The stock markets in general have been delivering a lot of bloody noses in the year to date, but one of the particularly big surprises in this downward slide has been the absolute beating cybersecurity companies are taking. In this age of data breach fears and increasing security spend, these firms have long been vaunted as recession-proof. But the industry's notable public firms are looking worse for the wear in 2016.
So, the question is, have we reached peak cyber?
On one hand, the cybersecurity startup world experienced an explosion in financing in 2015, and a number of announcements in the last month and a half have shown that venture capital (VC) still continues to flow. But on the other, there's the aforementioned fact that the already established players have been hit hard. What's more, rumblings are growing louder of cybersecurity startups being overvalued. Word on the street is that VC scrutiny prior to financing has ratcheted up, even if the cash flow itself hasn't been cut off just yet.
First for the positive signs. Last year was a landmark in financing for cybersecurity, with deals totaling $3.8 billion, according to CB Insights analysis. That's a 235% growth rate over the last five years. According to Steve Morgan, CEO with Cybersecurity Ventures, the VCs have done "the math around cybercrime and it seems they've concluded there's a huge upside in the cybersecurity sector," in spite of poor public cybersecurity performance at the moment.
"I think the requirements are largely the same as they've always been - VCs look for strong founders with proven track records, strong management teams, fully developed technology platforms and products in large addressable markets, and ultimately a vision towards a liquidity event IPO, merger, acquisition that will pay dividends on their investment," Morgan says. "There's a lot of cybersecurity companies who line up to this criteria--and thus why we are seeing so much money flowing into startups and emerging players in cyber."
The 2016 continuation of that narrative has been backed by a slew of big VC deal announcements in the past month. ForeScout garnered $76 million and Shape Security scored $25 million in late stage funding in late January. Meanwhile a new name to the market is Fireglass, an Israeli firm in stealth mode with plans to launch at RSA, which announced $20 million in Series A funding. And Digital Shadows, which has been amassing a heavy-hitting roster of security veterans to its leadership ranks just Tuesday announced it picked up $14 million in Series B funding this week.
The question is, at what point does the market reach saturation? As one VC told Mahendra Ramsinghani, founder of Silicon Valley cybersecurity seed fund Secure Octane, for a piece recently in TechCrunch, “I have seen at least 40 FireEye killers in the past 12 months.”
In spite of that, Morgan points to the 126% growth of security spend predicted by analysts with MarketsandMarkets, combined with 1 million current cybersecurity job openings as evidence that the industry still has plenty of room to grow.
"At some point all markets saturate - but I don't think we are anywhere near a saturation point. IBM grew their security business by 12% last year, or by another half billion dollars," he says. "Cisco's security business saw similar growth. Dell is spinning out its SecureWorks business as an IPO. The large players do a lot of their own market research and they've made very calculated moves in to cybersecurity - because they recognize cyber is one of the fastest growing markets in the tech industry."
Nevertheless, there are signs showing that 2015 likely was the peak for the time being for cybersecurity funding. It could be that the recently announced funding rounds may be the tail end of the feeding frenzy. Last month, Mike DeCesare, CEO of ForeScout told Financial Times that he felt his firm barely squeaked through with its funding round before less optimistic investors really tightened the screws on cybersecurity funding, reporting that the investment environment has tightened up considerably in the last six months.
"Even people considering relatively small investments of [$5 million] are asking for five or 10 due diligence meetings to understand the assets,” he told FT. “I’ve never heard investors challenge the path to profitability.”
And for its part, Forescout is also holding tight on long-held IPO plans due to worries that its $1 billion valuation would not hold its value if it went public at the moment.
These valuation concerns are likely what eventually drove iSight Partners into the arms of FireEye for $200 million in January. That was less than a quarter of its previous valuation. Back in August 2015, then-CEO John Watters told Bloomberg that the firm was planning a late 2016 IPO but that it wouldn't do so at anything less than a $1 billion valuation.
And then let's look at those who have already made their exits or are part of the security old guard. Here are some of the ugly stock losses in the year to date:
· Imperva: -46.44%
· Barracuda -44.57%
· Fireeye -42.04%
· Rapid7 -37.48%
· Fortinet -23.52%
· Cyberark -22.09%
Bullish folks might say this can't be looked at in isolation.
"I think we are seeing a normalizing of the market, not a crash or anything like that. There was not an isolated fallout in the cybersecurity sector," Morgan says. "Rather, cyber stocks came down with the rest of the tech industry - and I expect that cyber will be the cream that rises to the top of tech when the market rebounds."
Those like Morgan believe the cybersecurity losses are a function of a painful correction the market is experiencing as a whole. However, the current numbers tell that story with a twist.
Even as they drown in red ink, the markets overall are outperforming cybersecurity stocks. The NYSE composite is down only by 9.44% for the year and even the tech-heavy NASDAQ composite is only down by 14.76%. That's a brutal stat but nothing compared to the likes of Imperva, Barracuda, FireEye, and Rapid7, which more than double the losses. Things are looking badly enough at Barracuda--which has declined in value by 69% in the last 12 months--that it may be looking for buyers with the help of Morgan Stanley.
Cybersecurity stocks are also faring more poorly than the general tech sector. Using some of the popular tech sector ETFs as a benchmark, the losses are averaging around 10% to 15% at the moment.
These are numbers that can't be ignored and may affect the way public companies--as well as late-stage privates approaching their exits--make their management and go-to-market decisions. Meanwhile, if venture capital does drop off, those less mature start-ups may not have as much capital to make good on the product roadmaps promised to their early customers.
Ultimately, in a volatile market like this one, its caveat emptor for security decision makers as due diligence plays an even more important role than ever in products and services acquisition.