Experimental feature

Listen to this article

Experimental feature

Last year was a boom time for cyber security start-ups. Just take a look at the deals. In November, Tenable Security, a Maryland-based company that specialises in spotting vulnerability in company networks, raised $250m in one of the biggest funding rounds for a cyber group to date.

The transaction capped off a bumper 12 months in fundraisings across the sector, with US peers including Cloudflare, Tanium and Zcaler each raising $100m or more.

But as the calendar flipped over to 2016 the boom was coming to an end.

Some entrepreneurs reported that securing funding had become increasingly difficult. Mike DeCesare, head of ForeScout, an internet-of-things security company, told the Financial Times in January that his company had raised $76m. But he said he felt like “the guy in the movie that slides right under the [closing door] . . . it is a very precarious investment environment right now”.

The reason seems to lie in the general downturn facing the technology industry as well as the attitude of investors towards the cyber defence sector. But why should this be when the number of high-profile hacks of major companies keeps growing?

Since 2014, JPMorgan Chase, an investment bank, TalkTalk, a telecoms provider, Target, a retailer, Anthem Healthcare and Fiat Chrysler, a carmaker, have had their cyber defences breached. Their corporate reputations suffered as a result.

In February last year, the co-chair of Sony Pictures, Amy Pascal, left her job following a high-profile breach that led to private and embarrassing staff emails being published on the web.

A few months later, in August, Noel Biderman, chief executive of Avid Life Media, the parent company of Ashley Madison, an adultery website, stepped down in a move described as being “in the best interest of the company”.

His departure followed a data breach that exposed the personal data of millions of customers who may have been seeking extramarital affairs. Weeks of damaging news stories followed.

Such attacks put some in the cyber industry in bullish mood for its future prospects. Take Austin Berglas, an executive at K2 Intelligence, a corporate investigations company and a former FBI agent.

Mr Berglas, who led probes into the Silk Road website, which sold illegal drugs and firearms on the “dark web”, says: “Sometimes it takes a JPMorgan Chase or a Target to make people realise that the only way you can help yourself is preparation as though it’s going to happen.”

The cyber bulls’ argument has some logic. Surely as companies and consumers wake up to the cyber threat they will want to spend more on defence?

Apparently not. Industry insiders give two reasons for the cooling in investor sentiment towards them.

The first affects all tech start-ups. A funding squeeze is hitting digital groups, with tech investors increasingly concerned about the soaring valuations enjoyed by start-ups, particularly in Silicon Valley.

According to figures from CB Insights, a research group, in a study published jointly with KPMG, a professional services firm, venture capital firms globally made $27.2bn of investments in start-ups in the fourth quarter of 2015, a fall of almost 30 per cent compared with the previous quarter.

In the US, venture funding fell to $13.8bn in the last quarter of 2015, down from $20.2bn in the third quarter. There were similar falls in Asia and Europe.

The second problem is more specific to cyber security outfits.

Investors in the sector, such as Mike Chalfen, a partner at London-based Mosaic Ventures, says that after years of bluster a more discerning eye is being cast over the efforts of cyber security groups.

A large number of fledgling companies are joining a crowded market offering “point solutions” that focus on one problem, such as firewalls and antivirus products.

Instead, true value is to be found in “platform” groups that have a broader range of products and services.

One example of this is Palantir, an artificial intelligence company that specialises in spotting cyber threats and helps identify terrorist suspects for US intelligence services.

Palantir has raised $2.3bn in funds so far, including an announcement of $880m in December.

“The market, in general, is getting more discriminating,” says Mr Chalfen. “It’s not just investor sentiment is more negative, but there is greater discrimination between companies you like and companies you love. To some extent, there’s a healthy recollection that security has always been a difficult area to invest in.”

He adds that too many start-ups were overvalued and their products were overpriced.

Norman Fiore, general partner at Dawn Capital, a venture capital group that is a keen investor in cyber security start-ups, says: “I don’t want to call it a bubble, but you did have valuations that ran away.

“You had lossmaking businesses growing fast but burning through lots of cash. There has been a move back to looking for companies with sound business models.”

Marcin Kleczynski, founder of Malwarebytes, which protects consumers and companies from malicious software, says it has been difficult for investors to differentiate between security companies in a frantic market.

He says: “There is a lot of noise in the security industry.”

Generating revenues helps to attract investors, Mr Kleczynski adds. His company grew more than 120 per cent to reach an income of more than $100m in 2015, the sort of figures that in December convinced fund manager Fidelity to invest $50m.

It may be the case the cyber start-up sector is experiencing a useful correction, forcing investors to look more carefully at the inner workings of inexperienced companies before making projections of their future performance. But that shift may prove painful.

Mr Chalfen adds that the market is suffering from “silver bullet” syndrome. “There are usually multiple ways of solving a security problem. There is rarely one.”

Mr Fiore says that cyber security companies need to avoid hype and explain clearly to their potential customers and investors that often they offer only part of a solution, not the whole answer.

Mr Fiore adds: “You layer and layer your technology so that, with a combination, [these layers] do more to provide protection.”


This article was updated on March 17 to clarify that the correct name of the company is Mosaic Ventures

Get alerts on Cyber Security when a new story is published

Copyright The Financial Times Limited 2019. All rights reserved.

Follow the topics in this article