Cybersecurity Products + Services
Mahendra Ramsinghani wrote an enjoyable piece recently on the cybersecurity startup environment. It was called Cockroaches Versus Unicorns. It's kind of a cybersecurity-specific drill-down on a less recent, similarly titled piece by Caterina Fake, The Age of the Cockroach. In it, Ramsinghani makes a few recommendations to founders based on observations of certain characteristics of cybersecurity startups that are atypical of many venture-backed companies. One recommendation in particular caught my eye because it’s something I’ve been pondering myself lately. Here it is…
“Startups should bake in a managed services strategy in their offerings (as much as VCs hate it, customers want services). A tie-up with MSSPs could prove to be a valuable path to an exit.”
He doesn’t elaborate any further, unfortunately. What are some of the reasons a startup might want to bake in a managed services strategy in their offering? Ramsinghani gives us one… as a path to exit. Other reasons might include: as a way to grow revenue early in the life of the company in concert with product development; as a way to up-sell and cross-sell existing customers; as a way to reach new customers that want services; or as a way to better serve customers with a more complete security solution. These aren’t mutually exclusive.
Many investors that like cybersecurity know this already even if they haven’t articulated it out loud. But I suspect many venture investors, angel investors, and founders overlook this phenomenon because venture capital blogs and conventional wisdom eschew services business models (if they don’t dismiss them a priori) because humans don’t scale as well as software, and certainly not as quickly. Perhaps cybersecurity is a reminder of what’s important in venture capital — growth and demand. How it’s achieved depends a lot on the type of business and industry — consumer, enterprise, cybersecurity, etc. They each have their own best practices. A high-priced, semi-scalable service can grow revenue as well as a low-priced, fully automated product. And a service in high demand enjoys acquisition multiples similar to software products as long as they’re both expected to grow.
In cybersecurity a fair number of companies offer not only software products, but security services too. This may come in the form of incident response services to clean up the aftermath of a breach, or investigate an indicator of compromise (IOC); human analysts that manually contribute to or refine a threat intelligence feed; a partnership with an MSP; or an on-site engineer.
To be clear, I’m not talking about pure security services and consulting shops. I’m talking about companies offering product and services, where a significant percentage of total revenue or value delivered by the vendor comes from non-automated human tasks of a security nature… that percentage may range from 10% to 90%. Maybe it’s easier to think of these companies as product-enabled services or service-accompanied products… or whatever.
This is not the same as more traditional enterprise software models that also include a service component. In that case, take Oracle, for example, where product revenue from LTM March 2015 was $31.8B. That product revenue was comprised of licensing fees, implementation and customization fees, and annual maintenance fees, where the latter two could be labeled services. And those services represented 85% of the product revenue. The difference being that these services entailed essentially customer support of the product — installing, customizing, and updating the database software itself versus sending consultants in to work with and analyze the actual business data, or manage the customer’s database needs.
This is also different from SaaS-related services revenue. Take Salesforce, for example. Their product revenue is comprised of subscription fees and related professional services. The professional services include process mapping, project management, implementation services, and training — stuff so the customer can use the product properly. At Salesforce the professional services make up 6% to 7% of product revenue… not that significant. Many SaaS companies also have a “Customer Success” team to help customers derive value from the product post-purchase and to minimize churn. HubSpot, for another example, also reports a professional services component of revenue, which hovers around 10%, but again this mostly refers to training and customer success-related setup.
To get a better idea of the types of cyber companies and services I’m thinking of, consider the following few, in no particular order, and with the common denominator being they are venture-backed companies selling related products and services.
- Mandiant: with only ~10% of revenue booked to product and the other 90% booked to services it’s hard to call them a software product company. But with a $1B acquisition by FireEye in 2013 on a 10X revenue multiple, they were definitely venture investible (by Kleiner Perkins).
- iSIGHT Partners: also recently acquired by FireEye for $200M on an approximately 4X revenue multiple. iSIGHT buttressed their subscription threat intel service with a network of 250 human cyber intelligence gatherers across 17 countries.
- Distil Networks: makes a software product that lets websites block malicious bots and prevent web scraping. Funded by Bessemer, Foundry Group, and MACH37’s (I used to work at MACH37) own sister fund, the CIT GAP Fund, Distil has seen very healthy customer and revenue growth year over year. Just last month they acquired competitor ScrapeSentry, which is the human services version of Distil. Why? In Distil CEO Rami Essaid’s own words: a) larger customers wanted more than simply automated blocking and identifying of bots… they wanted a deeper dive with a human expert; b) enterprise customers want an analyst that adds a human element to what we do; and c) larger customers will pay a hefty price for that level of service.
- CrowdStrike: one of only 10 companies accredited by NSA for Cyber Incident Response Assistance (CIRA) (along with Mandiant/FireEye, Morphick, Dell, RSA, and Booz Allen to name a few). Over $100M raised from Accel, Warburg Pincus, Google Capital, and Rackspace.
- Morphick: also CIRA-accredited, and maintains a 24/7 manned threat intelligence center.
And below is a hastily collected (and by no means exhaustive) list of more cyber companies that may or may not fit the product + services mold to varying degrees.