For Cybersecurity Startups, Warning Signs Loom

Global venture capital investments reached a record $4.9 billion in 2017, according to Reuters, while global cyber mergers and acquisitions fell 30% year to year, from $11.1 billion to $7.8 billion.

For daily updates, subscribe to our newsletter by clicking here.

These statistics should be raising a red flag for investors, and startups courting capital may discover that raising equity is not as easy as it used to be.

Venture capitalist Yuval Shachar. Photo: Amit Sha'al

“I have never seen such a fast-growing market with so many companies on the losing side,” David Cowan, a partner at cybersecurity-oriented venture capital firm Bessemer Venture Partners, told Reuters in an interview Wednesday.

Many firms continue to infuse capital into this sector, but hints of change could be detected over the past year, especially as the fragmentation of the market becomes more apparent. Many cybersecurity companies tend to develop a single product that answers a specific, narrow need, with no added value.

“There are too many companies with similar solutions to the same problems, each only offering a slight improvement,” Israeli-born technology entrepreneur and venture capitalist Yuval Shachar said in an interview with “30 Minutes or Less”, a podcast by Microsoft Accelerator TLV that aired on Calcalist last week.

Mr. Shachar is the co-founder of Innovation Endeavors, a venture capital firm owned by former Google CEO Eric Schmidt, and a partner at Tel Aviv-based cybersecurity startup-foundry, Team8 Labs Ltd. he thinks the market's fragmentation scattered talent over many small problems, while the industry actually needs to gather critical mass to solve large problems.

Udi Mokady, CEO and co-founder of CyberArk Software Ltd., had a similar opinion in a November interview with Calcalist, saying the use of the term “cyber” has been in inflation. “Lots of companies that come from unrelated fields have added the term to their product even though it’s not really what they are supplying,” he said, “sometimes all there is is a feature.”

“In 2015 or 2016, a company like that could have raised a lot of money," he added. "Now investors waver and wait to see what happens.”

Another reason is that many institutional clients are fed up with having to purchase dozens of different products, and are increasingly searching for a limited number of companies that offer all-in-one products. Other clients prefer to contract cyber companies when there is a specific problem, offering a reward to on a case-to-case basis.

These processes have led to the creation of "zombie companies," as they are known in the industry, meaning that companies that generate enough revenue to cover operating costs but only have enough on hand to cover the interest on their financing and not the debt itself, essentially operating on the brink of bankruptcy, sometimes for years.

“Suddenly, we are in this situation where there are just too many vendors and too few can be sustained,” Dave DeWalt, former CEO of cybersecurity company FireEye Inc., said in an interview with Reuters.

The trend is reflected in a decreasing number of initial public offerings of cyber companies. In 2017, only ForeScout Technologies Inc. decided to be listed, raising $116 million on its Nasdaq debut, compared to three IPOs in 2016 and four in 2015. Some companies that were testing out the waters for an IPO, like Massachusetts-based Carbon Black Inc., backed down when they found rivals launching similar products.

“Some have compared some cybersecurity companies to cockroaches,” DeWalt said to Reuters. “They can’t die, but they aren’t smoking hot either.” But what does this mean for the market, and for investors?"

Investing in cyber requires a certain expertise. Furthermore, political or legal events can have a big impact on the interest levels of investors. While experienced investors may be cooling down, big headlines can still cause green investors to put money into cyber.

Cyber is also undergoing specialization, with more and more companies differentiating into niche offerings like vehicle security, autonomous cars or Internet of Things security. These companies may be a safer bet in the long term, but it is doubtful whether they will raise the same amounts.