
Is The Cybersecurity Bubble About To Burst?

Cybersecurity stocks are way down in 2016 so far, but venture capital money still flows.

The stock markets in general have been delivering a lot of bloody noses in the year to date, but one of the particularly big surprises in this downward slide has been the absolute beating cybersecurity companies are taking. In this age of data breach fears and increasing security spend, these firms have long been vaunted as recession-proof. But the industry's notable public firms are looking worse for the wear in 2016.

So, the question is, have we reached peak cyber?

On one hand, the cybersecurity startup world experienced an explosion in financing in 2015, and a number of announcements in the last month and a half have shown that venture capital (VC) still continues to flow. But on the other, there's the aforementioned fact that the already established players have been hit hard. What's more, rumblings are growing louder of cybersecurity startups being overvalued. Word on the street is that VC scrutiny prior to financing has ratcheted up, even if the cash flow itself hasn't been cut off just yet.

The Good

First for the positive signs. Last year was a landmark in financing for cybersecurity, with deals totaling $3.8 billion, according to CB Insights analysis. That's a 235% growth rate over the last five years. According to Steve Morgan, CEO with Cybersecurity Ventures, the VCs have done "the math around cybercrime and it seems they've concluded there's a huge upside in the cybersecurity sector," in spite of poor public cybersecurity performance at the moment.

"I think the requirements are largely the same as they've always been - VCs look for strong founders with proven track records, strong management teams, fully developed technology platforms and products in large addressable markets, and ultimately a vision towards a liquidity event IPO, merger, acquisition that will pay dividends on their investment," Morgan says. "There's a lot of cybersecurity companies who line up to this criteria--and thus why we are seeing so much money flowing into startups and emerging players in cyber."

The 2016 continuation of that narrative has been backed by a slew of big VC deal announcements in the past month. ForeScout garnered $76 million and Shape Security scored $25 million in late-stage funding in late January. Meanwhile, a new name to the market is Fireglass, an Israeli firm in stealth mode with plans to launch at RSA, which announced $20 million in Series A funding. And Digital Shadows, which has been amassing a heavy-hitting roster of security veterans in its leadership ranks, announced just Tuesday that it picked up $14 million in Series B funding.

The question is, at what point does the market reach saturation? As one VC told Mahendra Ramsinghani, founder of Silicon Valley cybersecurity seed fund Secure Octane, for a piece recently in TechCrunch, “I have seen at least 40 FireEye killers in the past 12 months.”

In spite of that, Morgan points to the 126% growth of security spend predicted by analysts with MarketsandMarkets, combined with 1 million current cybersecurity job openings as evidence that the industry still has plenty of room to grow.

"At some point all markets saturate - but I don't think we are anywhere near a saturation point. IBM grew their security business by 12% last year, or by another half billion dollars," he says. "Cisco's security business saw similar growth. Dell is spinning out its SecureWorks business as an IPO. The large players do a lot of their own market research and they've made very calculated moves in to cybersecurity - because they recognize cyber is one of the fastest growing markets in the tech industry."

The Bad

Nevertheless, there are signs that 2015 was likely the peak, for the time being, for cybersecurity funding. The recently announced funding rounds may be the tail end of the feeding frenzy. Last month, Mike DeCesare, CEO of ForeScout, told Financial Times that he felt his firm barely squeaked through with its funding round before less optimistic investors really tightened the screws on cybersecurity funding, reporting that the investment environment has tightened up considerably in the last six months.

"Even people considering relatively small investments of [$5 million] are asking for five or 10 due diligence meetings to understand the assets," he told FT. "I've never heard investors challenge the path to profitability."

And for its part, ForeScout is also holding tight on long-held IPO plans due to worries that its $1 billion valuation would not hold its value if it went public at the moment.

These valuation concerns are likely what eventually drove iSight Partners into the arms of FireEye for $200 million in January. That was less than a quarter of its previous valuation. Back in August 2015, then-CEO John Watters told Bloomberg that the firm was planning a late 2016 IPO but that it wouldn't do so at anything less than a $1 billion valuation. 

The Ugly

And then let's look at those who have already made their exits or are part of the security old guard. Here are some of the ugly stock losses in the year to date:

· Imperva: -46.44%
· Barracuda: -44.57%
· FireEye: -42.04%
· Rapid7: -37.48%
· Fortinet: -23.52%
· CyberArk: -22.09%

Bullish folks might say this can't be looked at in isolation.

"I think we are seeing a normalizing of the market, not a crash or anything like that.  There was not an isolated fallout in the cybersecurity sector," Morgan says. "Rather, cyber stocks came down with the rest of the tech industry - and I expect that cyber will be the cream that rises to the top of tech when the market rebounds."

Those like Morgan believe the cybersecurity losses are a function of a painful correction the market is experiencing as a whole. However, the current numbers tell that story with a twist.

Even as they drown in red ink, the markets overall are outperforming cybersecurity stocks. The NYSE composite is down only by 9.44% for the year and even the tech-heavy NASDAQ composite is only down by 14.76%. That's a brutal stat but nothing compared to the likes of Imperva, Barracuda, FireEye, and Rapid7, which more than double the losses. Things are looking bad enough at Barracuda--which has declined in value by 69% in the last 12 months--that it may be looking for buyers with the help of Morgan Stanley.

Cybersecurity stocks are also faring more poorly than the general tech sector. Using some of the popular tech sector ETFs as a benchmark, the losses are averaging around 10% to 15% at the moment.

