In recent years, companies have reportedly increased their spending on information security due to the growing number of hacking attacks, and the total amount of such spending is predicted to reach $170 000 billion by 2020. Accordingly, venture funds tend to actively support cybersecurity startups, though such investments account for only 7 percent of all VC investments. The question is: should investors pay more attention to cybersecurity startups?
Logically, venture capitalists prefer the projects that are most likely to turn into unicorns. However, unicorns are exceptionally rare in the security industry. As a rule, there are three categories of security exits, all of which are characterized by long times-to-exit: ~$50 million (Toopher, acquired by Salesforce after raising $3 million), ~$200 million (Aorato, acquired by Microsoft for $200 million) and $500+ million (OpenDNS, acquired by Cisco for $635 million; it took them more than 10 years to reach $60+ million in ARR). Venture funds also search for companies at the “growth edge”, while security startups often stay at the survival stage for a long time: in difficult periods, cybersecurity companies can turn into consulting agencies.
As a result, security startups are characterized by an extremely slow pace of growth, from 7 to 10 years (of course, there are several exceptions that managed to achieve a $1 billion valuation in 3 years). So it is logical to conclude: unless security startups start to grow at a higher pace, VC funding in this industry will remain stagnant and will not exceed 10 percent of total venture investments.
According to some experts in security investments, security budgets are currently on the rise across international companies, which creates a prosperous market for cybersecurity startups. This may lead to some changes in exit dynamics. For now, cybersecurity exits are rather hard to achieve due to a number of market conditions. Meanwhile, some IT giants, like Symantec and HP, fail to adapt to cybersecurity market demand, and their revenues from security software sales tend to shrink, which implies an encouraging market environment for newcomers, that is, startups. Accordingly, cybersecurity startups are acquired by big corporations like Microsoft, Intel, and Google, which wish to integrate their powerful data centers and cloud technologies with the innovative security approaches suggested by startups.
Speaking of the market demand for cybersecurity projects, it is worth noting several leading market trends and challenges:
- More and more enterprises are moving their businesses to the cloud and, therefore, wish to shift the security burden to so-called managed security service providers (MSSPs). Obviously, customers want services, so startups should consider following a managed services strategy, which could likely guarantee a short path to an exit.
- Cybersecurity software is of great interest to customers today, and private equity shops have already noticed that selling cybersecurity software can bring in money. As a result, many private equity shops tend to acquire security startups that develop niche offerings (each security solution is rather individual to each project, so the market is described as rather fragmented).
- The security market is highly competitive today: there are more than 50 large vendors, and more than 200 new startups emerge every year. All of them are in search of good partners among the CISOs of the leading enterprises. CISOs are interested in comprehensive solutions that can be easily integrated with their existing systems, which often turns out to be pretty challenging for startups: most of them simply cannot reach those CISOs at once; first they have to position themselves as trustworthy partners.
- Many customers wish to try the product before buying. This encourages some necessary changes in security sales models (free trial downloads, for example).
- Attracting seed investment has become rather hard for cybersecurity startups because most of them demonstrate the same concept and business idea. So the key recommendation for cybersecurity startups is to differentiate with clarity and conviction. Differentiators can be found in focus, features, pricing and sales methodologies.
- Security innovation lags to a certain extent behind tech innovation. Security vendors are constantly looking for new innovation opportunities. In February 2015, Kaspersky Lab even organized a specialized hackathon in order to find something new.
With security awareness growing as the number of hacks and attacks increases, cybersecurity budgets are currently on the rise, which opens great opportunities for security entrepreneurs. To succeed, they need to differentiate and find a way to faster exits. If all goes well, we will soon see more capital flowing into the cybersecurity industry.