Lay Your Chips Down: An Infosec Venture Capital Roundup

Active investors are now giving more than just their money to help grow companies, says Lookout's Mahaffey
Active investors are now giving more than just their money to help grow companies, says Lookout's Mahaffey

Even just a few short years ago, infosecurity firms were far from the top of most venture capitalists’ investment list. Security vendors, the argument went, were too slow-burning to interest the VC community. Investors wanted growth companies, and companies offering rapid growth at that. Social media, collaboration and file sharing, Big Data and mobility technologies all piqued the investors’ interests.

Security, though, was less attractive, not least because security firms often have a business model that prioritizes steady revenue growth, over a rapid expansion in the company’s valuation, and the quick exit often demanded by VC firms.

Furthermore, security firms might also be looking for – in VC terms, at least – relatively small sums that are below their typical deal size. In 2011, for example, Veracode’s founder and CTO, Chris Wysopal, told an event audience that firms looking for funding of up to $50 million – a significant sum for an information security start-up – was too small to interest many investors.

Move forward to 2013, however, and the picture seems to have improved. Perhaps some of the opportunity, and interest, in areas such as social networking has declined.

Meanwhile, information security has proved to be one of the most resilient areas of both public sector and corporate IT spending; Gartner says the sector is growing at a very reasonable compound annual rate of 9%.

Infosecurity firms have also gained a higher profile, as a result of hacktivism, cyber-espionage, and the continuing challenges posed by cybercrime. With cybersecurity in the minds of the public, governments, and senior company managers, it is also going to register with investors.

Let’s Make a Deal

The fact that a number of security companies, such as Imperva and Qualys, have managed successful IPOs despite the difficult economy has also helped the sector’s investment prospects.

At the same time, the regular cash flow produced by revenues from subscriptions and updates are attracting investors who are looking for an income from their holdings, not just capital growth. This has led to an uptick of interest in security firms among venture capitalists, as well as a number of deals at the higher end of the market, which has seen some security companies taken private.

Websense, for example, recently signed a deal with Vista Equity that values the company at just over US$900 million. Kaspersky, the anti-virus vendor, sold a stake valued at between $150 and $225 million to US investor General Atlantic in 2011. Blue Coat Systems is owned by investor Thoma Bravo, which also owns security vendors including Entrust and LANDesk.

These deals – Thoma Bravo’s purchase of Blue Coat was valued at $1.3 billion, in 2011 – are very much at the upper end of the scale. Most of the current flow of deals in infosecurity may be at the lower end of the investment range for technology firms, but transaction sizes are increasing. FireEye’s $50 million fund raising, and the recent CipherCloud and Veracode deals – both worth $30 million – are among the larger of the more mainstream agreements. (Note: Since this article was written, FireEye has gone public and is now traded on NASDAQ.)

“We’ve invested in companies that have had success but where we’ve seen the opportunity to grow them further. We’ve started to do larger investments, such as our $50 million holding in Tenable,” says Jon Locke, a vice president at Accel Partners, a VC firm.

This also reflects growing confidence among investors, as well as a shift toward investing in security, to benefit from both its revenue streams, and its growing importance to businesses and consumers alike.

The Next ‘Big Thing’

“The investment community is more active than it has been in the past few years”, observes Ruggero Contu, research director and security market analyst at Gartner. But, he adds, there is a mixed picture within the information security sector.

In the endpoint security space, for example, we are talking about revenue from licenses that need to be renewed every year. You are assured of revenue streams, but that is also a commoditizing market”, he says. “The opportunity may not be as large there as it was.”

Instead, investors are looking at mobile security, cloud security, and security for virtualization, as well as companies that offer technology to address advanced persistent threats (APTs).

“Another area is around security intelligence, helping companies to do a better job of dealing with new threats, and leveraging Big Data”, he continues. “The other big area is context-aware security tools that provide security controls with some level of automation.”

Watching the latest stream of investments can also give an idea of where the information security business is heading, although even venture capitalists themselves warn that it is not always a perfect indicator.

