CyberWarfare / ExoWarfare

Zombies: Rate of Cybersecurity Venture Funding Not Sustainable, Investors Say

By Kevin Townsend on January 18, 2019


Venture capital firm Strategic Cyber Ventures (SCV) considers itself a part of the overall security industry. “First and foremost we are cyber operators,” it states on its website. “We advance cybersecurity through expert investment in synergistic teams and technology solving the world’s security problems.”

This week it published a report titled ‘The State of 2018 Cybersecurity Investing; being an analysis of venture capital funding in the security industry over the last 12 months. The first and most obvious point is that venture funding has continued to grow. In 2018 it exceeded $5 billion compared to under $3 billion in 2016. This, says the report, is simply unsustainable.

To make it worse, it is not unsustainable in terms of available financing, it is unsustainable in terms of the security industry generating enough profit to give the venture firms a return on their investment. Put another way, says the report, “there are likely many zombies out there.”

In the finance industry, a zombie company is one that earns just enough money to continue operating and service debt, but is unable to pay off debt. Such companies cannot afford to invest for growth, and are perhaps just one problem issue away from insolvency.

“Essentially,” SCV’s Chris Ahern told SecurityWeek, “they are there, not growing at particularly attractive rates that would command additional external investment. And their investors are tired of keeping them alive with additional internal rounds of capital.” More graphically accurate, SCV is suggesting that there are several cybersecurity companies that are just dead men walking.

Although the amount of financing grew last year, the number of deals was similar or less to those of 2017. There were three investment deals in 2018 each totaling more than $200 million (Tanium and CrowdStrike) or more (Anchorfree with $295 million). The largest individual deal in 2017 was the £180 million raised by Rubrik.

Noticeably, non-U.S. investment is growing, with $1 billion going to Asian and European firms, split evenly between the two regions. But this needs to be seen in context. California alone attracted around twice this investment; while the U.S. overall attracted four times the amount (just over $4 billion).

The DMV (D.C., Maryland, Virginia) region of the U.S. attracted just $1 billion in cybersecurity investments over the last four years — which is a bit surprising since the area is considered one of the best educated and most affluent areas in the U.S. (Wikipedia) — but of this amount, a paltry $80 million went to DC venture-backed start-ups. “As DC residents,” comments SCV, “we have to think there is more the city could do to entice cybersecurity companies to establish their headquarters in the city.”

Mergers and acquisitions (M&A) grew to about $12 billion from around $9 billion in 2017 — but still well short of the $15+ billion of 2015. As usual, the greatest part of the M&A activity occurred in the U.S., accounting for around $11 billion of the total $12 billion.

The most significant acquisitions were Duo Security by Cisco ($2.4 billion), AlienVault by AT&T ($1.6 billion), and Cylance by Blackberry ($1.4 billion). Private equity got involved. Here the most significant acquisitions were Barracuda by Thoma Bravo ($1.6 billion), Bomgar by Francisco Partners ($739 million), and Centrify by Thoma Bravo ($400 million). IPOs were also strong in 2018. The most significant were Avast ($811 million), Tenable ($251 million), Zscalar ($192 million), and Carbon Black ($152 million).

“This is the second consecutive year of 4 cybersecurity IPOs. On deck for 2019 are rumored to be: CrowdStrike, DarkTrace, Pindrop, Tanium, and Illumio. Looking forward, we expect significant investment (both equity financings and M&A) in cybersecurity companies to continue in 2019, but at or just below the levels we saw in 2018.”

In fact, SCV believes the cybersecurity market — with all those zombies staggering around — will need both IPOs and M&As. “I think too much money is going into cybersecurity companies in general,” Ahern told SecurityWeek. “M&A and IPOs will have to keep up to see this money be returned to its investors. I think the M&A and IPO market will be strong, but perhaps not at the rates we’re seeing and the rates that are necessary to return this massive amount of capital that’s been put to work in 2018.”