The cluster of security acquisitions (Twistlock, Verodin, Recorded Future) announced this week prompted a lively conversation at NGP Capital today about where we are in the security investing cycle. Is this a rush for the exits by venture funds wishing to take chips off the table before a downturn? Are scale players like Palo Alto Networks consolidating so quickly that there is little sustainable advantage for technology specialist startups — again pointing to a downturn? As active investors in many leading security companies, the answers have a meaningful impact on our practice.
Security companies have certainly been on a fundraising tear in the past few years driven by multiple new areas of growth. Growth of the cloud and proliferation of mobile devices in the enterprise have meant that perimeter defense is woefully inadequate. Applications can now reside within and outside enterprise walls. Data likewise may be outside the enterprise and users are accessing both from not just work and home, but from coffee shops, hotels and airport lounges around the world. Even as we enjoy the convenience and business velocity enabled by these rapid shifts, trillions of dollars of intellectual property is now susceptible to cyber mischief.
Security startups have rushed in to address these new problems from different angles — cloud security, threat response, better authentication, new trust models, data encryption etc. — but our collective work has just begun. We are still at the starting gates of our new “beyond the perimeter” security architecture and while even the first steps have proven lucrative for entrepreneurs, we predict that there is much more to come. Often, entrepreneurs who have set aside nice nest eggs are starting back up to solve bigger problems they observed building their first companies. Over the past five years, near $20B has gone into security ventures, and most of this investment is still private. VCs are not rushing for the exits, but betting that we will see bigger returns in coming years.
The second question, whether this is a consolidating market, is worth considering. As a firm, we lived through adtech consolidation, which was lucrative for some initial players, but left a number of promising companies lagging as Google and Facebook dominated the market with in-house technology. Adtech technology specialists lost out vs. the scale, distribution and data advantages of these larger companies.
Could this happen in security as well? After all, a lot of security companies are acquired for $100M — $500M for their technology and initial product market fit. Wouldn’t a larger, technology forward company like Palo Alto Networks squeeze out smaller players? Recent data suggests not. Twenty security companies were acquired between January 2018 and now. Unlike in adtech, there were 16 diverse acquirers.
Multiple companies within a category are finding attractive exits as the numerous players fill out their product line-ups. For example, in the security operations space, Phantom Cyber and Demisto had strong exits. In the Cloud access Security broker space (CASB), Skyhigh and Elastica have had attractive exits, and yet Netskope continues to scale as a private company. And among acquirers, we see not just security incumbents, but also cloud vendors, infrastructure players, service providers, and others. Most importantly, enterprise customers are strongly prioritizing “best in class” technology from small players vs. “good enough” from larger ones given the fast-moving threat landscape, so distribution and scale are not sufficient to trump technology chops.
To answer the fundamental question, is cybersecurity investing still attractive? Our view is an enthusiastic yes. With a large market disruption, wide availability of capital, the presence of experienced entrepreneurs, and a quickly evolving industry structure, cybersecurity remains a dynamic place to invest. We remain bullish on this sector.