The last year was a big one for Parveen Jain and Krishna Kolluri. Jain’s company—Intruvert—was acquired by Network Associates (NYSE:NET) for $100 million in cash. Kolluri’s company—Neoteris—was acquired by Netscreen (NASD: NSCN) for $265 million.
The story doesn’t end there. There were 35 mergers and acquisitions worth $1.6 billion made in the security space during 2003. The appetite for M&A is still there. “The space is in a consolidation phase. Acquisitions will continue,” says Harry Weller, Partner at New Enterprise Associates. According to industry analysts, Symantec, Network Associates, Check Point, Verisign, Computer Associates, Netscreen, Cisco, Microsoft and Hewlett-Packard are likely to buy security startups in 2004. And as we go to press, Symantec folded San Francisco-based Brightmail, an email security firm, into its product offering.
The bigger players know that the road to dominance in the security space is steep and full of competitors. The only way they can take a lead is by gobbling smaller players. “As long as these big guys have currency and are willing to pay the kind of valuation the smaller companies are seeking there is no reason they won’t be sold,” says Marc Sokol, Partner at Chicago, IL-based JK & B Capital.
It is interesting to note that Zone Labs, one of Sokol’s portfolio companies, was acquired by Check Point last December for $205 million. “Although acquisitions have always provided more venture-backed exits than any other option, they have become increasingly important in recent years when IPOs are virtually nonexistent. Rising valuations represent good news, and such a trend will support stronger private equity performance,” says Mark Heesen, president of the National Venture Capital Association.
2003 saw no IPOs in the security space, primarily because of sluggish market conditions. Many industry observers believe that in 2004-05 there will be more than half a dozen IPOs. (See panel: Suitable IPO candidates)
Despite sluggishness elsewhere in the information technology sector, the market for security-related hardware, software, and services will continue to experience healthy growth, swelling to more than $45 billion in revenue by 2006 from just $17 billion in 2001, according to a study released by IDC.
“That is a sizeable amount,” notes Asheem Chandna, venture partner at Greylock. “Security of the enterprise is a priority area for the CIOs. Most of the CIO surveys point out that security is on the top of the list.”
Fragmented and Overcrowded
Today there are over 700 private companies in the security sector. According to VentureWire, in 2003, there were 89 investments worth $684.8 million in this space. Many VCs agree that the sector is overfunded. However, the good news is that there is more venture money available for this space and new companies will still be funded.
“We’ve certainly seen an increase in security-related business plans, and we are excited about the security space. Having said that, it’s important not to get carried away. Network security is extremely crowded, with large entrenched players and a glut of funded start-ups. You have to be significantly differentiated to rise above the noise,” says Matt Harris, Managing Partner of Williamstown, MA-based Village Ventures.
Chandna concurs that despite the [security] space being crowded there is still an ability to create new companies. “Customer problems are still unsolved in a number of areas,” he says. He points out that there is opportunity for startups in the areas of email security, application security, security policy compliance, security appliances and identity management.
With so much noise in the market, “the customer cannot distinguish between what he will get from the other. It is really interesting to watch all these,” says Weller. “Niche players will survive and do well. They have a much longer term growth story.” Weller points out that there is pricing pressure in almost every sector of the security space. Most of the smaller players will shut their doors, as they will not be able to face the competition. Quite a few companies will be acquired by their private brethren or by public companies, maintains Weller.
It isn’t enough for startups to build “sexy” technology products. The companies should make sure that they sign on customers. But it isn’t as easy as it appears, especially in a ‘crowded space’ where there are hundreds of products within each segment. “Partnerships are the best way for companies to go to market,” says Chandna. “For most early stage companies, the conventional wisdom is to have a direct sales force and then target large accounts. However, in the security space one could look at other alternatives. There is a well-established network of security resellers and integrators. Startups can leverage this active and thriving channel to go to market.”
It is also worth noting that businesses trying to secure their computer networks are increasingly looking for one large company that provides all of the security services. “Right now people are buying best of breed. That is not going to last,” says Weller. “As the demand increases and the space gets matured, customers will prefer single vendor. They will buy from the big players who will integrate all these [firewall, intrusion detection, email security] technologies into a combined vision for you for security enterprise.”
This again emphasizes the appetite for acquisitions. To be acquired, a company has to have a product and customer traction. To go public, add on several quarters of real revenue and profitability within a quarter or two.
Chandna points out that security companies can leverage the talent in India and gain a cost advantage. “In areas of security monitoring, security hosted services there is a great opportunity to build companies which will have the backend in India. The security managed services market for 2004 is projected to be $5 billion,” he says.
The biggest challenge to security suites is the effort it takes to integrate and maintain many diverse products equally. The next challenge is that the collection of products may not be best-of-breed. But both of those challenges may lead to the success of a suite. After all, what customer really desires best-of-breed in all products? An axiom of security is “good enough is always good enough.”
Vendors that put together a collection of “good enough” products may actually beat the individual best-of-breed vendors or the suites that try too hard to be perfect.