While the broader SaaS stocks have recovered from Q1 lows, I couldn’t help but wonder why IT security companies haven’t bounced back [see Figure 1].
There is a lot of confusion and skepticism among investors, and they have good reason to be wary. The security sector is oversaturated. A shakeout is inevitable, and scores of security startups will fail. But savvy investors need not shun the sector’s tremendous potential if they look [figure1] for three key indicators that can help determine whether a security vendor is built to last.
Cybersecurity is a market unto itself, primarily because the speed at which security software evolves stands out even within the constantly changing technology sector. Just think – we didn’t even have smartphones before 2005, few devices were connected to the Internet of Things in 2010, and wearables didn’t come into the picture until 2013. Now we’re talking about connected cars. Given the stakes, it’s little surprise that cybersecurity spending is at an all-time high [see Figure 2].
In response, investors have funneled record amounts of capital into innovative startups chasing new approaches [see Figure 3]. This is pretty phenomenal, but I also started to wonder if we’ve reached the saturation point. In 2006 there was just a handful of publicly traded security firms. Today there are more than 20, not to mention a small herd of billion-dollar “unicorns” like Zscaler, Okta and Lookout. And as if that weren’t enough, there are hundreds of other privately held startups with high aspirations.
The impact of this proliferation of vendors has been two-fold. It has greatly improved exposure of this sector from an investment perspective, but on the other hand it’s left investors struggling to make sense of a market that is far more technical and moves much more quickly that traditional application software.
How did we get here? Perhaps the most consistent security trend we’ve seen over the past five years is the imperative to grow at all costs. Mindshare is critical and market leaders like ArcSight (SIEM), Splunk (machine learning) and CyberArk (IAM) have been rewarded with outsized multiples.
But to achieve recognition, we’ve seen evidence that some security companies spend a much greater share of their capital on sales reps and flashy marketing campaigns, instead of innovating. An analysis of some leading security companies I track suggests that the ratio of capital invested to revenue generated is substantially out of whack [see Figure 4].
While blitzscaling is appropriate in some situations, publicly traded companies are expected to deliver much more than good marketing efforts. So when cybersecurity leaders like FireEye and Imperva miss quarterly earnings, they reinforce the perception that investors should be cautious about the entire sector. But those who apply a broad brush to security are missing the critical distinction between pure-play companies that provide point solutions targeted at specific problems and platform companies built to evolve in response to changing security needs.
Most security companies start out as point-solution providers, but first mover advantage in security lasts a few years at best and many startups fail to evolve. A decade ago, junk email was a huge problem that spawned scores of anti-spam software vendors. Before long, the best anti-spam startups were acquired and their technologies wound up as security features for the likes of Cisco Systems, Symantec and Google.
We’ve seen this process play out in subsequent consolidation waves: security information and event management software in 2010 and 2011; mobile device management in 2013 and 2014; and CASB in the past two years [see Figure 5].
A strategic exit is perfectly acceptable as long as the price is right, but the painful reality is that most startups fail to get acquired. The alternative is a security startup designed to last – as a private or public company.
Of course, there are no crystal balls to tell us which startups will succeed over the long term, but I think there are three key characteristics that will indicate whether a security vendor has the DNA to evolve and overachieve in this rapidly shifting market.
Relevancy: The security market is changing rapidly, with new threats emerging faster than startups can go from zero to exit. Many desktop security companies failed as laptops, smartphones and tablets went mainstream. The most successful security entrepreneurs have a long-term plan to holistically address big-picture security problems in large markets, like mobility, identity or IoT. At the same time, they have a clear near-term blueprint for achieving that vision, fully recognizing that they will have to course correct along the way as technology evolves and improves. The key is building a platform that is flexible enough to stay relevant.
Differentiation: The security market is strewn with “me-too” vendors. The winners often adopt entirely new strategies. That is, they approach a problem from an entirely different angle and tackle it with out-of-the-box thinking. Not all out-of-the-box ideas work, but they are often the source of innovative security software that moves the needle. For example, we have come a long way from standard signature-based security. As new enabling technologies in hardware, database and machine learning emerged, companies like Cylance are leveraging artificial intelligence to tackle important problems.
Stickiness: No one got fired for spending more on cybersecurity, but not all of that spend is mission critical. Security vendors addressing a regulatory requirement and ones that provide leverage to the security administrators via automation (given the scarcity of talent) score high. Going one step further, some security vendors like Alert Logic (managed services), and CyberArk (identity management) have also embedded themselves in the day-day workflow of end users within the organization, giving them incremental staying power.
The last several years have been like a golden age in the cybersecurity sector. Demand has soared and VC investment has skyrocketed, but cybersecurity is still new to public markets. Investors are understandably confused by point-solutions providers that lack long-term potential and visionary platform players agile enough to evolve with the times. High quality names are out there and more often than not, three key characteristics will indicate whether they have what it takes to stand the test of time.
Kapil Venkatachalam is a general partner at Technology Crossover Ventures and his areas of focus include vertical market software and services, business analytics and security.
Photo of a padlock seen at the 2016 Black Hat cybersecurity conference in Las Vegas, Nevada, Aug. 3, 2016, courtesy of Reuters/David Becker