Instead, many in the crowded market are struggling to live up to their early promise. In some cases, the security products they developed have been overtaken by advances in cyber hacking, according to industry executives and venture capitalists. In others, larger competitors have come out with similar technology and locked down customers.
“I have never seen such a fast-growing market with so many companies on the losing side,” said David Cowan, a partner at Bessemer Venture Partners, a venture capital firm that has invested in the cybersecurity sector.
Venture capital continues to pour into the industry, driven by the belief that there is no end in sight to cyber attacks or companies’ need to protect themselves. Yet only a handful of start-ups have successfully sold themselves or floated in the stock market in recent years.
The result is a number of these start-ups have become corporate “zombies” with little prospect of fetching a good price in an initial public offering (IPO) or becoming acquisition targets, experts said. Their early investors have been left without an easy or profitable exit.
Not only is the technology behind cyber attacks rapidly evolving, the nature of how the corporate world uses security firms is changing. To save money and trouble, some companies have consolidated their security work, using just a few large players rather than spreading business around.
Companies are also diverting money to lower-cost “bug bounty” firms that contract out researchers who help identify security weaknesses.
“Suddenly, we are in this situation where there are just too many vendors and too few can be sustained,” said Dave DeWalt, the former CEO of cybersecurity company FireEye.
“You’re starting to see companies go, ‘oh my gosh, what do I do? Can I get more capital, do I have to merge?’” DeWalt said.
Momentum Cyber, an advisory firm focused on cyber industry mergers and acquisitions, said it tracks 2,500 security companies today, almost double the number a few years ago. The firm’s co-founder, Eric McAlpine, estimates 300 cybersecurity start-ups launch every year.
Few of these are pulling off IPOs. What’s more, big software companies have become less willing to acquire cybersecurity products they believe they can develop on their own.
“The pipe dream days of selling companies at a rich price equivalent to ten times their revenue are gone,” said Tom Kellermann, chief executive of venture capital firm Strategic Cyber Ventures.
ForeScout Technologies, a provider of software that helps companies keep the devices of their employees secure, was the only US cybersecurity company, excluding identity management providers, to go public last year. This compares to three cybersecurity IPOs in 2016 and four in 2015.
ForeScout raised $116 million in an IPO in October that valued the company at about $800 million, down from its $1 billion valuation in the private markets a year earlier. ForeScout’s backers, including Intel Capital and Accel Partners, had to moderate their valuation expectations for the IPO to be successful. The company is now trading at a $1.2 billion market capitalisation.
To be sure, many venture capital firms are sticking with the sector. Some are curbing their bets or backing smaller start-ups. “Start-ups that are likely to reach between $100 million and $300 million in value are still offering excellent opportunities for an exit,” said Yoav Leitersdorf, whose investment firm YL Ventures was an investor in Hexadite, a cybersecurity incident investigation company that announced a sale to Microsoft last June.
Some larger start-ups, such as Carbon Black, have delayed their IPOs. Founded in 2002 by former US government cybersecurity experts, Carbon Black, formerly known as Bit9, was a pioneer in developing tools that detect and respond to threats targeting corporate networks.
Within a few years, its market became more competitive, as rivals such as Cylance, CrowdStrike, and SentinelOne came out with similar technologies. Some larger companies, including Symantec Corp, also developed similar products.
Carbon Black filed confidentially for an IPO in 2016, while also exploring a sale to other companies, including IBM Corp, people familiar with the matter said. IBM did not respond to a request for comment.
The Boston-area company has yet to move ahead with the IPO, stranding investments from venture capital backers such as Kleiner Perkins Caufield & Byers and Sequoia Capital. Both firms declined to comment.
A source close to Carbon Black said it is now hoping to go public this year, and that it delayed its IPO to integrate an $100 million acquisition of a company called Confer. Carbon Black CEO Patrick Morley, in an interview, declined to comment on plans around a possible IPO, or any merger discussions.
But Morley said the company has rolled -out several cybersecurity offerings that make it more diversified than its rivals. He also predicted more consolidation in the market.
Another start-up, Zscaler, which specializes in cloud security, hired investment banks to go public last year but has delayed its offering until at least March to focus on growing its revenue, according to sources. Zscaler declined to comment. “Some have compared some cybersecurityfirms to cockroaches,” DeWalt said. “They can’t die, but they aren’t smoking hot either.”
To read the full story, Subscribe Now at just Rs 249 a month
Already a subscriber? Log in
Subscribe To BS Premium
₹249
Renews automatically
₹1699₹1999
Opt for auto renewal and save Rs. 300 Renews automatically
₹1999
What you get on BS Premium?
- Unlock 30+ premium stories daily hand-picked by our editors, across devices on browser and app.
- Pick your 5 favourite companies, get a daily email with all news updates on them.
- Full access to our intuitive epaper - clip, save, share articles from any device; newspaper archives from 2006.
- Preferential invites to Business Standard events.
- Curated newsletters on markets, personal finance, policy & politics, start-ups, technology, and more.
Need More Information - write to us at assist@bsmail.in