How Cybersecurity Influences Tech Investments

2025's Cybersecurity Budget Reality Check 💰 New data shows over 50% of companies are spending 11-30% of their IT budgets on cybersecurity tools. That's not just significant—it's transformative. 10 years ago, convincing enterprises to invest in cybersecurity was an uphill battle. Today, the conversation has completely flipped. The mindset shift is profound: - "We can't afford a breach" → "We can't afford to fall behind on security innovation" - Security budgets moved from defensive spending to competitive investment - Fear-based vendor pitches are getting rejected—buyers want business enablement stories What's really fascinating: Companies implementing zero trust aren't just getting better security. They're seeing 23% faster customer onboarding, reduced IT friction, and improved user experiences. For B2B SaaS founders, this budget shift creates unprecedented opportunity. Your prospects have allocated funds and executive urgency. But here's the key: Don't sell security as insurance—sell it as acceleration. The deals I'm seeing close fastest show how security investments: ✓ Reduce customer acquisition friction ✓ Enable faster product development cycles ✓ Create differentiated customer experiences ✓ Support compliance-driven market expansion Security isn't a cost center anymore—it's a growth multiplier. How are you positioning your cybersecurity investments: as protection or as competitive advantage? #Cybersecurity #B2BSaaS #ZeroTrust #ProductLedGrowth #Innovation

Boards Funnel Cash to AI, Starve Security, Invite Breach AI is now the top tech spending priority for 2025, with 45% of IT leaders ranking generative AI above cybersecurity (AWS Generative AI Adoption Index). Yet, boards continue to cut cyber budgets, overlooking unresolved risks like outdated firewall rules and unpatched vulnerabilities. Median breach costs were up 10% YoY per our favorite IBM Data Breach Report Investing in AI without matching security measures is an open invitation to attackers. We have yet to see what a true AI-related data breach will cost. Listen, AI spending will always outpace security, but we need to work with our C-Suites and boards to ensure that every AI investment is matched with security funding and oversight commensurate with risk. This is CISO'ing 101. "The CISO Evolution: Business Knowledge for Cybersecurity Executives" is a great resource to help. Matthew Sharp #AI #Cybersecurity #BoardGovernance #Leadership

#Cybersecurity as a #CompetitiveAdvantage - We typically think about Cybersecurity in the same category as dirty laundry and crazy uncles (i.e. stuff you don't want to talk about.) After reviewing Accenture's State of Cybersecurity, I'm impressed with how businesses that have leaned into developing a proper defense have achieved tangible business results by "reinventing the whole enterprise." (e.g. 18% more likely to achieve revenue targets, market share, improved customer satisfaction, and greater employee productivity, 6x more effective #DigitalTransformation) It makes sense. Effective organizational change occurs when there is a compelling, driving need for specific outcomes. The escalating threat of #ransomware provides an unrelenting flood of reminders of the need to take action. An effective cyber defense requires a comprehensive, holistic understanding of the org's business systems and processes across many dimensions (e.g. marketing, sales, operations, customer service, finance, legal, etc.) A proper defense requires a competent, essential understanding of what to defend and tighter operational controls over the business to maintain the integrity of the defense. Cyber investments are most effective and least expensive when planned rather than when added on as an afterthought. A robust cyber defense justifies proactive investments in elevating an organization's operational processes. It is refreshing to realize that cybersecurity is not merely a necessary chore to be completed; when done correctly, cybersecurity can return highly favorable business outcomes. #TimTang Hughes #NRFBigShow #NRF2024

The next $1 trillion company won't be AI — it'll be cybersecurity. Rubrik founder Bipul Sinha predicts that this will happen by 2029, and the data supports his claim. Here's why elite operators in cybersecurity are positioned to win big: Cybercrime costs are projected to hit $10.5 trillion annually by 2026 — up from $3 trillion in 2015. Each attack costs companies an average of $4.35 million in damages. The cybersecurity market is growing at a rate of 14.3% annually, three times faster than the overall software industry. But here's the fundamental flaw in today's approach. Most solutions focus on prevention while overlooking what happens after a breach, which is inevitable. Sinha's insight is dead-on: Security isn't about perfect defense — it's about surviving when your walls fail. His execution-focused approach at Rubrik prioritizes resilience and recovery: • Cloud-native architecture that scales without friction • Immutable backups attackers can't touch • Near-zero recovery time post-attack Microsoft validated this vision with a $100M investment at a $4B valuation. Three market forces are making the trillion-dollar prediction real: 1. The talent crisis creates a massive opportunity With 3.4M unfilled cybersecurity positions globally, companies that automate security will dominate their markets. 2. Security has shifted from a cost center to a business enabler 73% of boards now run dedicated cybersecurity committees. Critical infrastructure protection alone has scaled to a $153B market. 3. Industry consolidation is accelerating Current leaders: • Palo Alto Networks: ~$113B valuation • CrowdStrike: ~$87B • Fortinet: ~$74B The winner will be a platform that delivers end-to-end security without compromise. Is $1T realistic? When digital defense becomes as essential as electricity, this prediction will look conservative. It's not a question of if, but when. Follow me for more software, cybersecurity insights, and execution strategies that work.

