THE CURIOUS CASE OF CYBERSECURITY

BLUF (Bottom Line Up Front)

  • Cybersecurity ventures saw longer time-to-exits and lower multiples
  • The worsening supply-demand gap for cybersecurity professionals is an economics puzzle
  • Cybersecurity’s prevention-centric value proposition is a tough sell (and the old FUD sales pitch is not helping!)

Cyber Picks: Value or Value “Traps”?

Someone asked me the other day, “what is one trendy technology space you are not keen to get into (as an investor)?” My answer was — no, it is actually not blockchain — cybersecurity.

And here is a 10,000-foot, rather superficial explanation of my reservation: while solutions to cybersecurity employ some of the coolest cutting-edge technologies, and startups in this space tend to be capital efficient, the lack of a “growth edge” makes them less than compelling.

To see that, let’s get inside the head of a (reasonably disciplined) venture capitalist and take a qualitative look. We already know that successful exits are rare events in startup land; to reward capital at greater risk of loss, we would want outsized returns from those bets that do pay off. In other words, for the math to work out, it is imperative to score “unicorns” (valuation: $1B+). And just how many unicorns have we observed in the security technology space? A quick search of “cybersecurity unicorn” returned no more than 10 names over the last decade or so [1]. (Note that most of those numbers are also private valuations, meaning they were subject to less stringent scrutiny; reportedly, a few of them that later went for an IPO raised less than $1B on the public market [2] [3].)

If the fact that the exits of most security ventures fall into tiers of ~50MM, ~200MM, and ~500MM is not bad enough, there is a long time-to-exit factor that scares away another good percentage of VCs [4]. In a day and age where certain technology ventures can achieve a $1B+ market cap in less than three years, we cannot blame sane and rational investors for picking those that get there faster.

Even in the eyes of the public market, cybersecurity companies are not treated like your typical FANG stocks, partly for lack of growth prospects. The industry on average trades at a modest ~3x enterprise-value-to-sales multiple (EV/S) [5]. (To put things into perspective, Netflix boasts a 13 EV/S.)

Where Are the Talents?

Another puzzling phenomenon in cybersecurity land is a perpetual zero unemployment rate [6] and an ever-widening gap between industry demand and job market supply.

“If you’re a cybersecurity professional with any kind of skill set, you already have a job and multiple offers on the table.” — Sam Olyaei [7]

Economics 101 tells us that in a market where demand way outnumbers supply, we should see the dynamics being driven toward a state where the price of the scarce resources goes up, which leads to more of those resources being produced, and eventually we get to some equilibrium point where both sides should be happy.

However, we are struggling to fill the pipeline of security professionals. Some say the costs of education and qualification are one of the main barriers. Others argue the fragmented state of the tool/technology space contributed equally to this shortage. Yet neither of these obstacles seems to be absent in, say, big data or AI, areas toward which talent is rushing. So, we need to dig deeper to uncover the real causes.

What Makes Cybersecurity A Tough Sell?

The said “anomalies” beg the question — why aren’t people/businesses getting excited about cybersecurity?

One hypothesis may be that being proactive about preventing “potential” losses is just not a high priority for business decision makers. Even with security marketers and practitioners actively publishing thought-leadership pieces and trying to bring the topic to the boardroom, IT spending is still seen as a cost center rather than a value lever.

Nevertheless, all is not lost for cybersecurity. Newer estimates with impressive figures about the market size are coming out [8]; there are also some signals indicating an attitude change on the VC side [9]. Perhaps with real numbers showcasing the concrete impact of security compromises [10], the cybersecurity industry can upgrade its stale sales pitch that was based on fear, uncertainty, and doubt (FUD), and formulate better value propositions/ROI stories that will resonate with buyers. I will certainly be curious to observe how the curious case of cybersecurity unfolds in the coming years.

===

[1] Cyber unicorns https://techcrunch.com/2016/09/02/what-if-cybersecurity-followed-physics/

[2] funding drought http://fortune.com/2016/02/24/cyber-security-funding-drought/

[3] lower ipo http://fortune.com/2017/10/27/cyber-security-unicorn-forescout-ipo/

[4] Cockroaches Versus Unicorns: The Golden Age Of Cybersecurity https://techcrunch.com/2016/01/06/cockroaches-vs-unicorns-the-golden-age-of-cybersecurity-startups/

[5] Public company stats http://cogentvaluation.com/wp-content/uploads/2017/11/Cyber-Security-3Q-2017.pdf

