseya ransomware attack or the more recently discovered ‘Log4Shell’ vulnerability in the open-source Java-based logging utility.

“Log4Shell was a prime example of a vulnerability within the software supply chain causing havoc — it’s a popular component — so when it came to addressing the risk, the first step for most businesses was trying to find out whether it was used and where it was used,” Gemma Moore, co-founder and director of cyber security consultancy Cyberis, told TechCrunch. “For many, this involved asking questions of suppliers and software maintainers, but this was time that would have been better spent applying the patch.

“Businesses with a comprehensive list of components and libraries in use cut out that time in their response and were able to move straight into mitigation,” Moore said. “Comprehensive asset management, done well, cuts down on time to mitigation significantly — meaning your window of exposure is reduced.”

If an organization doesn’t have real-time visibility over their IT assets — a task that has increased in complexity as a result of often-confusing cloud-based environments and, in some organizations, a lack of security know-how — it puts the company and its data in a vulnerable position and poses a huge risk to the business and its key stakeholders.

If an organization’s essential data or systems are brought offline because of a breach, that business may not be able to operate. That means their reputation takes a hit, but there are also serious financial consequences: IT downtime costs businesses $5,600 per minute on average, and in the case of a ransomware attack, large U.S companies lose an average of $5.66 million each year.

Vicarius, a New York-based startup that secured $24 million Series A for its fully autonomous vulnerability remediation platform, is perhaps a prime example of why asset management has become such an attractive investment opportunity in the wake of mounting cyber threat incidents, like supply-chain attacks.

Michael Feiertag, a partner at AllegisCyber Capital, which was one of the lead investors in Vicarius’ Series A round, said that the asset management market has long been ripe for innovation.

“As an industry, we’ve taken a cookie-cutter approach to these core components of an infosec program for a decade-plus,” he said. “At the same time, the systems that we’re protecting have exploded in diversity and complexity. Vicarius is the first company that I have encountered that has taken a ‘clean sheet of paper’ approach to this bedrock component of enterprise infosec. Their key innovation is to focus on actually eliminating risk rather than just measuring it.”

Futureproofing

This appetite for asset management startups is likely to gain momentum. Not only are some organizations planning to invest more heavily in the cloud and further diversify their assets by shifting to hybrid work, but the cyber landscape will also continue to evolve and organizations will need to keep a comprehensive inventory of their IT estate.

Ransomware attacks, for example, will become more relentless throughout 2022, according to recent IBM research, and we’ll see blockchain become a more common tool used by cybercriminals, making it easier for them to obfuscate their malicious traffic and avoid detection through the use of traditional cybersecurity tools. Supply-chain attacks are likely to ramp up over the next 12 months, too, making them a top concern in the boardroom.

What’s more, according to Cherian, many CISOs are only just starting to look at making investments in this technology, so there remains plenty of room for the industry to grow, he said.

Of course, the scalable nature of this new era of asset management, which now takes the form of subscription-based software-as-a-service products, means these emerging asset management and inventory startups can, and will likely continue to, grow at pace.

“You write a little bit of software, and you can get 100,000 customers paying you $9.99 or $1,000 a month and away you go,” Buckler said. “In terms of investment, these companies can grow incredibly quickly, and investors can see a high return.”