Building technology companies, Cybersecurity, Forum

Cyber Security – Why it’s Hot AND Why it’s Not ?

Anik Bose, BGV General Partner shares his perspective on the state of the cyber security sector.  “It was the best of times and it was the worst of times, it was the age of wisdom, it was the age of foolishness.” I believe that these lines from Charles Dickens Tale of Two Cities are an accurate description of the state of the cyber security sector today. Why it’s HOT ? Security budgets are increasing across the board. Gartner is predicting that enterprise security budgets are shifting towards an increased focus on detection and response, and 60% of security budgets will be allocated to these two areas by 2020. PWC Security Survey states that information security budgets increased by 24% in 2015 as a response to 38% YoY increase in security incidents. IDC predicts that Security Analytics, threat intelligence, Mobile Security and Cloud Security will be hot areas of growth. Additionally we believe that IoT security a relatively new market will be a significant growth area in the future. Consistent with the above we continue to see market pain points attracting innovation and VC funding in areas such as threat intelligence (e.g. Survela, http://www.survela.com), anti-fraud/identity management (e.g. Identity Mind Global, http://www.identitymind.com), encryption, next generation end point, network visibility and isolation (e.g. Spikes Security, http://www.spikes.com) and automated incidence response (e.g. Packet Sled, http://www.packetsled.com) This rate of innovation is fueling a leadership shift amongst the vendors in the cyber security industry. Old guard companies like Symantec, HP, Cisco, Dell/EMC, Trend Micro, Blue Coat and Intel/Mcafee are scrambling to stay relevant in the rapidly changing market. New guard larger companies like Palo Alto Networks, Cyber Ark, Palantir and FireEye are staking out a lead along. Finally startups like Cylance, Illumuo, SkyHigh Networks and Tanium are poised to transform sub segments of the industry. In summary strong sector growth and an industry structure ripe for change is attracting innovation and capital at unprecedented levels. Why it’s NOT ? The cyber security sector has attracted more than $3.3Bn in funding in 2015 across 130+ deals. The practical reality today is that CISOs cannot absorb and deploy anywhere close to the amount of new cyber technologies getting funded. In other words, there is a cyber tools saturation phenomenon which will force out all but the very best and most critical new cyber technologies — those most critical to their cyber security priorities and which can best be integrated in their existing environments. We believe that only very large enterprises will be able to invest in internal capabilities to vet and integrate a variety of best of breed startup technologies while other Enterprises will rely on their trusted security vendors and or MSSP’s to vet, source and integrate best of breed innovation. Valuations are at all time highs – early stage pre revenue series A companies are being valued at pre-money valuations of $20-30M. Late stage companies like Tanium, Illumio, Okta and Zscaler with revenues in the tens of millions are being valued in excess of $1bn, multiples that could be difficult to maintain in public markets. However recent public market volatility is leading investors to a “back to basics” mentality in venture and late stage funding – looking at growth coupled with profitability and cash flow generation. Companies like FireEye that were enjoying lofty valuations based on growth alone have seen their valuations come down reflecting the “back to basics” mentality. Companies like Palo Alto and Cyber Ark that are delivering growth and profitability are being valued at far higher multiples. CISO’s at enterprises are becoming more cautious when working with startup cyber vendors making ambitious claims or pricing assumptions that are inconsistent with the value they deliver – they are increasingly seeking a level of vetting that is creating extended POC’s and long sales cycles for these startups competing for mindshare. Furthermore many CISO’s are increasingly looking to their trusted vendors and MSSP partners to vet best of breed products and deliver integrated security solutions. Finally strategic acquirers are also becoming more cautious with respect to paying the frothy valuations seen in recent year – preferring instead to work with the startups over a period of time, either through an investment or through their accelerator programs. In summary the cyber security sector is overfunded with troubling signs of valuation froth with startups struggling to compete for mindshare with Enterprise CISO’s leading to extended POC’s, sales cycles and ultimately increased capital intensity. BGV Conclusion We believe that cyber threats are endemic and the demand for effective counter measures is strong. This combined with an industry leadership structure in flux and scarce cyber talent represents the best of times – opportunities to invest in and create young innovative companies. However capital being available at unprecedented levels coupled with frothy valuations and “noise levels” competing for enterprise CISO mindshare represent the worst of times. Investing to build strong companies in such an environment requires a thoughtful and disciplined approach to investing while seeking to create eco-system alignment with CISO “trusted” strategic security vendors and or MSSP’s. One that discerns between investing in technologies that will create successful companies valued on fundamental metrics (customer value, growth and profitability) versus “quick flip expensive” bets that will deliver good returns predicated only on frothy strategic M&A valuations. BGV remains disciplined on valuations (have walked away from several cyber deals when valuations approached unjustifiable levels). We also continue to invest time in validating customer value (ROI), the technology and technical teams (with the expertise to tackle complex cyber problems) by leveraging our privileged relationships with ex CTO’s of cyber portfolio companies, with trusted strategic security vendors (eg Palo Alto Networks) and trusted MSSP’s (eg Cap Gemini).