Trident Capital Cybersecurity turned heads a year ago when it raised a hefty $300 million fund with a sole focus on security.
The fact that the fund was oversubscribed should not have been a surprise. Domain specialization appears to be an increasing differentiator in the complex world of cybersecurity.
This area “really does require specialization to do it right,” said Managing Director Donald Dixon. “While we see more people investing, we don’t see more people specializing in cybersecurity.”
For Dixon, opportunities in the space are not in short supply. One of the latest is blockchain.
“This is an area we will be addressing this year,” he said. Many traditional VCs are talking about blockchain and cryptocurrencies and “now is the time for us to begin the process of identifying the companies that will secure that part of the industry.”
Still, cybersecurity investors are wise to remember one key point: Security spending lags spending on infrastructure. So watching where corporations spend their infrastructure dollars today usually reveals where they will spend their security dollars tomorrow.
Many of these opportunities are abundantly clear, Dixon said, whether it is integrating security defenses for the mid market or delivering software as a service to large banks.
VCJ recently spoke with Dixon about security investing. An edited transcript follows.
Q: With cybersecurity continuing to be a priority at corporations worldwide, how did cybersecurity investing unfold in 2017?
A: 2015 was probably more of a record year in terms of valuation multiples. But 2017 continued to be a very solid year driven by just the continual drip, drip, drip of problems.
Q: What do expect from valuations this year?
A: Flat to up.
A: We’re seeing a lot of people who are saying, ‘Gee, I don’t have a cybersecurity company in my portfolio.’ So on later-stage deals, say, Series C and some Series B, we’re getting first-time investors in cybersecurity as a way to check a box in their overall enterprise-software portfolio.
And anytime you have somebody who is not deep into the industry, they may not have the full picture as to the need for that product, or the success of that company. Maybe that will lead to future disappointment, but nonetheless it does place extra demand on the existing supply to high-quality companies.
It is good for us because we are in the Series A and B space. That drives up valuations (and) that will ripple down.
Q: How’s been the pace of investing this year?
A: I don’t see the number of deals changing. We track obviously the seed stage, the A and the B. That’s the world we live in.
Overall in software, I think you (are) seeing the seed and the A go down slightly as people focus more on later-stage deals. We’ve seen that also in cyber. But the amount in the later-stage deals is going to get bigger in terms of dollars per deal.
Q: With all the money that has gone into cybersecurity, is the sector overinvested?
A: I’m not seeing a lot of distressed companies for sale. That would indicate that there had been previous overinvestment trying to find a soft landing. This means either they have enough cash to continue and they are not yet at cash-flow break-even, but they can be, or they are doing well.
Q: Where are you focused this year?
A: There is a trend you have not seen yet, and that is enterprise software writ large has been developed without regard to cyber. Cyber is an afterthought. And in fact right now I think blockchain has got to the point with banks adopting it, they are starting to think, ‘Holy cow, how did that cryptocurrency get stolen? Is my blockchain actually secure?’
So now this year we will focus on, What will we do to secure blockchain? We talk to the big banks to find out what their concerns are and where they will spend money. It usually is lagging a year or two from where they spent money on infrastructure.
Q: Are there many companies in the space?
A: Not that many.
Q: Where else are you spending time?
A: We are looking for more applications where we can inform the application through our knowledge of cybersecurity. For example, the most obvious one is cybersecurity insurance premiums. These are platforms that are ERP platforms for insurance companies. And they are starting to write a lot more cyberinsurance. … It’s growing very quickly.
So we’re working on a transaction where we inject our knowledge of cybersecurity data into the underwriting platform for the cyberinsurance underwriter.
A: Any other sectors interest you?
A: Clearly we are going to do more in the internet of things. We already have two investments there: Mocana and Bayshore Networks.
That area continues to expand as a problem. That is an ongoing theme we will continue to work on. We’re looking at some of the more regulatory-driven areas, like, ‘Is it possible on GDPR (General Data Protection Regulation) to do something?’
We hesitate there because a lot of that has to be customized for the particular customer. And heavy customization doesn’t lend itself to scalable business models for software. We’re looking at all the issues associated with ‘Know Your Customer’ anti-money laundering, those kinds of things, which might be more scalable.
Q: Do you expect a change in the M&A environment this year?
A: I thought it was interesting that Google stood up a separate cybersecurity unit named Chronicle. We do a lot of work with Amazon Web Services and Microsoft Azure and IBM. Everybody realizes they have to be secure, but this is still a patchwork quilt of point solutions.
So bringing together those point solutions to make an integrated offering, especially for the cloud vendors, I think will be an area of acquisitions.
You’ll see the private equity firms wanting to buy legacy cybersecurity software companies and add them to their platform companies. That’s been a successful strategy.
And the big guys now have more cash.
Photo of Donald Dixon, managing director, Trident Capital Cybersecurity, courtesy of the firm.