tl;dr: Mattermark recently reported that the venture market appears to be very undead. That holds true for cybersecurity startups, for whom funding was supposed to have dried up.
Unless you live under a rock you’ve heard about the current fracas between the FBI and Apple. If you who need a brief but thorough crash course on the situation, I recommend Ben Thomson’s article Apple, the FBI, and Security.
The subject of Apple’s struggle with the US Government presents thorny political and legal issues. These issues have direct bearing on the technology industry, especially so for upstart companies that lack the broad product portfolio and depth of legal and financial resources that Apple or its megalithic allies in this struggle may take for granted.
Given the public debate, it might be tempting to believe that the threat of government interference may be the primary challenge facing new cybersecurity and encryption companies, but a more immediate danger presents itself in the short-run (it may take a year or more for all the court proceedings and government policy wrangling to take its course).
Some reports, such as the now widely-syndicated Reuters piece from last week, suggest that 2016 may be a particularly difficult year for upstart cybersecurity companies seeking outside investment. I decided to test this assumption.
2013 and 2014 were banner years for cybersecurity and encryption companies. Stemming from breaches of credit card data at JP Morgan Chase, Home Depot, and Target, and state-sponsored cyber-attacks in Singapore, Russia, the Republic of Georgia, demand for their products and services soared. Consequently, so did the price of shares in publicly-traded cybersecurity groups. As an example, FireEye’s IPO was priced at $20 in late 2013. When it opened, the first trades went through at $36.
FireEye shares vaulted to $96 in early March 2014, before embarking on a long but steady slide below its IPO price and the overall performance of the NASDAQ. The company closed at $16.70 this past Monday.
It’s no surprise, then, that there a lot of cybersecurity and encryption-focused startups were founded during these heady times. The mid-2010s, for example, set record pace for companies founded in the cybersecurity and encryption spaces.
At the same time though, one gets the sense from looking at lists of “hot” cybersecurity startups that the majority of attention falls on those founded in or before 2014. For example, InformationWeek’s DARKReading blog compiled a list of “20 Cybersecurity Startups to Watch in 2016” which included only two companies founded in 2015: Cynet and Twistlock.
All this being said, I find the somewhat gloomy outlook given by Reuters to be out of step with what the data show. Here, I pulled data for over 1,700 individual funding rounds made in 940 companies in the space between 2004 and March 1, 2016.
In 2015, $3.74 Billion was invested in security companies, up 67% from the year before. If aggregate funding activity keeps pace with what we’ve seen thus far in 2016, it’s possible that almost $5 billion will be invested in cybersecurity and encryption-related startups this year.
2015 was also a good year for cybersecurity startups raising Seed, Angel, Series A and Series B rounds. Dollar volume went up significantly, but so did the number of deals. In our dataset, there were 204 Seed, Angel, Series A and Series B rounds closed, compared to 137 rounds in 2014 and 152 rounds in 2013.
So, with this in mind, how might we reconcile what the data show with the belief that 2016 is going to be a tough year for cybersecurity startups? It’s true that cybersecurity stocks (FEYE, CUDA, PANW, CHKP, etc) have fared somewhat poorly as of late, but so have many tech companies, including those that IPO’d in the last year. While this may have led investors in public markets to reign in their expectations and enthusiasm in 2015, signs of that same restraint cannot be found in the data for investment in private companies.
This is not to say that it’s all butterflies and rainbows and an easy path toward ‘unicorn’ status for cybersecurity startups this year. Like the broader startup market, competition for early-stage investment is fierce and growing fiercer, especially as many investors shift their focus to investing in slightly later-stage companies with proven traction. And, cybersecurity startups face some unique challenges.
Monetization can be a challenge, and a combination of slow enterprise sales cycles and the rapidly-changing nature of threats mean that many cybersecurity solutions are obsolete on arrival. And, while I don’t have any data to back this up, I’d wager that the highly technical and specialized nature of cybersecurity technologies may slow down the deal-making process as savvy investors perform technical due diligence on prospective investments, even for those investors who specialize in cybersecurity.
In spite of all this, the market for cybersecurity products and services grows by the day. As the technology landscape grows ever more complicated, there are opportunities for upstart companies to patch security holes as they open up. Unlike the “on demand economy” or e-commerce, demand for cybersecurity solutions is not cyclical in the same way. There are always new threats, so a market for these solutions is unlikely to dry up soon. Whether or not investor interest in private cybersecurity and encryption companies eventually tapers off remains to be seen, but barring disaster, 2016 is looking just fine.