[6] Cyber security job report https://cybersecurityventures.com/jobs/

[7] https://www.gartner.com/smarterwithgartner/solve-the-cybersecurity-talent-shortage/

[8] Market size https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

[9] Venture scanner Q1 2018 Insights https://www.slideshare.net/NathanPacer/security-tech-q1-2018-startup-highlights

[10] Breach price tag https://www-statista-com.stanford.idm.oclc.org/chart/9918/the-price-tag-attached-to-data-breaches/


4 comments on “THE CURIOUS CASE OF CYBERSECURITY”

  1. Awesome business analysis on cyber security, Sara! I enjoyed reading your posts!
    To add to the shortage of talent, maybe it also falls into your “fragmented state of tool/technology space” category, I do find security one of the most challenging areas from a developer perspective. It requires almost a full stack of knowledge, up to the UI/UX frontend, down to the disk level low-end. When tracking down a cyber breach, one needs to diagnose/rule out all the possible loopholes down the stream. Meanwhile, a simple mistake by a developer could potentially worsen an attack case. Personally I feel it’s a role for only experienced engineers.

    1. Thanks for sharing your experience, Hailun.

      Most CISO/CIOs I’ve spoken with are quite frustrated with the fact that security solutions/tools sometimes bring more complexity to the situation than they promise to reduce. “I have to consider the cost/time it takes to train Kevin up on the software, right?”

      And not to mention the 22 different security certifications an aspiring security analyst may consider getting…

      At the same time, as you alluded to, when an issue occurs, it is often a _process_ to triage/diagnose. I forgot to mention the part about hardware security too.

  2. Hey Sara,

    I like your critical analysis of the risks related to investments in cybersecurity. However, I think that the overall decision whether to invest in the cybersecurity industry is a bit more difficult than depicted in your blog post. In this context, I have analyzed a very interesting blog post by Jocelyn Aspa (Investing News Network) (https://investingnews.com/daily/tech-investing/cybersecurity-investing/why-cybersecurity/). She is elaborating on two dimensions which should have a higher priority in your overall evaluation in my view. Firstly, the market growth in the industry is extraordinarily high. Her figures suggest that until 2021 we will face a CAGR of more than 10% in the industry. This growth is especially driven by new demand for cybersecurity in the financial industry, whose market size she quantifies as $68 USD bn in 2020, but also by new emerging industries such as health care. I would argue that this market growth resembles increasing demand for cybersecurity and thus attractive investment opportunities. However, there are also many professionals arguing from your perspective and seeing the increasing growth as a bubble. So, the market development can be seen from two perspectives.
    The second argument why I would see the overall market less critically than you is that we have many startups with proven value propositions. According to Jocelyn Aspa, cybercrimes cost the firms a yearly amount of 3 trillion euros. So other than in many other industries we have a good value story and I would disagree that precautionary measures are generally unattractive. The same holds true for your valuation example. Of course, you are striving for unicorns in the industry. But first, unicorns are rare in most industries and second, as Yoav Leitersdorf (YL Ventures) points out, even startups likely to reach valuations of $300m can be profitable business opportunities. (https://www.reuters.com/article/us-cybersecurity-startups-analysis/under-threat-cyber-security-startups-fall-on-harder-times-idUSKBN1F62RW)

    Still, your points made are valuable arguments for your opinion but you might have a look at the other arguments as well. Looking forward to your thoughts!

    Sources:
    https://investingnews.com/daily/tech-investing/cybersecurity-investing/why-cybersecurity/
    https://www.reuters.com/article/us-cybersecurity-startups-analysis/under-threat-cyber-security-startups-fall-on-harder-times-idUSKBN1F62RW

    1. Thank you for reading and providing a constructive comment, David.

      A wise VC once told me, “every rule is there to be broken (in the startup world).” I’ve always been more of a value investor (like to analyze my investment like a bond), but his words did intrigue me. I’ve followed movements in VC more closely since.

      There are certainly exceptions. Please don’t take this piece as a generalized commentary on why to avoid cyber. If anything, I’m glad it has achieved its main purpose of attracting thoughtful feedback like yours.

      I did review the links you posted.
      For the first one, I agree that the pie is getting big. FWIW, it aligns with the materials that I personally reviewed for the post. And I think at some point, the size of the market (even if just a bold estimate) will attract good entrepreneurs to figure out ways to capture that value.
      For the second one, I think the argument is that a profitable $300M business is possible. It boils down to whether that math is attractive enough to a VC and what economic alternatives she has access to (ultimately, a VC has to answer to her LPs and demonstrate overall returns).

      Thanks again for sharing your thoughts!
