Cybersecurity, in recent years among the strongest segments of the tech sector, now is feeling the effects of the downturn.
Over the last two years, investors have poured capital into private security companies. Twelve security companies have raised more than $100 million each from venture capitalists, according to Dow Jones VentureSource. It’s fitting that the industry’s largest annual conference, which started Monday in San Francisco, is held just two blocks from the former sand dunes where Gold Rush-era prospectors encamped in an area known as Happy Valley.
At the RSA Conference this year, the mood may not be quite as happy. Along with the broader tech market, the cybersecurity sector has cooled. One basket of cybersecurity stocks, an exchange-traded fund called HACK that trades like a stock, is down more than 30% since June 2015, compared to an 11% decline in the NASDAQ composite index during the same period. Private companies have put IPO plans on the back burner. Instead, many venture capitalists and investment bankers expect 2016 to be a year of mergers and acquisitions for some companies. For other companies it will be the death knell, say experts.
“Two months ago, I would have said we were 18 months away from going public but now, with the market the way it is, it’s more like 36 months,” said Matthew Prince, CEO of CloudFlare Inc., which raised $110 million in 2014. Still, Mr. Prince said that of all the money his company has raised, 80% is still in the bank and his company is profitable.
Last year, there were 133 security M&A deals, up from 105 in 2014, according to 451 Research’s February report on the tech outlook for 2016. Its recent survey of investment bankers showed that security is expected to have the most M&A activity this year, surpassing mobile technology for the first time in six years. International Business Machines Corp. said Monday it will acquire Resilient Systems, which sells an incident response platform. Other large tech companies such as Microsoft Corp. are adding security capabilities too.
Cloud security, identity management and security analytics are likely to be in demand as consolidation continues, according to 451 Research. Centrify, which helps companies manage security for employee logins internally and across a range of external cloud services, could be a target if it skips an IPO this year, according to the report.
“We’re confident that we’ll have options in respect to the future of the company – whether it be a possible IPO or being acquired by a strategic company,” said Centrify CEO Tom Kemp in an email.
Larger companies also may be interested in buying security analytics companies to fill holes in their security information and event management systems. Exabeam and Fortscale, among several potential targets cited, specialize in identifying authorized users based on their typical behavior as they use software and websites.
Exabeam did not respond to a request for comment.
“We didn’t build Fortscale to be acquired, but we certainly appreciate the increased attention, resources and brainpower that’s being brought to bear to a security space that we’ve always thought of as pivotal,” said Fortscale CEO Idan Tendler in an email.
The share price of some security companies has fallen sharply, which can make an IPO unattractive. Rapid7, for example, went public in July 2015, and its price has fallen nearly 50% to $13.73 per share as of February 26.
Rapid7 declined to comment.
“With the sheer number of new venture capitalists who have gotten into cybersecurity in the last couple years, I would predict that there’s going to be a few of those that do really great, really cool things and there’s going to be a large number of them that just fail,” said Jason Witty, chief information security officer at U.S. Bancorp. That’s because many startups are focusing on problems that are too niche.
Cybersecurity is a highly fragmented market and many of the products are niche products that don’t talk to one another, said Brenon Daly, research director of financials at 451 Research. His company currently tracks about 1200 security firms. “A CIO or a CISO is tasked with stitching together a number of different products and it’s inefficient,” he said. Larger enterprises typically want to buy platforms that can do more than one thing and work with other products, he added. A startup whose products don’t work with others is limiting its potential customer base and its potential for an IPO.
In 2015, worldwide spending on information security reached $75.4 billion, an increase of 4.7% over 2014, according to research firm Gartner Inc. The increased spending was driven by government programs, increased legislation and high-profile data breaches.
The market is expected to grow at a compound annual growth rate of 9.8% between 2015 and 2020, according to a report from Markets and Markets.
Last year, venture-backed cybersecurity companies raised $3.3 billion, up from $2 billion in 2014. A few of those companies scored outsized deals. In 2015, Palantir Technologies, which specializes in security analytics, raised $879.3 million. Tenable Network Security raised $250 million in November.
Palantir did not respond to a request for comment.
Tenable Network Security said it benefits from offering a comprehensive security platform rather than a single product. “CIOs don’t want to work with multiple vendors, they want their security teams to work with one platform,” Ron Gula, CEO of Tenable, said in an email.
A company that raises hundreds of millions of dollars is better positioned to ride out a weak market, said Mr. Daly at 451 Research. “You have a suitable cushion to weather this storm – it is a tough market,” he added.
Over the last two years, investors who did not understand cybersecurity have jumped into the market, said Bob Ackerman, founder and managing director of Allegis Capital. Investors tend to fall back to markets they’re most comfortable with during markets like this, and the ones who don’t understand cybersecurity will flee the market, he said.