VCs Hope To Cash In on Security Spending Spree –

A couple of times a week Mike Cote fields calls from bankers and investors who all want to know the same thing. Is he interested in raising capital? Does he want to sell the company? He politely tells them no and goes back to work, until the next call.

Cote, CEO of SecureWorks, isn’t surprised by all the attention. His Atlanta-based company, which provides Internet monitoring and related services, happens to be in one of the hottest sectors right now-security. Not only are security startups receiving plenty of venture funding from a variety of investors, but they are also being scooped up on the M&A market. And there appears to be no letup in sight.

But don’t count SecureWorks among the transactions, just yet. The company, which has raised $29 million in venture financing, last closed a round in late 2000 when it raised $20 million in a Series C from Mellon Ventures, Noro-Moseley Partners and others at a post-money valuation of $50 million (according to Thomson Venture Economics, publisher of VCJ). The company reached cash-flow positive late last year, says Cote, and SecureWorks also made its first acquisition in 2003, when it purchased TesserEye, an Austin, Texas-based provider of network monitoring services, for an undisclosed price.

Cote says he tells the callers he’s not looking to make a deal. However, he knows security is booming, and he says that it’s important to never say “never.”

“We’re currently not out looking for new capital, but we’re not gonna close the door on raising funds either,” Cote says. “There’s a lot of interest being paid to Internet security right now and that just can’t be ignored.”

Follow the Spending

Rather than a shakeout of weak players or a lackluster market, M&A activity in the broad Internet security industry is being spurred by an increase in corporate security spending. Large public companies want to tap into that revenue stream by expanding their offerings. Big players that have snapped up VC-backed security companies include Check Point Software, F5 Networks, Microsoft, Network Associates, Symantec and VeriSign.

As a percentage of IT budgets, security spending is on the rise and is expected to peak nationwide within the next two years, according to a study released in June by the Meta Group, a Stamford, Conn.-based IT consulting firm. Meta reports that average security spending among 2,000 organizations worldwide accounts for 3% to 4% of their IT budgets. This proportion is expected to reach 8% to 12% before stabilizing around 5% to 8% of overall IT spending, Meta says.

“Acquisitions for security companies are on the rise because CEOs expect to increase their IT spending for security and the values of these companies outweigh their risks,” says Marc Sokol, a partner with JK&B Capital, one of the most active venture investors in the space.

In June, F5 bought MagniFire Websystems for $29 million. MagniFire, a New York-based provider of security gateways, had raised about $9 million from JVP and Lucent Venture Partners. Last December, VeriSign paid $140 million for Guardent, a Waltham, Mass.-based provider of security programs for large companies. Guardent had received about $57 million from Charles River Ventures, Sequoia Capital, Hudson Venture Partners and others. One of the largest transactions lately for a VC-backed security company also came in December when Check Point Software acquired Zone Labs for $205 in cash and stock. San Francisco-based Zone Labs, an Internet security provider, had raised $40 million from JK&B Capital, Intel Capital, Pacific Venture Partners and others.

Feel the Heat

Security has always been a hot sector for M&A activity, says Scot Sedlacek, managing director in the New York office of M&A advisor Broadview International. But it’s getting hotter. Over the past year, Sedlacek has noticed a rise in the number of transactions, a pace not seen since the late 1990s.

He expects about 18 acquisitions of security companies this year worldwide at prices above $20 million. In comparison, in 2001, there were only six security related transactions of $20 million or more. Broadview doesn’t distinguish whether the M&A is VC-backed, but Sedlacek notes private investors stand to benefit.

“Venture capitalists are funding new technologies and startups that each have their own niche in the growing security industry,” he says. “Meanwhile, Symantec and Microsoft and all the other large companies are vying to be he one-stop shop for security needs, so they will continue to acquire and build their businesses.”

Like a Virus

Once upon a time, in the early 1990s, security mainly focused on firewalls and anti-virus software. But the computer industry has grown to include email protection, database security, vulnerability assessment and real-time response systems. The proliferation of wireless devices has spawned an increasing range of security technology and management systems.

