Cyber security investments gain momentum with rising threats

Cyber security isn’t as sexy as social media among venture capitalists in Silicon Valley. But it’s a critical technology sector that has been gaining momentum with the economic recovery and the rising threats from cyber criminals.

That was the message for security entrepreneurs and investors from a group of venture capitalists and security experts at today’s Information Technology Security Forum at Stanford University. They said that cyber security’s hot segments include protecting mobile devices and cloud services from new kinds of ever-evolving threats. (Critical vulnerabilities were found in Adobe products just this week). And the emerging threats can only be dealt with by combining the forces of governments, law enforcement, big companies, start-ups and venture capitalists.

“This is one of the very hot areas of innovation where investors are actively deploying capital,” said Bob Ackerman (pictured top, right) managing director of Allegis Capital. “If you look at the $15 billion in exits, or more than 20 percent of the venture capital exits, in the last year, you can see that it’s also an area where the returns are good.”

The event drew around 300 people and it was the fifth annual gathering that brings together security technologists and entrepreneurs from Silicon Valley with policy makers from Washington D.C. The government and big corporations are often the main customers for innovative new technologies in the security sector and those customers want more technology faster, said Jim Pflaging, director and managing principal of the Security Innovation Network, which stages the forum. As with a year ago, the group’s purpose is to reduce the friction that startup companies face in dealing with government agencies.

Acquisitions are one sign that the ecosystem is healthy. Maria Lewis Kussmaul (pictured right), founding partner of investment bank America’s Growth Capital, said the number of acquisitions in the security tech market has been increasing since 2007, when there were 69 deals with a median value of $70 million. The companies sold for 5.5-times 12-month trailing revenues. The number of deals climbed to 120 in 2008, 154 in 2009, and 159 in 2010. Last year, the median value was $60 million and prices were 2.8-times revenues.

In the meantime, the number of IPOs declined from 4 in 2007 to none in 2010. In fact, many of the acquisitions were mega-deals where public companies were taken private. Intel, for instance, bought McAfee for $7.68 billion last year and HP bought ArcSight for $1.6 billion. Symantec bought security divisions of Verisign for $1.3 billion. Overall, IDC expects the security tech market to grow at a 14 percent compound annual growth rate to $82 billion in 2012. And Forrester says that security now accounts for 14 percent of the information technology spending, compared to 8.2 percent in 2007.

While the ecosystem is healthy and recovering from the recession, it’s not a get-rich quick sector. That’s OK with Alberto Yepez (pictured top left), managing director at Trident Capital. By comparison, he said that cleantech has suffered from the boom and bust cycle that came with fad investing in the past few years. The current boom in social networking investments has made it harder to hire people in Silicon Valley, since engineers think they can get richer in social than in security.

“You will always find sectors that are the latest shiny new object,” Ackerman said. “At some point, it stops being a good investment.”

Since security has fundamentally strong revenues behind it as a sector, it has more going for it than the sectors that the  boom-and-bust herd investors are going after. Still, security itself has some shiny sectors that are drawing more attention. The social networking craze has driven more interest in digital authentication and protecting a consumer’s identity, which are security technology problems at the core, said Asheem Chandna, partner at Greylock Partners.

The big trends also include the bigger burdens of complying with security and privacy laws. Companies also have to deal with advanced new threats such as the Stuxnet virus, which is believed to have taken out some of Iran’s nuclear equipment. Customers are buying security technologies to comply with laws and lower costs, or to deal with rapidly changing threats in real-time.

Because of the changing threats, the new security technologies have to offer real-time analytics, predictive capabilities, intelligence, and the ability to sift through masses of data. Big corporations from Boeing to Verizon are buying security companies so that they can integrate them into their everyday enterprise computing infrastructure.

Lewis Kussmaul said that the acquirers include defense contractors, storage companies, security firms, software makers and even chip/hardware companies such as Intel. Sarah Friar, managing director at Goldman Sachs, estimates that the top 10 tech companies alone have more than $250 billion in cash that they can use on acquisitions.

The recession knocked security tech valuations lower and the strategic investors stayed out of the market as they were laying off employees. But in the recovery, those strategic companies such as Cisco and Hewlett-Packard are back in the market. And the cybercriminals didn’t take any time off during the tough times. Government institutions are now attacked 6 million times a day. The Operation Aurora attack, which originated from China, broke into not only Google’s security infrastructure, but also the computers of more than 2,500 organizations and companies. The need for security technology is growing.

Cloud computing and mobile investments have taken off. Lookout Mobile Security raised $19.5 million in December to protect mobile phones from viruses, while Endgame Systems raised $29 million to secure the cloud against malware. If investments like those pay off, then the group of security-focused VCs will likely continue to investing in the security technology start-ups for a long time to come.