Although security breaches make the headlines regularly and Washington has plans to upgrade the security of the United States’ national infrastructure, up-and-coming IT security companies are having difficulty securing investment funds.
The U.S. Defense Department plans to spend US$500 million on researching new cybersecurity technologies, and the U.S. Department of Homeland Security is putting up $40 million to encourage research and development in the field.
However, when it comes to funding small IT security companies, VCs are apparently reluctant to fork out cash.
“It seems there’s been a general shift among venture capitalists away from security,” Jim Pflaging, director and managing principal at SINET, stated at a private lunch at the 2011 IT Security Entrepreneurs’ Forum (ITSEF), held in Palo Alto recently.
Small Returns Hamper IT Security Investors
The problem is that large returns are not common in the security business.
“In any space there are some large outcomes, and that’s true for security as well, but you’re not going to see tons and tons of them,” Asheem Chandna, a partner at Greylock Partners, stated at the ITSEF lunch.
The vast majority of the 950 companies in the security industry in the United States are capitalized under US$5 million, and there are probably “fewer than 5 or 10 percent of them that are above $50 million,” said Maria Kussmaul, a founding partner at America’s Growth Capital. That $5 million capitalization “is the appropriate bite size for investment,” she added.
Venture capitalists are putting their money in other areas such as social networking, mobile and green technology because they can get a higher possible rate of return, SINET’s Pflaging told TechNewsWorld.
Also, venture capitalists think the IT security market has been overinvested. As proof, they point to fewer homeruns and the fact that many IT security firms plateau at $20 million to $30 million, Pflaging added.
“IT security issues are hard to solve,” Robert R. Ackerman, managing director and founder of Allegis Capital, told TechNewsWorld. “The issues of market timing and technical complexity have combined to serve as barriers to a massive influx of capital in IT security,” he said.
Cannibalizing the IT Security Sector
Mergers and acquisitions in the IT security space are outpacing initial public offerings (IPOs) by small, new IT security firms, Kussmaul said.
“In the last couple of years, we only had one security company that went public — Arcsight,” Kussmaul added. “We’re losing security companies faster than we’re repopulating them, which means we’re having the most centralized consolidation around the companies that remain active,” she added.
M&A activity is strong in the IT security business. The larger IT security companies are snapping up the smaller ones, and outside players are also getting into the act.
“Platform companies, storage companies, other security companies — they’re all getting involved [in buying up IT security companies],” Kussmaul said.
“To me, the bigger issue, which hasn’t been well-discussed, is the trend towards more security M&A from the system integrator community, especially those SI companies with a government focus,” SINET’s Pflaging stated. Large IT manufacturers such as HP, IBM, Cisco and Dell will battle their former government channel partners such as SAIC and Raytheon to provide IT security to the government sector, he said.
Possible Areas for Future Investment
Things may be changing for the better.
“As someone who sits as a trusted advisor to many in the security space, I can say that the M&A activity in 2010 and a greater awareness of the importance of cybersecurity at the national level has created more interest in finding the next generation of breakout security companies,” Pflaging remarked.
Investment in security technology is beginning to grow because of a combination of major platform shifts, the increasingly sophisticated threat landscape, and increased regulatory compliance being demanded by governments, J. Alberto Yepez, managing director at Trident Capital, told TechNewsWorld.
“VCs are beginning to move aggressively to invest in the sector given the high-profile cases of intellectual property theft such as the RSA hack and Aurora, cyber attacks such as Stuxnet, identity theft such as those that hit Heartland Payments and TJ Maxx, and cyberwarfare such as the Georgia conflict,” Yepez stated.
There are four major platform shifts all occurring concurrently now, Yepez postulated. These are virtualization, the cloud, mobility and the consumerization of the enterprise, both through consumers bringing their own devices to work and the intrusion of social networks into the corporation.
VCs should look at the white spaces — where nobody’s offering adequate security yet — as opportunities to invest profitably in IT security, Allegis Capital’s Ackerman suggested.
“Cloud computing is certainly an area of significant interest,” Ackerman said.
Another area is networking. “The larger networks become, the greater the vulnerability of these networks and devices connecting thereto,” Ackerman pointed out. We are going from about 2.5 billion devices connected to the Internet today to about 50 billion by 2020, and this “translates directly in vulnerabilities and IT security-related risks,” he explained.