Turning Cyber Risk Into Boardroom Metrics That Matter - Forbes Cybersecurity has always come with a translation problem. Technical teams speak in terms of vulnerabilities and threats, while boards want to understand risk in dollars and business impact. As attacks become more costly and regulatory scrutiny grows, however, the gap between technical risk and business accountability is shrinking fast. The Boardroom Is Asking New Questions Boards and executives increasingly want to know: How much risk are we taking on, in real financial terms? Are cybersecurity investments justified? Are we actually reducing exposure—or just reacting to the latest crisis? All fair and valid questions. The pressure to answer these questions isn’t just external. Internally, organizations are moving away from blank-check security budgets. Leaders expect to see risk—and progress—quantified in business language: dollars, business impact, and return on investment. From Jargon to Dollars It is an eternal struggle. For most companies cybersecurity is a cost center, not a revenue-generating function. The better cybersecurity is at achieving its stated objectives, the less necessary it seems—if there are no successful attacks, why spend so much money on defending against them? Cyber risk quantification is quickly gaining ground as a bridge between IT and the C-suite that addresses this challenge. The promise is simple: turn technical scenarios into dollar-based outcomes so everyone is on the same page. CRQ platforms don’t just talk about possible vulnerabilities—they show what a breach could really cost, how an investment reduces exposure, and where risk is shifting across the organization. This approach is becoming the new standard as boards and regulators demand clear evidence of measurable progress. A New Player in the US Market The changing landscape is driving international players to expand their presence. Squalify, a Munich-based cyber risk quantification provider, just announced its U.S. entry, launching with a Bay Area healthcare customer. The company’s platform, backed by Munich Re’s cyber loss data, aims to help organizations move from reactive, compliance-based security toward proactive, ROI-driven strategies. #cybersecurity #CyberRiskQuantification #CRQ #boardofdirectors #riskmanagement #ROI

Cybersecurity is changing how financial markets work but not in the way people think: 1. Private equity companies have learned that cyber incidents can derail even the best-laid investment theses, and few cases illustrate it as well as the story of SolarWinds. That is why we are seeing more and more PE firms invest in captive MSSPs - having a single service provider (usually owned by the same PE) offer security and compliance to all the companies in their portfolio. The struggles of SolarWinds and the fact that the company has become known worldwide because of the breach highlighted that, while over the long term, the impact of cyber incidents tends to be negligible, given the PE playbook and timelines, it can be pretty disruptive. 2. During M&A, security is starting to play a more and more important role. One of the earliest wake-up calls came in 2017 when PayPal acquired TIO Networks. Some weeks after the acquisition closed, PayPal discovered that 1.6 million customers’ data had been compromised in a breach that predated the deal. The fallout was really bad: TIO was forced to suspend operations, PayPal got stuck in many lawsuits, and the company took a reputational hit even though it wasn’t responsible for the original breach. The story of TIO Networks became a textbook example of a cyber issue derailing an otherwise promising acquisition, sending over $200M down the drain. There have been plenty of other cases like Verizon’s acquisition of Yahoo and Marriott's acquisition of Starwood Hotels that made this an issue acquirers are paying attention to today. 3. VCs don't evaluate the security of their investments because there has not been a correlation between the security posture of a company and their success. Most startups fail due to well-known and well-documented reasons: lack of product-market fit, running out of money, poor execution, etc. A breach or cyber incident is not on the list of top 20-50 reasons. Let me be clear: I am not saying that VCs ignore cyber risk. It’s really the opposite - venture is fundamentally about managing risk and reward, but not all risks are treated equally. Legal and regulatory risks, for example, are taken seriously because there’s a well-established history of them tanking deals and killing companies. Legal due diligence is a standardized, critical part of the investment process, not because it’s exciting, but because stuff like intellectual property issues have burned investors before. The moment cybersecurity creates similar pain, like when a breach derails a billion-dollar IPO or acquisition, cyber due diligence will quickly become a part of the process, likely starting with later rounds.