Cybersecurity investing surges (again)

When Palo Alto Networks, Proofpoint and Splunk launched what became crackerjack IPOs in 2012, they did more than funnel returns to investors, such as Benchmark, Sequoia Capital, Ignition Partners and August Capital. They signaled the start of a wave of cybersecurity investing that in the next five years channeled $13 billion to young companies in the United States.

History may be repeating itself.

This year has seen its own triumvirate of top-performing security offerings, from Tenable, Zscaler and Carbon Black. Investments again may be starting to take off. This year’s second quarter was the largest in history for cybersecurity funding, with big rounds lifting capital deployed to $1.3 billion.

More money could be on the way, as the two-decade-long security arms race shows no signs of slowing.

But something is different this time: overfunding. Risks due to excess capital appear higher, and emerging opportunities that don’t immediately attract a swarm of competitors are more difficult to find.

After years of relatively little interest in security, “the venture herd is jumping in,” said Robert Ackerman, a managing director at AllegisCyber. “No great opportunity will go under capitalized” in venture capital.

There are, of course, good reasons for the enthusiasm. Security is no longer a niche or IT afterthought, but a broad horizontal market running across the entire technology industry. Online attacks have scared up corporate alarm and turned more nefarious, with financially motivated assaults on banks and individual institutions on the rise, and nation-state subterfuge, including the attack on the Democrats during the 2016 elections.

With security a more necessary piece of the digital economy, venture investors can no longer ignore the strategic necessity of being involved — or the possible reward. Nor can they dodge the difficulties.

There is “an arms race that is increasing at an increasing rate,” said Maria Cirino a managing partner at .406 Ventures. No other area of digital infrastructure sees product reinvention so regularly and rapidly.

Maria Cirino, managing partner, .406 Ventures.

From a startup’s perspective, and therefore an investor’s, this is good news. The game of cat and mouse has led corporations, governments and small businesses to become avid consumers in a global market Gartner estimates will expand to about $96 billion this year.

In such an environment, growth trends can be strong. Tenable’s revenue growth jumped last year to 51 percent even as sales topped $187 million and the company’s gross margin held at 86 percent.

LPs also have taken notice. Two years ago, when ForgePoint Capital sought capital from limited partners, some questioned the notion of a dedicated security fund, said Managing Director Alberto Yepez. Now as the firm looks to pre-market its next fund in the fourth quarter, the level of interest from LPs has spiked, with some challenging the firm to raise a larger fund, Yepez said.

“Cybersecurity is not a fad,” he added.

But the attention brings bad news, too. The security market has become fragmented, with long sales cycles as buyers conduct lengthy product bake-offs to test capabilities. Products are more expensive to develop. Overfunding, too, has crowded the landscape with scores of companies and hyper competition.

Consolidation is necessary, and blood could be drawn as some companies lose out to others, Ackerman said.

“My concern is we get too many undifferentiated, me-too companies,” he said.

Despite the crosswinds, investing surged to a record $1.3 billion in the second quarter, 12 percent above the previous record of $1.16 billion from first quarter of 2014, according to data from Thomson Reuters.

Sixty companies in the United States received backing, a number that also climbed close to a quarterly record.

A spike in mega rounds helped lift the total, with CrowdStrike raising more than $200 million from Accel Partners, CapitalG, IVP and others; Tanium collecting $175 million from TPG Growth; Cylance attracting $120 million from Blackstone Group and others; and Signifyd reeling in $100 million from Bain Capital Ventures, Menlo Ventures, AllegisCyber and others.

IronNet Cybersecurity also raised $78 million with backers including ForgePoint and Kleiner Perkins Caufield & Byers.

The quarter also experienced a rise in early-stage funding, suggesting money is not hard to find for emerging companies as well. One example of the trend is HYAS, which closed an oversubscribed $6.2 million Series A in early August just after the quarter closed.

“I thought it would be a bit more of a struggle than what it was,” said CEO Chris Davis.

The investment surge is expected to continue. One reason is the interest from funding sources beyond venture capital, including corporate venture, sovereign wealth funds and private equity.

“Investors are being increasingly excited by the potential opportunity,” Yepez said. “Companies with more promise are getting a lot more funding.”

Yet investment challenges exist, in particular, finding areas that aren’t drenched in capital, the way threat intelligence and endpoint protection have become. One promising area is attribution, where HYAS plays and where technology seeks to ID cyber hackers and quickly respond.

Other companies attracting attention include JASK, which is bringing machine learning and automation to security centers; Seclytics, with its predictive threat intelligence; and Cymmetria, developing cyber-deception technology.

Cirino said she is paying close attention to how machine learning can increase the efficacy of security solutions and to internet-of-things security.

VC People
Aaron Jacobson, partner, New Enterprise Associates. Photo courtesy of NEA.

New Enterprise Associates Partner Aaron Jacobson said new opportunities might be found in protecting microservices.

At least until the copycats arrive.

To access additional data, click on the links below:

Cybersecurity deal volume remains strong

Cybersecurity funding heads toward record

Israeli cybersecurity investments rise

M&A deals acccount for most cybersecurity exits