Driven by a seemingly unending parade of breaches, investors looking for the next big score—the rare “unicorn” company that becomes valued at $1 billion or more—are pouring money into security startups and early-stage ventures.
So far in 2015, cyber-security firms received more than $1.2 billion in nearly 100 funding deals in the first two quarters, putting the year on track to match last year’s record pace, according to investment tracking firm CB Insights. Over the past eight quarters, investors put more the $4.6 billion into cyber-security firms, the firm stated.
In the latest such deal security-in-the-cloud company Zscaler announced it closed a $100 million round of funding from a group of investors, adding to the $38 million it had previously received. Dan Druker, chief marketing officer for the company, hesitated at divulging the on-paper valuation of the company, except to say that it had reached an estimated value of more than $1 billion.
Because Zscaler did not take early funding—the company was self funded by founder and CEO Jay Chaudhry—the company had few problems reaching its lofty valuation, Druker told eWEEK. “Because of the funding model, we are not just a unicorn, but more like a unicorn sliding down a rainbow,” he said.
It’s a claim that every startup would like to make. And because of the heated activity in cyber-security, Zscaler is unlikely to be the last security firm to claim the status.
Yet, there also is a danger that the market is becoming overheated. Too much investor interest and a restricted supply of skilled cyber-security entrepreneurs mean that investors have to pay a premium to get in on the action. In short, investors may be paying not for unicorns, but some entirely mythical beast.
As a result, venture firms need to question the value of security startups, Robert R. Ackerman, Jr., managing director and founder of Allegis Capital, told eWEEK.
“I think the cautionary note is that this stuff is complex, and there is a risk of things getting funded that perhaps are not as well thought through and perhaps not as differentiated as they should be,” he said. “‘The old fools rush in.’ I think we are seeing some of that in cyber.”
Despite the caution, this year will likely match the investment activity of 2014. While the number of cyber-security companies that are acquired or go public has fallen from the 2012 high, at least seven currently claim unicorn status.
CB Insights lists Tanium, Good Technology, CloudFlare, Lookout, Illumio, AVAST Software and Zscaler as the current crop of companies with valuations of $1 billion or more. In July, cloud-based security provider CrowdStrike also announced it had received $100 million in its third round of funding.
investors Search for IPO ‘Unicorns’ Among Cyber-Security Startups
The funding frenzy is driven by the constant litany of network breaches hitting the headlines. More than that, the consequences to businesses and their executives’ reputations have corporate boards willing to spend on security. Target, Sony and the U.S. Office of Personnel Management all dismissed their top manager following significant hacks.
Online adultery site Ashley Madison will likely have to scuttle plans for an initial public offering after hackers appeared to have stolen data on its 37 million users.
With such dire consequences from undetected breaches, companies are understandably willing to pay for better security.
“If you look at the threat landscape, it is as broad and deep as you can get,” Ackerman said. “You have vulnerabilities absolutely everywhere. People are very very concerned, and their concern is driven by wondering where the adversaries are going to hit next.”
The constant reminders that businesses can be impacted by breaches has loosened purse strings and driven business to security firms. With CEOs worried about their jobs, and boards worried about potential negative impacts to their stock price, cyber-security firms no longer have to convince businesses that information security is necessary, Zscaler’s Druker said.
“No one wants to be the next Sony, and that makes this a board-level discussion, not an IT-department discussion,” he said. “That is why it is valuations are so high.”
In addition, a number of other factors have restricted supply of cyber-security companies, leaving investors to aggressively fight over fewer companies. The shortage of skilled and experienced cyber-security entrepreneurs—an offshoot of the lack of supply of cyber-security professionals in general—means that fewer companies are available to be funded.
“We know for a fact, there are truly a small number of people that understand cyber-security,” Jeff Hudson, CEO of key-management firm Venafi, told eWEEK. “Think of people that can start companies and have the domain expertise and the track record to do it—there are not that many.” Venafi raised $39 million in June.
The cyber-security industry’s failure to stop breaches, however, is wearing on the confidence of potential customers. Information security managers and chief security officers also only have so much time to evaluate new products and have to carefully choose what they are actually going to deploy on their network.
While investors continue to be enamored of the cyber-security industry’s luster, the time of bargains is long past and potential pitfalls are more likely, Allegis’ Ackerman said.
“I think there are things that are getting funded that should not get funded, because people do not understand how complicated this is,” he said. “When you get to cyber-security, it is still the domain of deep science and deep engineering, and many people do not understand that.”