Smart investors seem to have fallen in love with cyber security lately.
Just a few years ago, most investors believed that the cyber-sector did not justify significant venture capital attention or investments. There were several reasons for this:
- Headline-grabbing, landmark cyber-attacks only started to receive attention some two to three years ago.
- The IT and OT (operations technology) environments had yet to undergo fundamental transformations in fields such as cloud, industrial Internet, and mobile computing. As such, cyber security was believed to be safe in the hands of predominately legacy solutions such as firewalls and anti-virus software. For over a decade, many considered cyber security a space requiring a relatively low level of innovation.
- Cyber security startups suffered from a glass ceiling in terms of valuations, with many stuck at the $50 million level, limiting the upside potential.
- Regulation has lagged behind threat-levels, allowing executives to shirk responsibility and companies to defer needed security measures and related spending.
But all that has changed. The increasing ferocity and scope of cyber-attacks worldwide, growing awareness of the problem, and the steady blurring of the lines between cyber security and our personal, financial, and national security has led to a significant global upswing in investment over the past two years. This is particularly true in my country, Israel, a “Startup Nation” renowned for its cyber-prowess.
As a partner at Jerusalem Venture Partners (JVP), which operates JVP Cyber Labs — an early stage investment vehicle dedicated to cyber security startups — I have witnessed this trend up close and personal.
In 2012 alone, over 200 cyber security startups worldwide attracted more than $1.4 billion, up from approximately $1 billion in 2011 and some $500 million in 2010. Last year, 2013, seems to have generated even higher figures.
Interestingly, seed stage cyber companies, considered the riskiest, enjoyed more than 30 percent of these investments.
In Israel, we’ve seen the number of new cyber security startups rise from around 30 new companies a year to more than 100.
There are good reasons for this blossoming love affair. Cyberspace is becoming dramatically more dangerous as trends in information and operational technology continue to develop at a dizzying clip. Technology such as cloud, mobile, the Internet of things, M2M, the big data explosion, and the industrial Internet are changing the connected world as we know it and bringing with them new, previously unimagined threats.
And the more connected we grow, the more vulnerable our “house of cards” becomes. Combine this with the growing sophistication, effort levels, and budgets of cyber-criminals, cyber-terrorists and rogue states, and the need for disruptive security technology is unmistakably urgent.
Regulation and compliance in the cyber security realm are also progressing at a much swifter pace in line with burgeoning threats and have driven increased spending. It’s estimated to be more than $60 billion annually. The U.S. government alone spends more than $12 billion on cyber security per year.
And startups, once undervalued, now seem to be enjoying much more attractive valuations — some might even say over-hyped valuations — from seed funding to initial public offerings to mergers and acquisitions. While just a few years ago most transactions had two to three times revenue multiples, we’ve recently seen IPOs such as FireEye generate enterprise-value-to-revenue multiples of over 33X, even though the company continues to operate at a 90 percent loss.
Nevertheless, despite the rekindled love affair, familiar challenges still face cyber security startups on their fledgling path towards becoming significant companies — and some new ones as well.
- Increased complexity — As IT and OT environments get more and more complicated, more complex solutions are required to protect such environments and provide holistic solutions to growing threats. This, in turn, requires significant research and development spending, creating less capital-efficient companies and longer risk periods for investors.
- Feature or company? — Many security startups falter on the path to creating solutions which will justify significant spending by customers. While this may not deter micro-VCs and certain strategic investors who may be looking to acquire companies early on, this is posing a major challenge for larger VCs interested in more serious exits.
- Products versus services — Cyber security spending is still very much driven by budgets allocated to services, rather than products. But venture capitalists and strategic investors typically shy away from putting money into service companies, especially those based on time and material models. Nevertheless, this may actually turn into a big opportunity for startups which are able to automate segments that have traditionally been dominated by service companies including penetration testing, certification, and forensics.
- B2G challenges — The public sector is driving a significant portion of spending in the cyber-arena, but startups typically find it hard to cope with the long sale-cycles and the layered, often bureaucratic tiers of integrators and value-added resellers which characterize governmental agencies.
- The hype-cycle effect — Valuations are at an all-time high in the cyber security sector. This may not last for long. The market enjoys an abundance of capital, which may or may not be directed at the leading technologies and companies. Certain investors are looking for quick wins investing in short-lived, feature-based companies, which may in-turn contribute to over-valued acquisitions and hyper-inflation of valuation for good companies.
- Lack of common criteria — Cyber-security is a domain of deep expertise. Both customers and investors face increasing challenges in differentiating between good and great companies and technologies in general.
So how will this growing love affair seek to overcome these challenges in 2014? A group of leading venture capitalists and top corporate strategic investors from around the world will be discussing both the challenges and opportunities at the upcoming CyberTech Israel 2014 Conference set for Jan. 27th -28th in Tel Aviv.
Yoav Tzruya is a partner at JVP, Israel’s leading venture capital firm. Yoav brings more than 20 years of executive-level experience in the IT industry, with extensive knowledge in cyber-security, digital media and enterprise software verticals.