Unlocking profits from security deals

They say crime doesn’t pay. For much of the decade, neither has security. Venture capitalists poured billions into security startups only to see them mature in a moribund exit environment.

But things are starting to look up. Two security companies, Postini and IronPort, produced the venture industry’s largest technology M&A exits of the year. Meanwhile, developers of antivirus, data recovery and authentication technologies are carrying out new stock offerings on U.S. markets. And several more are exploring the prospect of an IPOs or in registration.

Market watchers expect the trend to continue, with deep-pocketed acquirers and public market investors signaling that they’ll pay a premium for market leaders in fast-growing sub-sectors. These include developers of security-as-a-service applications geared to small businesses, authentication technologies for payment processors and tools to protect against data loss and theft.

Later stage companies also have less to fear from upstarts, as VCs are backing fewer early security deals. For the time being, investors are focused largely on building up and finding buyers for older, still-private companies. Industry watchers say there are quite a few which merit attention.

Numbers game

Brewer Stone, of investment bank East Peak Advisors, estimates that there are slightly more than 700 private security companies operating today that could conceivably be acquired or go public. Requirements for the list aren’t onerous: Generally a company needs at least 10 employees and a product that is either on the market or close to it.

Over the last couple of years, Stone says, acquirers have annually bought about 10% of the private security companies he tracks. That ratio remains largely on track this year, he says, with about 50 security exits announced as of the end of July.

The fact that there are some interesting exits does not validate the several hundred investments that were made.”

David Cowan, Managing Partner, Bessemer Venture Partners

Sought-after security companies get some of the best multiples in the technology industry, commonly fetching purchase prices equal to four to seven times annual revenue, according to Stone. Public markets can be equally generous. Shares of SourceFire (Nasdaq: FIRE), which began trading in March, for example, are valued around five times sales.

Less prominent players, meanwhile, often land in the liquidation bin, with some VCs selling portfolio companies for less than what they invested. Internet security software developer NFR Security, for example, raised more than $40 million in funding between 2000 and 2004. It sold to Check Point Software in January for $20 million.

Just how many fire sales occur is difficult to estimate, as acquirers frequently don’t disclose purchase prices. David Cowan of Bessemer Venture Partners ventures that such deals account for a high portion of security exits for the VC industry overall.

The pace of unprofitable exits is likely to pick up over the next three years, as tech bubble-era funds wind down. Security venture investing hit a peak of $1.9 billion in 2000, according to Thomson Financial (publisher of VCJ). The following year was also strong, with $1.4 billion invested, before falling below $900 million in 2002 and 2003. VCs got more aggressive the following two years, but really slowed their pace in 2006, with just $752 million invested (see chart).

Who’s who

In most profitable acquisitions, prices seem to reflect more who’s doing the buying than who’s being bought. Both Postini (purchased by Google for $625 million) and IronPort (bought by Cisco for $830 million) fetched above-market rates when they found themselves courted by two of the industry’s most deep-pocketed acquirers.

There’s very little being done in security in early stage companies by high-profile venture capitalists.”

Brewer Stone, Managing Director, East Peak Advisors

“You have two buyers in Cisco and Google where money isn’t really an object,” says Mike Rothman, president of Security Incite, a research firm. “Do I think they overpaid? Yes. But it’s not like either of these deals are going to affect earnings per share for either of these companies.”

But even the most successful exits tend not to come quickly, a point driven home by Postini. Former Mobius Venture Capital principal Ryan McIntyre vividly recalls negotiating term sheets with the company’s founders on the morning of Sept. 11, 2001. Over the next six years, Postini survived what McIntyre describes as the technology industry “nuclear winter” of 2001, built a suite of e-mail security tools, and attracted more than 35,000 customers.

While few startups are likely to garner Postini-type prices, several have built to a scale that ought to generate attractive exit valuations (see table for exit candidates). Companies atop Rothman’s list include Crossbeam Systems and Fortinet, which sell unified threat management services that are popular with businesses that want to simplify their security infrastructure. Those two companies have raised $103 million and $84 million, respectively, in cumulative venture funding. Intrusion detection specialist NitroSecurity, meanwhile, recently filed for a $55 million IPO.

Another area that’s continued to attract significant venture investment, and some strong exits, is database security. Here Rothman’s picks include Imperva, which has raised $34 million in funding since 2002, and Application Security, which has pulled in $23 million over the past four years.

East Peak’s Stone also sees companies in the network access control space attracting interest. Acquisition candidates in that segment, he says, include venture-backed Lockdown Networks ($4 million in funding) and Mirage Networks ($40 million).

Across all security sub-sectors, the most talked-about companies among industry insiders share a common trait: They tend to be at least five years old. “If you look at what’s getting funded today, there’s very little being done in security in early stage companies by high-profile venture capitalists,” Stone says. “Most of what they’re investing in is later rounds of established companies.”

The problem has really become not one of lack of available technologies but too many available technologies.”

Brad Miller, CEO, Perimeter eSecurity

That holds true of large funding recipients, too, such as Perimeter eSecurity, which raised $104 million in expansion funding from Goldman Sachs, Bessemer and Stripes Group this summer. In conjunction with its latest funding round, the company announced an acquisition of USA.NET, a secure messaging provider backed by VCs including ABS Ventures, Philadelphia Ventures, for an undisclosed sum.

Perimeter, a security-as-a-service provider, has been profitable for the past five years with annual revenue around $40 million, says CEO Brad Miller. He’s looking to grow sales before contemplating an IPO. In exchange for its investment, Goldman got about a third of Perimeter. The round provided partial liquidity for all other stakeholders in the 10-year-old company.

Miller is bullish about opportunities for companies that excel in integrating existing security applications. “The problem has really become not one of lack of available technologies but too many available technologies,” he says. The challenge lies in developing a delivery model that makes technologies easily available to companies, especially small and mid-sized businesses.

Authentication nation

That’s not to say early stage is dead. Bessemer’s Cowan sees strong growth prospects for companies that can deliver integrated security services for small businesses.

Particularly if one widens the notion of security to encompass technologies for identity verification, biometrics and video surveillance, demand from government customers alone could bolster industry sales for years to come.

Do I think [Cisco and Google] overpaid? Yes. But it’s not like either of these deals are going to affect earnings per share for either of these companies.”

Mike Rothman, President, Security Incite

At least that’s the thesis Jay Meier, CEO of year-old investment consulting firm Sage Capital Advisors, is talking up to prospective clients. Over the next decade, Meier forecasts that governments and businesses will carry out a massive upgrade of “privilege entitlement systems.” Broadly speaking these are the programs and related technologies used to determine who can receive such privileges as a driver’s license, credit card or entry to a restricted building.

Industry research indicates the markets for new technologies are vast and still largely untapped. A survey of federal agencies identified more than 788 data breaches at 17 agencies from January 2003 through July 2006, according to a June report by the Government Accountability Office. The GAO also noted that more than 570 data breaches have been reported in the news media from January 2005 through December 2006.

Surveillance and identification are also high on Meier’s list of favorite buzzwords. Venture-funded companies he’s following in this space include LifeLock, which makes online identification and theft prevention tools, and UPEK, a developer of silicon-based fingerprint security systems that’s in registration for an IPO. AuthenTec, another maker of fingerprint authentication sensors, went public this spring.

While Meier is upbeat on growth prospects, he’s more elusive on the outlook for exits. Developing a healthy deal pipeline will take years, he admits.

Cowan is less generous in his assessment of the overall market for security companies. “You can’t ignore the reality that there were several hundred companies in security that raised venture capital in the early part of this decade,” he says. “The fact that there are some interesting exits does not validate the several hundred investments that were made.”