Security Investments Decline as Cyber Attacks Surge

Every month, it seems, there is at least one security incident that leads people to wonder whether cybersecurity has finally gotten out of control.

In May, the Treasury Department shut down several websites after discovering they’d been hacked and were serving malware to visitors. In April, the Storm Worm defeated (temporarily, at least) Microsoft’s attempts to wipe it out and was back to pumping spam. In March, Adobe announced yet another security problem with Adobe Flash, which Apple CEO Steve Jobs subsequently banned from the iPad and iPhone, partly for security concerns. That same month, Apple plugged at least 16 security holes in its Safari browser.

Despite all the problems, venture capitalists aren’t rushing to pour more money into security startups. From 2002 to 2007, U.S.-based investors pumped a total of $6 billion into 870 companies developing computer security services, security software (such as firewalls and encryption), and Internet security and transaction services, according to Thomson Reuters (publisher of VCJ). With the IPO and M&A markets hitting a rough patch in 2008 and 2009, most VCs appeared to be satisfied to manage their existing security bets rather than add new ones. For the first time in nine years, annual investment in security-related companies fell below $900 million in 2008. American VCs invested $827 million in 134 security companies that year, and they put just $658 million to work in 89 security companies in 2009. This year is looking particularly peaked, with fewer than 30 security startups raising a combined $119 million from U.S. investors as of mid-May.

A Pivotal Day

As investment in new crime-fighting technology has waned, cybercriminals have built international businesses. One security researcher, Mary Landesman, who now works at Cisco’s ScanSafe, traces the change back to New Year’s Day in 2001. A female virus writer Landesman was following—a teenager who called herself Gigabyte—lamented on her blog that the other virus writers who used to hang out on the Internet Relay Chat channels and bulletin boards had disappeared.

“It just clicked with me, right then, that the virus writers of that day were turning pro,” Landesman says. “They weren’t on the old channels because they weren’t writing prank-driven ‘look at me’ malware anymore. They were moving into commercial work.”

Landesman turned out to be right. Cybercrime has mushroomed in the last decade into a multibillion-dollar international business, in which professional, technically adept thieves in places like China and Russia can remotely infect and wield armies of PCs—known as botnets—and order them to attack websites, steal banking credentials and credit card numbers, lift medical records and business plans and engage in other mischief. New malware is being created so fast that the antivirus vendors can barely keep up.

U.S. computer systems “are probed thousands of times a day and scanned millions of times a day,” James Miller, principal deputy under secretary of defense for policy, said in a speech on May 12. Miller went on to say: “The scale of compromise, including the loss of sensitive and unclassified data, is staggering. We’re talking about terabytes of data, equivalent to multiple libraries of Congress.”

One prominent security VC—Gilman Louie, who co-founded In-Q-tel, the venture arm of the Central Intelligence Agency, before co-founding Alsop Louie—says good, innovative security startups are out there, but the venture industry’s general lack of financial health is making it tough for them to get funded.

Upside to Less Investment

Not everyone thinks the funding decline is a problem. VCs “invested in dozens of competing companies thinking the enterprise security market was much bigger than it was,” says Alan Paller, director of research at the SANS Institute, a non-profit security training and research organization in Bethesda, Md. “Less money that is targeted better will make a lot more money than the mindless investment of the last decade.”

In any case, there are signs that security investments and security problems are becoming better aligned, and that security is once again a place where VCs could look for good returns. Exits for security companies are more than twice as high as they are for other information technology companies—about 4 times revenue vs. 1.8 times revenue, according to Randy Hawks, a managing director of Claremont Creek Ventures.

ScanSafe, for instance, whose service blocks malware encountered on the Web, was acquired by Cisco in October for $183 million in cash and retention incentives. It had previously raised $32 million from Balderton Capital, Benchmark Capital, Montagu Newhall Associates, Scale Venture Partners and others.

The IPO market for security companies looks promising, too. Last year’s IPO of the year, according to Renaissance Capital, was a venture-backed Silicon Valley security company, Fortinet (Nasdaq: FTNT). Its shares priced at $12.50 on Nov. 17 and closed at $16.90 on May 10, up over 35%. Fortinet, which makes a network appliance that protects against online threats, had raised about $84 million from Acorn Campus Ventures, DCM, Defta Partners, Meritech Capital, Redpoint Ventures, WI Harper and others, according to Thomson Reuters.

And while VCs have pulled back, the federal government is putting more money into security. The Obama administration has allocated billions for hiring security specialists, replacing outdated technology and funding research.

Hodgepodge

This year’s security investments appear to be a mix of new companies with cutting edge technologies and older companies that have been given a shot of new money. For example, 3-year-old Altor Networks has raised $16 million over two rounds from Accel Partners, DAG Ventures, Foundation Capital, G&H Partners and Juniper Networks to provide security for the burgeoning market of virtualized data centers.

On the other end of the spectrum, 19-year-old antivirus vendor AVG Technologies of Czechoslovakia sold a 25% stake last July to buyout firm TA Associates for $200 million. It had previously raised about $32 million from Poland’s Enterprise Investors, Intel Capital and Springboard Technology Ventures.

