Startups innovate, Big companies acquire
Date: Monday , November 17, 2008
The venture capital community is calling on security startups, more often than ever before.” Are you interested in raising capital? Do you want to sell the company?” they ask the entrepreneurs. There appears to be no respite in sight.
According to Thomson Venture Economics, VCs have pumped about $350 million into 35 security-related companies during the first six months of 2004. Not only are security startups receiving plenty of venture funding from a variety of investors, but are also being trumped in the Mergers and Acquisitions (M&A) market.
In 2004 there were 20 security-related M&As. Going forward, M&A will be the primary vehicle for exit within the security space.
M&A seems to be a better option of exit than Initial Public Offerings (IPOs) because bigger players in the market have continued to acquire companies at attractive multiples. For example, in October 2004 Cisco acquired Perfigo, a network security company, for about $74 million. Venture Wire says Greylock is the sole investor, and had invested $2.8 million into the company back in 2002. Industry observers say Greylock held close to 30 percent stake, which would mean Greylock cashed out at 10 times the investment. That’s indeed an attractive multiple!
Most acquirers have big market capitalization and liquid stocks. “If you are planning to go public, you not only have the burden of competing with bigger players but you also need to comply with various regulatory issues. Entrepreneurs should keep in mind that bigger players will not let you own a whole new segment. If you really believe you have built a complete-breakthrough product such that no one can touch you, then you can think of going public. If you are just building something incremental to an existing product or application then your company is more valuable as part of a broader suite M&A,” says Amish Jani, Vice President, Pequot Capital.
Spending boosts M&A
M&A activity in the security industry is being spurred by an increase in corporate security spending. Large public companies want to tap into that revenue stream by expanding their offerings. Big players who have snapped up VC-backed security companies include Cisco, Check Point Software, F5 Networks, Microsoft, McAfee (Network Associates) and Symantec.
“Acquisitions for security companies are on the rise as CEOs expect to increase their IT spending for security; and the values of these companies outweigh their risks,” says Marc Sokol, a partner with JK&B Capital, one of the most active venture investors in security.
Overall the security market continues to grow at a compounded rate of 20 percent, which is much faster than the overall IT market. A study by the Meta Group, a Stamford, CO-based IT consulting firm says, a percentage of IT budgets spent on security will be rising and this in the near future, say two-years, will peak nationally. Currently average security spending among 2,000 organizations worldwide accounts for three to four percent of their IT budget. This proportion is expected to reach eight to twelve percent before stabilizing around five to eight percent of overall IT spending. “This trend will continuously improve as organizations realize that a full information security solution is not as easy as implementing a firewall or anti-virus solution,” says Ernst & Young’s Shaun Nel, senior manager for Information Systems Assurance & Advisory Services (ISAAS).
Despite more corporate spending on IT security and continued consolidation in the security industry, dangers still lurk on the network. “Keeping the bad guys off the network is not going to work ultimately and we need to start securing the IT assets on the network. We should address security-related issues from inside out rather than outside in,” says Ted Schlein, Partner, Kleiner Perkins Caufield and Byers. “In the last 20 years, all the security investments have been outside in. I see the trend changing soon.”
The New Breed
“Security is clearly over funded as a sector,” says Asheem Chandna, a venture partner with Greylock Partners. “When you talk to customers one gets the strong sense that the security threat is only getting worse. That means there are opportunities for new companies.”
Schlein agrees. There has been lot of investments in the security space over the last three years. I don’t think there will be enormous investments in security in future. However, innovative companies will get funded. “One of the new areas of interest in research is Day Zero detection. It involves writing complex algorithms and building sophisticated tools. It is hard to do. It is such new technologies that attract the venture capitalists. They will fund startups that have their own niche in the growing security industry,” he says.
“Big companies can’t innovate fast enough to fight back. That’s why the strategic value of acquisitions outpaces the financial value. When Symantec acquires a new point solution for one of its suites, not only does it benefit from increased revenue but also increases demand for the entire suite. They’re buying companies based on what will make their suite more attractive. And it’s working,” says David Cowan of Bessemer Venture Partners in an interview with one of America’s leading publication.
Cisco’s acquisition spree in the security space sends a signal that in a sense, security is becoming an embedded networking function. Today all their products are embedded with security. Such a move makes the market challenging for younger companies trying to innovate on the network side.
Similarly Microsoft has made some acquisitions on the security side. Taking into account their model of distribution and their ability to drive innovative solutions makes entrepreneurs leery of the areas that the big giants are getting into.
Making sure information is not leaked beyond your corporate network is essential. Content monitoring and inspection is an interesting area where innovative solutions can be built. Enterprises are also spending on change configuration management and authentication tools. “How do you make sure what you are doing is right?” Is a resonating question they are trying to find an answer for. Hence, identity management and access, is an area of opportunity for entrepreneurs to build products.
Pressed by the need to comply with a spate of regulatory directives like the Sarbanes-Oxley; companies are concerned about information security. They recognize that IT assets need to be secure and policies need to be implemented. A new set of companies are building technologies focused on log management.
Source code security, securing transactional information across enterprise, secure online transactions are all emerging areas where entrepreneurs can look at building best-of-breed solutions.
The industry is crowded and it’s tough to invest in security. There are too many investors chasing too few deals. There are too many security vendors with similar offerings. So a lot of security startups will have it tough unless they have a unique technology and a compelling business ROI to present to investors and buyers.
“Security is a specialists business. Customers are looking at sophisticated solutions that protect them at the right level. Customers will prefer to buy from larger companies. But then customers will go to specialists if they see the superiority of the technology. Security lends itself to new ideas. Entrepreneurs should make sure that they are working on a burning issue or a real problem that the customer believes as problem and that there are no other alternatives in the market,” advices Chandna.
However, a new wave of threats, issues and problems will come up.
“Security is always the leading edge issue. You solve a problem another one erupts,” says Jani. Startups will continue to innovate. Going forward, understanding ‘who is doing what in my environment’ becomes more important. Building new products will require deeper level of understanding of organizations’ business processes. Deployment of these new technologies will further fuel the acquisition spree. And the bigger ones will acquire the small.