Security defies gravity (for now)

Cyber security has all the intrigue of a Frederick Forsyth novel.

Organized crime rings and bad state actors hack websites, steal identities and compromise corporate secrets. Stealthy coders work out of the same cloud data centers as their victims, and worms penetrate network defenses as if they were soft dirt.

No wonder security provokes such fear in corporate boardrooms and such an endless supply of venture dollars.

Commercial demand is high, entrepreneurs are motivated and opportunity runs deep. So deep that the race for innovation has sparked a wave of over investing that may finally be approaching a day of reckoning.

“Security is certainly a space that has gotten disproportionate attention from investors,” said Joe Horowitz, managing general partner at Icon Ventures. “I think at this point it is fair to say that the category is over invested, but that’s not to say there aren’t some extraordinary new companies that will emerge as true game changers.”

Joe Horowitz, managing general partner, Icon Ventures
Joe Horowitz, managing general partner, Icon Ventures

Ahead is likely a period of down rounds, company consolidation and greater investment selectivity in a market that has been one of venture’s most exciting and resilient. Last year, VCs placed $3.1 billion with U.S.-based startups, a jump of 50 percent from an already active 2014 and an all-time record. For the first time, the total eclipsed that of the peak dot-com year of 2000.

It is possible investing will rise again this year. But the majority of VCs and entrepreneurs interviewed for this article say more challenging conditions likely lie ahead with difficult follow-on financings and M&A accelerating over the next several quarters as small companies find their alternatives limited. Already, valuations have begun to plateau and the emphasis has shifted from growth at all costs to more profit-minded business plans.

“Now is going to be a one-two punch for startups raising money,” said David Cowan, partner at Bessemer Venture Partners. “They are all going to have to raise money this year. When they do, it will be difficult. There will be a lot of down rounds, shutdowns and acqui-hires.”

By all measures, the retrenchment runs counter to end demand in a market eager for more potent cyber defenses. Corporate security execs and vendors say security budgets are healthy and will likely grow in raw numbers and as a percentage of this year’s IT spending. That should push the security market to more than $75 billion, as estimated last year by market research firm Gartner.

The pinch comes from the number of security companies now seeking that spending. Corporate buyers complain of being overwhelmed by choice and daunted by the number of trials they must run to test all the promising products.

For every security company to make its numbers, the security market will have to grow much faster than it is, argues Cowan.

This gap could have a broad impact on investing and entrepreneurship. Some companies will accelerate their move to profitability, or toward a path to profitability, as FireEye has done recently.

Others will find raising money increasingly difficult and face recaps with lower valuations. Some could go out of business or be forced to sell, accelerating a wave of M&A already begun with high-profile acquisitions by the likes of Palo Alto Networks and FireEye just the tip of the iceberg.

“The ones with strong fundamentals will survive and the others will be sold as assets,” said Alberto Yépez, managing director at Trident Capital Cybersecurity. “The biggest opportunity in cyber right now is investing at the early stage,” where the rounds haven’t changed as much.

Already a change of direction is seeping into the startup funding. When iboss Cybersecurity started to raise money last June, investors asked why the company wasn’t spending more to spark growth, said co-founder Paul Martini. Profits didn’t mean that much to them.

The same investors posed different questions toward the end of the fundraising period in October and November, Martini said. By the time iboss announced a $35 million Series A in November, profitability and sustainability were more important, as was EBITDA, he said.

The pain will likely be worse for existing companies with narrow, niche-focused products. But hurdles could pop up for emerging companies, too.

“I think we’ll get funded,” said James Hamilton, CEO of the Calgary-based cloud security company Wedge Networks, which is planning a Series A round of about $5 million in the next three to four months. But because of the changing market, “we probably won’t get the same valuation today compared with a year or two ago.”

Yet venture investors remain upbeat. “Absolutely we’re going to continue making investments in this space” and focus on things “that are novel and unique,” said Pravin Vazirani, managing director at Menlo Ventures. “In aggregate there are more companies than will survive long term, but that doesn’t mean there won’t be some very high-quality and sustainable companies coming from the security space.”

Pravin Vazirani, managing director, Menlo Ventures
Pravin Vazirani, managing director, Menlo Ventures

In the short term, valuations may rise and fall, but over time they will rise, added Mark Fernandes, managing director at Sierra Ventures.

“I think the volume and interest in security is only going to continue,” he said. “What might change is where valuations end up.”

Feature illustration: Design by Janet Yuen. Image courtesy of ©

416-Cover chart A416-cover chart B416-Cover chart C

Downloadable Data: Venture-backed security IPOs (since 2011)

Downloadable Data: Select international targets in cyber security space, funded in 2016