“When it comes to trends, we tend to listen to what the market is saying”, comments Mike Volpi, partner at Index Ventures and a board member of mobile security vendor, and investee company, Lookout.

“The issues around security for mobile devices is very much top of mind. BYOD poses a challenge for organizations. The mobile device might not have much information inside, but they are gateways to corporate information. So these devices are potentially very threatening,” he says.

“There’s also a porous boundary between personal and professional use and that poses some interesting challenges for security officers”, Volpi remarks. This makes the mobile, device management and related security sectors – such as encryption and data loss prevention – attractive to investors.

Avoiding a Red Herring

Venture capitalists are not looking just for the next great technology – they are also looking for sound companies that have the potential to grow. This suggests there are risks in reading too much into the outlook for information security from examining deal flows alone.

“VC investment can be something of a red herring because VCs are becoming more conservative”, cautions Steve Durbin, global vice president of the Information Security Forum (ISF). “But if big VCs put money into something”, he suggests, “you can be more certain that it’s a worthwhile technology”. Venture capitalists, though, also need to know there is an exit strategy, whether that is an IPO or, as Durbin believes is more likely in the current market, a trade sale.

“Generally VCs are looking for one of two types of companies”, says Pravin Kothari, founder and CEO of CipherCloud, which raised $30 million in series A funding in December 2012 from investors Andreessen Horowitz.

"We've invested in companies that have had success but where we've seen the opportunity to grow them further"
Jon Locke, Accel Partners

“They are either looking for a company focused on a single point solution, which might then go on to be acquired, or companies offering a platform, which are more likely to remain independent”, he explains. “Both are good investments, but one is short term, and one is a longer-term play.” In the case of companies that seek to develop into a platform in their own right, this might need several rounds of venture funding, as well as investment in both the product, and the business behind it.

This suggests that to attract venture capital, security vendors must offer more than smart technology. Either they need a product or service that is in a new category, where there is plenty of untapped demand, or one that offers new features, and will benefit from additional marketing funding and expertise.

Conversely, the company could be looking to expand geographically, outside the country where it was founded. This is a path taken both by Israeli security companies looking to break into the US market, and by US firms looking to establish a foothold in Europe.

VC or other early-stage investor decisions to back a company might also have more to do with the quality of its management team than with the potential of its technology to disrupt the security market. Some businesses do, of course, raise investment for product development and R&D. But from an investor’s point of view, a company will not pay a return if it fails to deliver its product to market.

“VCs want a return, and are not patient”, Durbin cautions. “They are starting to come to things later, letting the angels do the dirty work. They can’t guarantee a return, but they want a slightly better chance, so they are plumping for more traditional areas such as firewalls or encryption that are dull from a security point of view, but which are safe.”

‘Active’ Investment

Venture capitalists, then, are looking for strong management teams, or management teams they can add skills to, and ready markets not currently served by the investee firm. To an extent, this is where the interests of the investor and the CISO are aligned: like investors, buyers of technology want to know that their suppliers will last the course.

Although investors might be more conservative in their choice of who to back, they are taking a more active role in supporting the firms they invest in. “There’s a model emerging where investors are rolling up their sleeves and helping”, observes Kevin Mahaffey, founder and CTO at Lookout. “They’re actively helping with structuring partnerships, with PR, with contract negotiations. It’s not just the money. It is even not just smart money, but directly engaged smart money.”

This access to expertise, networks and people is increasingly important, agrees Jack Huffard, president at Tenable. Even for a more mature company, access to a VC’s network, in this case Accel’s, has helped the firm expand geographically.

“When we launched in APAC we had calls with people on the ground giving us great advice and introductions we would have never had otherwise”, he admits. “Our time-to-market was a lot faster than we could have achieved on our own.”

Prospects for the information security sector, over the medium to long term, look good as companies and governments make more use of the internet to deliver their services – and the necessary protection to go with it.

“Security won’t go away any time soon”, Durbin predicts. “We are seeing money being made available by companies to buy products and services to secure the enterprise.” And that, he concludes, is an indicator that the sector will be attractive to investors for some time to come.

What’s Hot on Infosecurity Magazine?