These are numbers that can't be ignored and may affect the way public companies--as well as late-stage privates approaching their exits--make their management and go-to-market decisions. Meanwhile, if venture capital does drop off, those less mature startups may not have as much capital to make good on the product roadmaps promised to their early customers.

Ultimately, in a volatile market like this one, it's caveat emptor for security decision makers, as due diligence plays a more important role than ever in products and services acquisition.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

User Rank: Apprentice
2/12/2016 | 9:23:47 AM
InfoSec profession needs to mature
Agreed. It can be hard to compete with the $$ thrown around by the next shiny object. For the most part, these new VC-funded firms have developing "competitive" technology that looks pretty and provides enough services (bells and whistles) to get the market's attention. And, the market is there ($75B per Gartner). What's amazing is how many of these firms provide reactive services (analyze and fix a problem) instead of proactively preventing it in the first place. Why would an enterprise allow itself to be compromised knowing they have a vulnerability?

The smart buyers who see the bigger picture know this. Unfortunately, infosec is a frantically-growing profession and lacks the maturity to see beyond the flash. Eventually, the profession will mature and realize that their bandaid approach will only work for so long and eventually it will fail (and the market will respond). The market will look vastly different in the next few years. The smart buyers who see the bigger picture know this.

User Rank: Apprentice
2/12/2016 | 9:08:29 AM
Bulls on Parade
Cybersecurity isn't going anywhere. What you have seen in the past two years with new public offerings are race to the gate companies with unproven technology that can quickly be overcome by more established players in the space. They are all buyout targets at this point.

The threat landscape will never stop changing, and the protection of data will continuously evolve as that landscape changes. It is literally a never ending self fueling industry with huge upside.

Problem is with unknowledgeable investors who do not know jack about the underlying technology and evolving threat landscape. They pour money into companies based upon guess work, rising tides, and high valuations. When markets rattle, these high valuers pull out of their low information investment decisions, which is why you will see the high swings up and down.

PANW is stellar. Great product, great company, went out and is beating the pants off the old guard in that particular segment of cyber. Cyberark, great product, great at what it does in that particular niche. FireEye, an amalgamation of splinters of threat identification...good at some and not so good at others. It's trying to acquire its way out of obsoletion.

The rest of the bunch rapid, fortinet, et al...rising tide players only. Never had it together in the first place.

Forescout is 15 years old, proven, robust...does what it says it can do and very well. They too will be a force and long term player.

Don't jump in if you don't know what you are doing. This isn't picking a cell phone company stock, or energy company stock, or other well known space offering tied to some transparent traded commodity. If you don't know how and how frequently the cyber security space is evolving, then stay out of the winner picking business in this space. There will be many winners, but many more who fail.
User Rank: Strategist
2/10/2016 | 6:36:37 PM
what was the meaning of PETS.COM?
last time we explosively overheated an internet technology market was 1999 or so. this ended messily, and the signal of the end was the failed PETS.COM IPO. apparently there was no there there, and everybody knew it, but i guess folks were hoping they could squeeze out one more vapid also-ran before the party was over.

i didn't involve VC's in my current venture, because i wanted to do a bunch of crazy stuff like reach breakeven and then grow organically on a single small seed round, rather than trading dilution to get fast -- but usually brittle and unsustainable -- growth. so far i'm pretty happy with that decision, and it puts me in mind to speak as an outsider in the current mess:

competing with someone who doesn't have to earn money before they can spend it, is irritating.

so, if the VC community gets cold feet about my industry for a little while, i'm OK with that.

which means i challenge this article's assumption that the industry's health can be determined by deal size and exit size trends. customers and employees matter a lot, it's not just the shareholders who need to be counted here.
User Rank: Guru
2/10/2016 | 4:34:54 PM
Cyber Security is Beyond the Tipping Point
Cyber Security has reached the tipping point. The cat is out of the bag. Even Corporate Board members are getting the idea... since these individuals may be liable for damages.

Cyber Security is an intractable problem without a known, provably correct solution. This presents an irreconcilable dilemma for board members who have a responsibility to safeguard the enterprise. Congress recognized this in the Cyber Security Disclosure Act of 2015 designed to encourage disclosure of Cyber Security expertise on corporate boards.

In a quandary and caught in a paradox between an incomplete Cyber Security theory and practice and the more complete and well specified fiduciary duties and risk oversight responsibilities, no amount of compliance monitoring or Cyber insurance can fully protect the enterprise. Just how to thread the needle of this legal quandary! How can board member failure be avoided when the organization insists on trusting data and information it cannot afford to lose to an Internet which cannot be protected? Corporate board members who find themselves overseeing overcommitted Internet dependencies are looking for a new way of thinking.

So no wonder the bloom is off the rose in the stock market for Cyber Security offerings.
Sara Peters
User Rank: Author
2/10/2016 | 11:22:12 AM
I confess that I generally don't pay much attention to the vacillations of The Market -- something I'm sure my 401K would scold me for, if it were a sentient being -- but I find this both intriguing and a little disconcerting.

I wonder, is it just that people aren't buying into the one-stop security shop anymore? What is it they're looking for -- something more tailored, more cutting-edge, more affordable, more flexible -- that they don't think the big names can give them? Or are the investors' behaviors entirely disconnected from the behaviors of the buyers right now?

Help me out here, people.