Previously known as Grisoft, AVG claims to be the world’s fourth largest antivirus vendor, with over 110 million users. The company’s revenue has been growing by over 70% per year, according to CEO J.R. Smith, who says he was brought in three years ago by Intel Capital with the idea of taking AVG public one day. Not only has AVG acquired and added several products over the years—including Web browsing protection, rootkit detection for botnets and so on—but it has also started selling the security-related data it collects from its end users to big vendors like Microsoft and Cisco to help those companies improve their products.

“We need to figure out how to better protect people because they’re online all the time,” Smith says. “We’re putting in a lot of investment to make sure people are protected at that layer.”

Cloud computing—the idea that most of what people do with computers and mobile phones is going online—is driving a lot of new investment in security, according to data from Thomson Reuters. Security for the cloud touches on myriad areas, including social networks, online gaming, e-commerce, the smart grid and the need for protecting all that data going into Google Docs and now Microsoft Office 2010, to name a few.

Growing Concern

Cloud computing will also require security to be radically restructured over the next few years to accommodate this massive shift online. “I think what we’re seeing is exploitations across very complex systems,” says Louie. “Whether it is insider attacks, [protecting] data at rest or data in transit, the software models have not caught up. Even the hardware has not caught up with the sophistication of the attacks.”

Louie goes on to say: “Network design is shifting from a protected, physically-based facility with servers and trusted partners to something that’s riding on the backbone of the ‘net, with data floating everywhere.”

With that in mind, Louie has invested in online forensics company NetWitness, whose technology was developed by the intelligence community to detect thieves, terrorists and other online intruders. NetWitness helps businesses protect against the kinds of targeted threats that Google faced in January, when cyber-thieves based in China allegedly attacked its network and stole intellectual property.

NetWitness can capture data packets on the network and use them to recreate network sessions, such as email trails, documents and blog posts “as they look when they’re posted, as if you’re standing over the shoulder of the bad guy,” says company president Nicholas Lantuh.

An even bigger market, says Paller of the SANS Institute, is the one addressed by RedSeal Systems, which has raised about $43 million since 2004, including $12 million last September, from Jafco Ventures, Leapfrog Ventures, OVP Venture Partners, Sutter Hill Ventures and Venrock Associates. RedSeal develops security risk management (SRM) software, which on a daily basis gives corporations actionable information about their overall security and business risks and specific information about threats and exposures to their networks.

Not-So-Smart Grid

Another emerging market VCs may consider targeting: security around the smart grid. In March of 2009, in presentations before the House Committee on Homeland Security and the Department of Homeland Security, researchers from security company IOActive showed that the grid had several common security vulnerabilities that could expose utilities to fraud, extortion and loss of control over the power supply, leading to widespread power outages.

Since then, a national smart grid cybersecurity task force, chaired by the Commerce Department’s National Institute of Standards and Technology, has been working to set standards for the grid and develop a response and recovery strategy in case the grid is attacked.

The smart grid creates new opportunities for VCs, says Hawks of Claremont Creek Ventures. One of Claremont’s portfolio companies, Adura Technologies, makes lighting management systems for commercial buildings. “Every bulb is IP addressable, so you have software algorithms to save energy, but now you also have a security issue,” Hawks says. “Now that you’ve enabled very powerful algorithm control, you don’t want people hacking your lighting.”

Hawks is also looking at a company that he won’t name that has a new way to identify fraudulent online transactions. “The challenge when retailers like Amazon or Zappos ask you extra security questions is when you’re not on your normal PC—you’re sitting at your mother-in-law’s house, and something about the secure cookie doesn’t work,” he says.

The biggest market of all, according to Paller, will go to the service providers—federal integrators like Booz Allen and CSC—whose consultants are skilled enough to combine venture-backed technologies in a toolbox for both businesses and government.

Venture capitalists cite plenty of obstacles to investing in security. Those who hope their portfolio companies can sell technology to the government still find the government’s procurement processes slow and complex. And Pascal Levensohn of Levensohn Venture Partners cites a lack of standards for new products.

Consolidation among security companies has tended to depress corporate spending on security, Hawks says, and investing in security companies requires expertise that many venture capitalists don’t have.

“It’s analogous to the banking debacle over the past year: It’s too complex for any one person to claim to know it all,” Hawks says. “There are probably 10 people in the world who are capable of understanding what’s going on, yet we have over 400 house members and 100 senators weighing in.”

But business expertise counts for a lot. Smith, of antivirus maker AVG Technologies, had no background in security when he joined the company three years ago, but he says he was able to double growth in his first year simply by cleaning up basic business problems like conflict among the company’s resellers.

Eldar Tuvey, co-founder and CEO of ScanSafe, says Rory O’Driscoll of Scale Venture Partners helped the company by applying his business knowledge of software as a service. “They have at Scale what they call the magic number,” Tuvey says. “They ask questions about productivity-per-head, your retention rates for customers and your marginal cost of service. Only somebody who knows SaaS knows how to think about it this way. Nobody knows it like Rory. You use it as a guide for how you’re tracking.”

Additional reporting by Phil Stewart and Jim Wolf, Reuters