The upcoming earnings season could be a bit noisy for the cybersecurity players, as the escalation of violence in the Middle East is likely to have hampered project timelines and delayed product innovation in Israel, where many cybersecurity firms are located and/or have large R&D teams. It’s probably no coincidence that Q3 VC funding in cybersecurity startups slid 51% from the previous quarter to $2.1 billion according to Crunchbase, with some investments probably delayed by the tense situation in the region.
But, if history is any guide, the impact on cybersecurity firms’ earnings and guidance should be manageable, provided the situation does not deteriorate further.
Looking beyond the very short term, research firms are starting to deliver their 2025 predictions as we get close to the end of the year. For cybersecurity software, Gartner projects spending to reach $100 billion next year, a robust 15% year-over-year growth, showing a slight acceleration compared to the 14% expected this year.
Overall, this continued strength of cybersecurity spending should not come as a surprise in light of the proliferation of cyberthreats. As an illustration, Cloudflare blocked an average of 209 billion cyber threats each day (+87% year-on-year) in Q1.
This Gartner forecast is consistent with Morgan Stanley’s latest CIO survey, which also points to global IT budget growth accelerating to 3.6% in 2025 from 3.4% and again highlights cybersecurity as a top priority for corporates, just behind AI.
Although the acceleration expected in 2025 is modest for both Gartner and Morgan Stanley, we believe that the risk is skewed to the upside, as easing interest rates could unlock some corporate spending and as AI initiatives and efforts gradually spread from hyperscalers to businesses (AI applications), sparking increased need for data infrastructure protection.
M&A could represent another driver for the industry. While 2024 has so far seen very few large cybersecurity deals (Darktrace acquired by private equity Thoma Bravo for $5 billion, Venafi acquired by CyberArk for $1.5 billion…), the lower rate environment combined with the “platformization” strategy of cybersecurity leaders (i.e. offering all security products in a single platform to reduce complexity) should fuel a pick-up in M&A activity from both private equity and strategic buyers. Notably, cybersecurity firms that still have a niche positioning (e.g. Okta or CyberArk in identity & access management, Varonis in data governance…) could end up as natural takeover targets for the leading players seeking to increase the attractiveness of their platform.
In conclusion, even if the earnings season could be tricky due to the situation in the Middle East, we stick to our view that the outlook is becoming clearer for the cybersecurity industry after an agitated year (Palo Alto’s platformization and aggressive commercial policy, CrowdStrike’s massive IT outage) and would expect most companies to set a positive tone for 2025. This, combined with a likely pick-up in M&A activity, should support valuations going forward.