When security companies raise big funding rounds and spend big bucks at security conferences, be afraid -- very afraid

Mike Rothman, Analyst & President, Securosis

March 26, 2013

It was amazing to see how excited folks were at the recent RSA Conference. Things were great! Every company was doing great! It was like hanging out with Tony the Tiger for a week. When things seem too good, they usually are and the contrarian in me goes into overdrive. I'm constantly looking for chinks in the armor, and over the past weekend I found it. I read two articles over the past week all excited that venture capital money is flowing back into security. We are now seeing security companies raising huge rounds of funding at what must be huge valuations. Being an analyst, I'm approached by lots of new security companies overflowing with VC cash, trying to get my attention. Having seen this cycle more than once, I know what time it is. It's the time when the dumb money returns to security.

The funding wave is usually driven by some new kind of overhyped problem, with dozens of companies launching largely the same ideas and technologies to solve said problems. In security we are fortunate to have 3. Between anything "cyber," BYOD, and advanced malware (which really means keep the Chinese out), security has become a board-level issue. And who hangs out with CEOs and board members? Right, the VCs. So inevitably VCs get interested in the market sector, especially if they perceive innovation happening. Especially if that innovation is magical and hard to understand (like security) for the typical business school pukes, who inhabit the lower rungs of the VC food chain and chase most of the deals.

No, I'm not talking out of my backside. I spent the better part of a decade working with VCs, both as a company founder and as a senior executive in venture-funded start-ups. When I was the company founder, we had pretty smart money for the first two investment rounds. This was when the Internet bubble was just forming and the investors had lots of security and telecom experience. By the time we were ready for the third round, we needed more money and the Internet bubble was exploding. We looked for smart money, but they didn't like the valuation or our momentum (or lack thereof). We found some dumb money and got the deal done. To be clear, they weren't dumb guys, but they didn't understand the security business. They were smart guys with too much money, trying too hard to get exposure to a hot market sector.

Then we learned that our technology partners were going to screw us. And they did. At around the same time the Internet bubble popped, and we sold that company for the remaining money on the balance sheet. But I learned a lot, so there's that.

Why do I bring up my tattered history? Because we are likely to see the same cycle repeat. It seems all a company has to do is say they do "BYOD," have a network anti-malware gateway, or do something related to security big data and they have VCs falling all over themselves to write checks. The companies will raise the money at valuations that are too high, setting expectations that are too high, and needing to spend like drunken sailors (for example, a 30x30 RSA Conference booth for a start-up) to perpetuate the myth of market leadership and momentum.

I've seen this movie before. So have you, but you may not have known that the catalyst for the crazy behavior was investors that paid too much to get a piece of these hot companies.

Contrast that with how smart VCs behave. These folks never left security. They've been in the market, usually as operating executives with extensive contacts with smart folks that build security products. They've been providing seed funding and early stage money for proven entrepreneurs for the past 5 years. You know, when security wasn't sexy. Before "cyber" became common CNN fodder. These investors provided the first money into companies like Palo Alto, even when it wasn't "cool" to build a new firewall. They stuck with a company like FireEye while they started and restarted three times to figure out and find their market. The smart VCs know the right security entrepreneurs and they will fund a company at any time, macro economics and hot market sectors be damned.

But even smart money isn't always right. I worked at a company that thought they were the next coming of Netscreen (you remember Netscreen, right?). They were wrong, but that didn't stop them from raising a lot of money at an insane valuation with a very smart VC leading the investment. That company ran into some challenges, which had nothing to do with hiring me as the marketing guy. That's my story and I'm sticking to it. They eventually got acquired, but the investors didn't make much money on that deal. Mostly because they bought too high and couldn't sell for enough to make it work. Even smart VCs don't always hit a home run, but they hit a lot of singles and doubles.

Turns out the dumb ones pretty much never hit home runs, and they don't hit many singles, either. When the lemmings start jumping into the frigid waters of security investing, it means the market is ready for a correction. We're starting to see some weakness from the public security companies, albeit after a stellar 2012 and very tough year over year comparisons. Does that mean we won't see innovation from some cool security companies? Of course not, innovation continues to happen every day. But the beanstalk doesn't grow to the sky and at some point, even the hot companies come back to Earth.

Why do you care? You just make this stuff work, right? You care because you lived through the Internet bubble, right? If you were in middle school or something back then, ask one of the grumpy old guys in your shop what happened when you made a big commitment to the "market leader," who then went belly up. You can probably still buy a Cobalt Server on eBay, just in case you were wondering. Now is the time to do extra diligence before making a strategic purchase on a product or service.

Or you can buy high and sell low. That's usually a good strategy for success.

Mike Rothman is President of Securosis and author of The Pragmatic CSO

About the Author(s)

Mike Rothman

Analyst & President, Securosis

Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and compliance. Mike is one of the most sought after speakers and commentators in the security business and brings a deep background in information security. After 20 years in and around security, he's one of the guys who "knows where the bodies are buried" in the space.

Starting his career as a programmer and a networking consultant, Mike joined META Group in 1993 and spearheaded META's initial foray into information security research. Mike left META in 1998 to found SHYM Technology, a pioneer in the PKI software market, and then held VP Marketing roles at CipherTrust and TruSecure - providing experience in marketing, business development, and channel operations for both product and services companies.

After getting fed up with vendor life, he started Security Incite in 2006 to provide the voice of reason in an over-hyped yet underwhelming security industry. After taking a short detour as Senior VP, Strategy and CMO at eIQnetworks to chase shiny objects in security and compliance management, Mike joins Securosis with a rejuvenated cynicism about the state of security and what it takes to survive as a security professional. Mike published "The Pragmatic CSO" in 2007 to introduce technically oriented security professionals to the nuances of what is required to be a senior security professional. He also possesses a very expensive engineering degree in Operations Research and Industrial Engineering from Cornell University. His folks are overjoyed that he uses literally zero percent of his education on a daily basis.

He can be reached at [email protected]. Follow him on Twitter @securityincite
