The funding wave is usually driven by some new kind of overhyped problem, with dozens of companies launching largely the same ideas and technologies to solve said problems. In security we are fortunate to have 3. Between anything "cyber," BYOD, and advanced malware (which really means keep the Chinese out), security has become a board-level issue. And who hangs out with CEOs and board members? Right, the VCs. So inevitably VCs get interested in the market sector, especially if they perceive innovation happening. Especially if that innovation is magical and hard to understand (like security) for the typical business school pukes, who inhabit the lower rungs of the VC food chain and chase most of the deals.
No, I'm not talking out of my backside. I spent the better part of a decade working with VCs, both as a company founder and as a senior executive in venture-funded start-ups. When I was the company founder, we had pretty smart money for the first two investment rounds. This was when the Internet bubble was just forming and the investors had lots of security and telecom experience. By the time we were ready for the third round, we needed more money and the Internet bubble was exploding. We looked for smart money, but they didn't like the valuation or our momentum (or lack thereof). We found some dumb money and got the deal done. To be clear, they weren't dumb guys, but they didn't understand the security business. They were smart guys with too much money, trying to hard to get exposure to a hot market sector.
Then we learned that our technology partners were going to screw us. And they did. At around the same time the Internet bubble popped, and we sold that company for the remaining money on the balance sheet. But I learned a lot, so there's that.
Why do I bring up my tattered history? Because we are likely to see the same cycle repeat. It seems all a company has to do is say they do "BYOD," have an network anti-malware gateway, or do something related to security big data and they have VCs falling all over themselves to write checks. The companies will raise the money at valuations that are too high, setting expectations that are too high, and needing to spend like drunken sailors (for example, a 30x30 RSA Conference booth for a start-up) to perpetuate the myth of market leadership and momentum.
I've seen this movie before. So have you, but you may not have known that the catalyst for the crazy behavior was investors that paid too much to get a piece of these hot companies.
Contrast that with how smart VCs behave. These folks never left security. They've been in the market, usually as operating executives with extensive contacts with smart folks that build security products. They've been providing seed funding and early stage money for proven entrepreneurs for the past 5 years. You know, when security wasn't sexy. Before "cyber" became common CNN fodder. These investors provided the first money into companies like Palo Alto, even when it wasn't "cool" to build a new firewall. They stuck with a company like FireEye while they started and restarted three times to figure out and find their market. The smart VCs know the right security entrepreneurs and they will fund a company at any time, macro economics and hot market sectors be damned.
But even smart money isn't always right. I worked at a company that thought they were the next coming of Netscreen (you remember Netscreen, right?). They were wrong, but that didn't stop them from raising a lot of money at an insane valuation with a very smart VC leading the investment. That company ran into some challenges, which had nothing to do with hiring me as the marketing guy. That's my story and I'm sticking to it. They eventually got acquired, but the investors didn't make much money on that deal. Mostly because they bought too high and couldn't sell for enough to make it work. Even smart VCs don't always hit a home run, but they hit a lot of singles and doubles.
Turns out the dumb ones pretty much never home runs, and they don't hit many singles, either. When the lemmings start jumping into the frigid waters of security investing, it means the market is ready for a correction. We're starting to see some weakness from the public security companies, albeit after a stellar 2012 and very tough year over year comparisons. Does that mean we won't see innovation from some cool security companies? Of course not, innovation continues to happen every day. But the beanstalk doesn't grow to the sky and at some point, even the hot companies come back to Earth.
Why do you care? You just make this stuff work, right? You care because you lived through the Internet bubble, right? If you were in middle school or something back then, ask one of the grumpy old guys in your shop what happened when you made a big commitment to the "market leader," who then went belly up. You can probably still buy a Cobalt Server on eBay, just in case you were wondering. Now is the time to do extra diligence before making a strategic purchase on a product or service.
Or you can buy high and sell low. That's usually a good strategy for success.
Mike Rothman is President of Securosis and author of The Pragmatic CSO