According to a PrivCo, a financial data provider on privately held companies, venture capital firms are poised to push $788 million into early stage cybersecurity startups this year. This investment amounts to a 74% increase from last year’s $452 million (note: see this article for more details).
If you follow cybersecurity trends, it’s easy to understand why VCs fat cats are throwing money around. For one thing, the threat landscape continues to become increasingly dangerous. In fact, ESG research indicates that 57% of security professionals working at enterprise organizations (i.e., more than 1,000 employees) believe that the threat landscape is significantly worse or somewhat worse than it was two years ago (Source: ESG Research Report, Advanced Malware Detection and Protection Trends, September 2013). So large organizations clearly need help and there are rich rewards waiting for cybersecurity vendors that can come to their aid – after announcing better than expected financial results, Check Point and Fortinet shares are trading at or near a 52-week high.
There’s a lot of money just waiting for the right play, but just where should VCs actually invest? Yes, some will fund startups claiming to be the next FireEye, Palo Alto Networks, or Splunk, but lightening doesn’t often strike twice in the same place. If I worked on Sand Hill Rd., I’d look for cybersecurity investments in the following areas:
1. Managed security services. Information security is getting more difficult as large organizations embrace new IT initiatives like cloud and mobile computing. At the same time, there is an acute shortage of cybersecurity talent available and things will get worse before they get better. CISOs simply can’t keep up anymore and are throwing in the cybersecurity towel. As a result, ESG sees $2 going toward security services for every $1 dollar of product. I know that VCs tend to eschew services investment but the current economic and threat environment makes this a no brainer. Rather than look for the next SecureWorks (now part of Dell) however, I would seek out a vertical play. For example, an advanced anti-fraud managed service would be a great offering for thousands of mid-market financial services and/or eCommerce firms that don’t have the skills or budgets for tools like Nice Actimize, RSA/SilverTail, or Palantir.
2. Cybersecurity middleware. An average enterprise uses somewhere between 70 and 100 disparate security technologies that operate in silos with little to no cross-technology interoperation. CISOs recognize that this type of cybersecurity technology infrastructure is no longer effective – ESG research reveals that 41% of enterprises are already designing and building a more integrated enterprise security architecture (Source: ESG Research Report, Advanced Malware Detection and Protection Trends, September 2013). This leaves enterprises with a choice: Buy all the piece parts from a single vendor like Cisco, McAfee, IBM, or Symantec, or continue to buy best-of-breed security tools and spend tons of dough on custom integration. There’s a third option here that represents a tremendous VC opportunity: cybersecurity middleware. In other words, imagine a Tibco-like company focused on cybersecurity integration for message queueing, publish-and-subscribe, etc. If I were 10 years younger, I might give this one a go myself.
3. IoT security. This one is risky as investment here may be ahead of the curve, but there will be some unique IoT security challenges creating opportunities for pure-play IoT security software and services. A startup with leading products and knowledge in this area could wind up as the Nicira of IoT security – acquired by Google, HP, or Lockheed-Martin for 10x revenue by the end of 2016.
4. Vertical security products and services. The Verizon Data Breach Investigation Report indicates that different industries face their own dynamic cocktail of targeted threats. Additionally, different industries have different business processes, regulations, and technologies. These disparities will become much more pronounced as industries adopt IoT for their own unique business cases. In spite of industry diversity however, most cybersecurity vendors approach the market with horizontal technologies and services and then tweak them here and there for specific customer and industry use cases. VCs should buck this trend by rolling the dice on industry-specific cybersecurity software and services. Furthermore, smart VCs will look beyond the obvious financial services market play and invest in cybersecurity solutions for industries like health care, manufacturing, and retail, screaming for help.
5. Data security and privacy. This domain has been fairly dormant since the big DLP payouts a few years ago but it’s ripe for an investment renaissance. Enterprises need some type of data-centric identity and access management (IAM) software that tags and tracks sensitive data throughout its lifecycle. Furthermore, data security tools must span across the cloud and enterprise IT, and support third-party data sharing without the need for device- and/or application-specific agents. Ionic Security and Varonis are moving down this path but there is plenty of room in the market for others. I truly believe that the data security opportunity will only increase driven by an avalanche of IoT data and more stringent privacy regulations.
VCs have a golden opportunity for one important reason: Our current cybersecurity technology defenses aren’t working. Status quo VCs will invest in the next-generation of tactical point tools and may come up with one or two “ten bangers” amongst a portfolio of dogs. Those that think about cybersecurity in relation to economics, technology innovation, global events, and enterprise strategy will be far more successful.