Despite cybersecurity boom, fewer firms acquired or go public
By Rob Lemos, ThirdCertainty
A flurry of investment announcements and a major acquisition has underscored that the cybersecurity gold rush continues in 2015.
On June 30, Cisco announced it would purchase Internet security firm OpenDNS for $635 million in cash. The same day, key-management system vendor Venafi announced an additional $39 million in funding, and a few days earlier, application security firm Checkmarx attracted an $84 million investment from a private equity and venture firm.
Such valuations and deal sizes have become typical in the cybersecurity sector. Over the past five years, more than $7.3 billion has been invested in cybersecurity firms, according to investment tracking service CB Insights. The annual value of deals has climbed every year since 2011, reaching $2.4 billion last year.
While the valuations have increased dramatically over the past five years, interest in the cybersecurity sector is grounded in necessity and that sets it apart from many other sectors, said Robert Ackerman, managing director and founder of venture-capital firm Allegis Capital.
“The innovation is being driven by demand for solutions, not speculation that there might be a problem that needs to be solved,” he said.
Growth rampage based on need
The deals suggest that 2015 will be another banner year for investments in the cybersecurity sector. Significant payoffs, such as the OpenDNS deal, will continue to fuel interest, both by entrepreneurs and investors.
Jeff Hudson, CEO of Venafi, likes to evoke biological analogies to explain why security is still such a dynamic market. While the real-world environment has evolved over billions of years, the cyber realm has had just a few decades. The cybersecurity industry will continue to innovate, because the environment is still in its infancy, he said.
Security & Privacy News Roundup: Stay informed of key patterns and trends
“The bad guys are attacking from cyber (space) because there is no equivalent of the immune system, and there‘s more and more value there, so more attacks will go there,” he said. “Because of that, the investments will continue to go there as well.”
Yet, the supply of security firms may be leveling off. In 2014, the number of investment deals only increased by 4 percent from the previous year, a far cry from 21 percent and 37 percent increases in the previous two years, according to CB Insights data. While investors are willing to put capital into the market, finding the startup companies with the right skill sets to succeed in the cybersecurity market is tricky, said Don Dixon, general manager for venture-capital firm Trident Capital.
Quality vs. quantity
“More people are coming into the industry as it attracts more money, and you see more venture firms come in, but if you look at the number of qualified people and the number of opportunities, both are limited,” he said.
In addition, the endgame is still questionable for most security firms. The number of exits—companies that are acquired or go public—is small compared to the number of companies being funded, according to CB Insights. While more than 350 companies have exited in the past five years, the trend peaked in 2012 and dropped by a quarter the following two years. Only 15 cybersecurity companies have gone public since 2010.
A significant part of the problem is that, to prove themselves, cybersecurity firms need to gain customers among companies and their chief information officers who are taxed by ever-increasing attacks, Trident’s Dixon said. Moreover, the shortage in qualified CISOs means that products from the hundreds of cybersecurity firms are vying for the limited resource of CISO attention.
“I think you have a glut of companies,” Dixon said. “How many companies are the CISOs willing to look at and look to process? I think that, at the end of the day, that is what’s going to limit the number of opportunities.”
More on emerging best practices
5 data protection tips for SMBs
What SMBs need to know about CISOs
Protecting your digital footprint in the post privacy era