First, let us define some terms. Credit to Amit for re-framing the question in his tweet to ask if we are in a “mini” bubble. This is the right question. History has seen some bubbles. A single tulip bulb sold for 10 times the salary of a skilled craftsman. Prime Tokyo real estate lost over 99% of its value between 1989 and 2004. By these measures the U.S. sub-prime mortgage boom looks tame, but let’s grant that as a bubble too.
Even in my modest investment career, I’ve seen some bubble activity. I had an opportunity to get into venture capital thanks to the “B2B E-Commerce” boom which was quickly proven a bubble. If memory serves, Internet Capital Group, the publicly traded B2B accelerator, traded at a market cap of $1 billion … per employee! I was also a VC when hundreds of billions of “value” vaporized when expected demand for optical networking gear failed to materialize. And I tried my hand at finding rational deals when investment activity in “Cleantech” was at its peak.
The enthusiasm for new cyber security ventures looks nothing like these examples, so let’s stipulate we are not in a bubble and investigate whether we are in a “mini-bubble.”
Amit cites CB Insights (a great service!) that $2.4 billion was raised by 269 cyber security companies in 2014. That is surely a lot. But so is the $1.9 billion raised by 350 Ed Tech deals in 2014. And the $12 billion in 730 deals in Fin Tech, and the $11.7 billion for 1,127 SaaS companies.
For every dollar in an innovative digital service for education or finance or the business cloud — not to mention mobile, healthcare, energy and transportation — we certainly need a few cents for innovations in security. If Software is Eating the World, then the Cyber Security industry has a lot to digest.
Another popular CB Insights meme is that the value of every venture unicorn combined is less than one Facebook. Similarly, if we assume the average venture financing might buy 20% of a company, then the aggregate post-money valuation of all 269 cyber security companies funded in 2014 is almost exactly the same as one Palo Alto Networks. Not every one of these companies is going to generate venture returns. But as of yet the funding does not seem out of line with the opportunity.
Amit makes a good point that the majority of recently-funded companies are point solutions. (I will admit to sometimes confusing ThreatTrack, ThreatStack and ThreatStream.) Each one cannot expect to sell directly to CISOs who must buy platforms, if for no other reason than there are only 24 hours in a day. This is surely true, but probably not a sign of a bubble. Venture capital has long succeeded in funding point solutions (in cyber security and elsewhere) which find their way to market through a combination of direct sales, channel and strategic partners, and acquisition. Moreover, while it sometimes seems easy to distinguish platform companies from the others, we shouldn’t be quite so sure of ourselves. Check Point was a point solution. And I would be willing to bet the early investors in Palo Alto Networks and FireEye saw a path to a venture return as a point solution, even if they had platform stars in their eyes at the same time. (Making a $1 billion acquisition of a services company was certainly not part of the initial FireEye business plan!) So of course, the vast majority of these new companies will not achieve $10 billion-value platform status. The more important thing is to invest in teams who have a demonstrable track record and capability of getting their products and services to market.
Amit’s most compelling point is “there is a big difference between building a great new malware detection/protection/evasion tool and building a large company.” This is certainly true. Sitting at a global platform like Bessemer, Amit has access to probably 50 times more early-stage companies than I do, as I look primarily at seed deals in the D.C. Cyber Corridor. So if the majority of the deals out there are more-automated-malware-detection-with-better-machine-learning-for-the-modern-corporate-network-infrastructure, that would be somewhat dispiriting. Another trend in venture capital is that large funds seem willing to anoint winners earlier in the cycle (e.g., before customers have fully voted). As such, I’d be nervous about launching a new Advanced Persistent Threat tool into the teeth of Illumio’s $140m of funding, among others.
However, in my modest little corner of the cyber security start-up universe, this is not what I’m seeing. I’m seeing brilliant, innovative, orthogonal, out-of-the-box concepts from deeply experienced technicians, security practitioners and entrepreneurs:
* New APIs so that the world’s 30 million developers can easily employ advanced encryption without needing to be experts at what’s under the hood.
* New approaches to keep vital corporate information from being sold on the dark web.
* Platforms to organize the daily work of security analysts and SOCs, whose workflows remain far too ad-hoc for the threats they have to fight.
* New approaches to training the thousands upon thousands of new security analysts global industry will need in the coming years.
* New paradigms for protecting networks in a containerized world, when the (virtual) nodes number not in the thousands, but in the hundreds of thousands.
* And new ways for CISOs to digest all these changes and find and buy the best solutions for their networks.
Just to name a few. Investing in a boom cycle can be scary stuff. And we all have a responsibility to force ourselves to stay grounded to some form of reality. Amit has served us well to remind us of this central fact. But as more and more of the world’s activities are digitized, and as bad actors have ever-increasing incentives to exploit weaknesses, I am confident that the cyber security industry needs to continue to push forward as well.