Security has always attracted interest from VCs, says Allon Bloch, a principal with JVP. “But the security market is growing rapidly as corporations increase spending on security,” says Bloch, who has overseen JVP’s two other security investments, Cyber Ark Software and Quarry Technologies, which have raised $19 million and $120 million in venture, respectively.

Hoping to tap into that increased security spending, VCs have pumped about $350 million into 35 security-related companies during the first six months of 2004, based on preliminary data from Thomson Venture Economics.

One of the largest VC deals this year for a security company was Determina, a Redwood City, Calif.-based developer of a host-based intrusion prevention system, which raised a $19 million Series A from Bessemer Venture Partners, Mayfield Fund and U.S. Venture Partners.

“Security deals, like all good investments, show that where there are bees, there’s honey to be found,” says Matt Howard, a principal with Norwest Venture Partners. “Hopefully, though, as investors flock to security with an eye toward the exits, we’ve learned our lesson from the Internet Bubble and we don’t get ahead ourselves.”

Norwest has stakes in two security companies: Reconnex, an Atherton, Calif.-based enterprise security company that has raised $6 million from Norwest and Outlook Ventures; and Authentica, a Lexington, Mass.-based provider of certification security software that has raised $40 million since 1998 from Norwest, 3i, Greylock, Intel Capital, Lighthouse Capital Partners and Venrock Associates, among others.

As Howard notes, most venture firms have at least one security deal in their portfolios. In addition to the firms mentioned above, Comdisco Ventures, Draper Fisher Jurvetson, Flagship Ventures, Insight Venture Partners, Vanguard Ventures and Veritas Venture Partners have all flocked to security this year.

One of the most active firms in the space has been JK&B Capital. The firm has eight active security investments and took part in three recent fundings. Vormetric, a Santa Clara, Calif.-base provider of storage encryption, has raised $32 million to date; Trusted Network Technologies, an Alpharetta, Ga.-based developer of security software, has raised $18 million since 2003; and Bluefire Security Technologies, a Baltimore-based developer of security software for wireless handhelds, has raised $17 million to date from JK&B and Walker Ventures.

JK&B also had two exits last year. There was Zone Labs’ sale to Check Point Software. And in early 2003, Network Associates paid $120 million for Entercept Security Technologies, a San Jose, Calif.-based provider of intrusion protection technology, which raised $66 million from JK&B, Dell Ventures, Intel Capital, Alpine Technology Ventures and others.

Tougher than It Looks

However, all this activity and prediction for future spending doesn’t mean investing in security is like shooting fish in a barrel. The industry is crowded and it’s tough to invest in security, says Andrea Kaufman, a partner at Novak Biddle Venture Partners.

“There are too many investors chasing too few deals,” says Kaufman, whose investment focus on IT security has her serving as a director of two companies: Object Video, which develops video surveillance software, and Trusted Edge, which provides secure enterprise information management.

“There are too many security vendors with similar offerings,” she says. “So a lot of security startups will have it tough unless they have a unique technology and a compelling business ROI to present to investors and buyers.”

Frank Milano knows first hand what it’s like to raise capital. Milano is vice president of finance for Symbiot, an Austin, Texas-based provider of network security infrastructure. Symbiot is in the midst of raising a Series A and has been in discussions with angel investors and venture firms. Milano says that the potential for the exit strategy of a security company is important when raising cash because it makes it easier to sell when the time comes to exit.

“A hot sector like security attracts more capital from investors because the economics are attractive,” Milano says.

Yet despite more corporate spending on IT security and continued consolidation in the security industry, dangers still lurk on the Net.

The worldwide network remains vulnerable to viruses and break-ins, says Bruce Schneier, founder and CTO of Counterpane Internet Security, a Mountain View, Calif.-based provider of security management services that has raised $78 million from Accel Partners, Bessemer, Comcast Interactive Capital and others.

Simply put, hackers are getting smarter, and computer networks are getting more complex and difficult to keep safe, says Schneier, a noted security expert and author of Beyond Fear: Thinking Sensibly About Security. That means the demand for security will continue to remain strong. Companies that invest in security may be reducing their risks, but new risks are cropping up, Schneier says. “So I suppose security companies and industry consolidation will continue to take place because corporations need to get it right eventually,” he says.