In a previous article, we talked about how AI-native enterprise apps and service-as-software (one-to-many) AI applications are the future of enterprise SaaS.
But there are many more dimensions to the future of software, even in Southeast Asia, where existing SaaS companies face competition from global brands to legacy / in-house solutions, long sales cycles, and customer cost crunches in today’s market.
One dimension of interest is cybersecurity. Cybersecurity is a layer in the software solution stack that is often not in the spotlight (usually only when it fails), but continues to be an indelible part of driving greater trust in enterprise software adoption, especially for enterprises undergoing digital transformation.
With increasing data leaks and evolving security threats in recent years, as well as the security threats posed by AI, this industry also presents opportunities ripe for disruption and more solution providers to emerge.
At Echelon X in May 2024, our Vice President of Investments and Indonesia Country Head Shefali Dodani illustrated these opportunities in the aptly titled panel on “The Evolving Role of Cybersecurity Startups in the Age of Escalating Digital Threats”, alongside Veronica Tan, Director of Safer Cyberspace, Cyber Security Agency of Singapore (CSA), and Paul Hadjy, CEO & Co-Founder of Horangi, moderated by Rahul Thayyalamkandy, Host of the Understanding VC podcast.
She and our in-house cybersecurity expert Ardian Danny share more insights below on the viability of venture-backable cybersecurity startups to emerge in Southeast Asia, amidst evolving cyberattacks due to the ongoing shifts towards cloud storage and AI-native tech stacks.
(1) Cloud security is ripe for disruption but solution providers need to evolve with new offerings to secure winning clients.
Cloud Security, a subset of Network Security, would be the most ripe for disruption. This is largely driven by an increase in the number of companies moving their infrastructure to the cloud (94% of companies globally using a cloud computing service in 2023, a 14-pt jump from 2020).
In Southeast Asia, global cloud providers are also undergoing data center colocations in the markets like Indonesia, with Jakarta’s colocation market alone expected to grow to US$938 million by 2027 (projected from 2023).
Global cloud computing alone is a US$680 billion market in 2024 and is growing rapidly at 16.4% year-on-year growth (projected to be US$1.44 trillion in 2029). Consider as well AWS, which on its own continues to see double-digit growth despite nearing US$100B in cloud computing revenue.
However, the more data that is made available online, the higher the risks of threats. While there are many companies emerging out of the US, the client-base in Asia is lacking.
A key learning from more developed markets is that companies should evolve with new products either through in-house development or acquisition, else they will fall short on winning clients if they don’t have a suite of products.
Related to security threats posed by increasingly internet-dependent infrastructure is Identity, Network and Endpoint security, which is another sector ripe for disruption. There are a multitude of internet-connected devices that present new threats and openings for hackers.
(2) Local advantage, account retention, and channel partnerships are key foundations for a venture-backable cybersecurity business in Southeast Asia.
The picture painted above has drawn investors to the space, but this doesn’t discount the fact that building a commercially competitive SaaS business out of Southeast Asia, in a space as globally competitive as cybersecurity is not without its high hurdles.
When it comes to what investors are looking for in a cybersecurity business, it then largely boils down to how the cybersecurity company is able to carve out a meaningful slice of the market with a playbook that retains customers.
Thus from a business due-diligence standpoint, other than the standard due-diligence we do, we focus on three key areas for the sector:
- Founder background and track record. We are seeing a number of global cybersecurity solutions expand to SEA, hence to invest in local founders we need to find comfort that the local founders have a clear advantage over them to win clients with their solutions.
- Net dollar retention of each account y-o-y. We found that a lot of cybersecurity companies apply the “land and expand” model, however it may take years before we see a 100% wallet-share.
- Track record of being able to (or potential ability to) secure large SI(s) or channel partners. We have seen this play out quite well for cloud security darlings in the US such as Wiz. In some cases, the cybersecurity sales cycle is long hence companies need to find the right channel partnerships to expedite client onboarding. With the gross margins of such companies, this does not harm the cybersecurity company’s books.
As for the product and technical due diligence, apart from customer reference checks, we would often liaise with our in-house security consultant and experts in the industry to carry out the technical due-diligence.
(3) Vulnerability assessment layer presents opportunity in Southeast Asia where there is low awareness of risks (and how these risks emerge) within organizations.
Cybersecurity can be likened in some ways to healthcare, where the companies building in the diagnostics layer can already scale on top of delivering assessment solutions that meet a wide range of potential risks.
As a result, in Southeast Asia alone, we have seen a lot of companies build in the vulnerability assessment space which entails security assessment through bounty programs, SaaS service or SaaS to ensure there are no blind spots in an organization’s system.
(4) The shift to cloud has seen higher and more sophisticated cloud and network environment attacks, creating greater pain points around network endpoint security and monitoring.
An evolution of cyberattacks that has come with the heavy shift to cloud infrastructure are the increments in cloud and network environment intrusions to obtain credentials, and withdraw data.
On a more technical level, some intrusions become more advanced, moving away from device level such as in managed laptops to network-level whereby these endpoints (e.g. router, VPN gateway) do not have endpoint detection and response sensors hence it is easier to bypass. This is because such networks do not allow for modern sensor deployment.
As a result, investing into an endpoint security solution won’t suffice anymore. Cybersecurity companies that offer both endpoint security solutions and monitoring platforms that can access activity in internet-exposed results have a greater advantage than those with a fragment product stack.
(5) When it comes to cybersecurity, AI can be your friend, or foe.
Another evolution of cyberattacks has been through AI. Artificial intelligence has benefited us in many ways however it has also made it very easy for people to create fake videos and photos. This is only one such example of an AI-based attack.
Because it is so easy to create deep fakes, individuals may be able to bypass Know-Your-Customer (KYC) for any target, and this has already happened in the past. Cybersecurity startups selling identity management solutions or KYC need to incorporate AI-based solutions such as one that can analyze videos and images to detect manipulation.
With the speed of development in new threats today, it is also becoming crucial for companies to leverage threat intelligence platforms to flag unusual activity ahead of time.
One such way is for cybersecurity companies that can leverage artificial intelligence to automatically identify unusual activity and attack patterns, data manipulations, leaked credentials and other threats in the dark web.
Startups can start with the basics
While the demands of today’s market in cybersecurity can become increasingly complex and important the larger an organization is, startups can already get a headstart in identifying risks and putting policies in place to de-risk these attacks, simply by running penetration testing.
Currently, we do offer penetration testing for our portfolio companies as part of our cybersecurity support capabilities in-house. This is particularly important because we realize newly established startups focus on the core business operational and product development and oftentimes forget the importance of fundamental security measures.
More on penetration testing here.