Security

Cybersecurity is hot, but a bubble it’s not

stealing computer password

Above: Sorry, we know this is a cheesy image.

We’re only a few weeks into 2014 and already there is a great deal of talk about a tech bubble and the odds of it imploding this year.

A recent New York Times article observed that there are now more startups with billion-dollar valuations than at any other time in history. In the three years from 2011 through 2013, there were at least 34 venture-backed startups valued at $1 billion or above, according to Dow Jones VentureSource, compared with just 16 during the helium-filled dot-com era of 1998 to 2000.

The froth is all-encompassing. It’s not only the social media sector that’s scoring monster valuations from investors, but cloud computing, big data, and hardware as well. Even security startups, traditionally underfunded by the venture community, have joined the party.

Over the past year, venture capital firms invested a record-high $1.4 billion in 239 cybersecurity companies, from mobile-app security platforms to online-authentication infrastructures, according to research firm CB Insights. Nearly 80 cybersecurity startups have exited, either through acquisition or IPO, with an average tenfold return on investment.

Notable deals include FireEye’s massive IPO in September (currently sporting a $7 billion market cap) and subsequent $1 billion acquisition of endpoint security provider Mandiant; Cisco’s $2.7 billion purchase of network security firm Sourcefire; and IBM’s acquisition of cybercrime prevention firm Trusteer for $1 billion.

Despite these lofty numbers, I would argue there is less risk of a bubble in the cybersecurity space. For example, the $7 billion valuation of red-hot cybersecurity company FireEye seems downright modest compared to the $33 billion market cap of Twitter. While both are yet to achieve profitability, FireEye is addressing a market need that is exceptionally large, pervasive, and growing.

The amount of venture money flowing into the cybersecurity sector — and the valuations and sale prices being commanded by cybersecurity companies — are justified, especially given the urgent need for cybersecurity solutions in the marketplace. In fact, I anticipate even more activity around these deals in 2014, given our expanding security problem and growing awareness of it.

Look no further than last month’s massive data breach at Target, in which the credit and debit card information of up to 70 million customers was compromised. Or the alarming break-in at Snapchat, which revealed the names and phone numbers of 4.6 million users.

Cyberattacks are increasing in ferocity, and enterprise customers are waking up to the fact that cybersecurity investments are not discretionary. They’re realizing that the cost of getting it wrong is too high and, in response, cyber IT budgets are exploding, growing from $65 billion last year to an estimated $93 billion in 2016.

Cyber threats are not existential. They are all too real with significant risks and associated costs. Addressing these risks represents a high-value opportunity for entrepreneurs. Now is the time for forward-thinking entrepreneurs and investors to respond to both the threat and the associated opportunity, because they will only grow in the future.

As innovation in cloud computing, social media, and mobile technologies accelerates, the need for strong security solutions increases exponentially. If the high-tech industry was built on computing, communications, and storage — the three legs of the innovation stool — security is now the fourth leg. The interconnected nature of the global economy and the huge risks associated with the sharing of information in a mobile and social make security essential.

Some important new opportunities rising to the surface in 2014 include secure communications, especially in reaction to digital spying by both governments and corporations, information security in a BYOD environment, detecting and mediating zero-day threats inside network firewalls, engaging and defeating automated BotNet attacks (“Active Defense”), prediction and isolation of insider attacks (estimated to be the source of more than 2/3 of cyber breaches), and ensuring the security and integrity of “data in motion.”  Increasingly, we will see the need for disparate solutions to be integrated into command and control systems that can operate autonomously. Then we have the wild card implications of quantum computing as a total game changer in encryption and security.

Overall, I anticipate a lot of investors jumping on the cybersecurity bandwagon in 2014, and there is risk that valuations will continue to move up. But keep in mind that creating a security company is not the same as designing a new smartphone app. Building a serious security company requires serious money and expertise. And discerning what is a serious security company from what is not requires a great deal of technical expertise and market knowledge.

As an experienced investor in security startups, I know this stuff is just plain hard. I also know that the opportunities that lie ahead are bigger and better than ever before. Stay tuned.

Bob Ackerman Jr. is the founder and a managing director of Allegis Capital, an early stage Silicon Valley venture capital firm that invests heavily in cyber security.