Security Feels Risky

I have been wondering about security startups recently.  We made a bunch of great security investments in the late 1990’s and at the time our underlying premise was pretty solid:  Many other types of software could be pushed off in the purchasing cycle, but important security functionality and protection could not.  This is what I called the “hair on fire rule”.  While a fortune 500 company could look at the hottest accounting, marketing, collaboration or governance software and think it was pretty nifty, they weren’t compelled to buy it RIGHT NOW.  Why not?

Largely because entrenched software vendors like Oracle, SAP or Microsoft would freeze out the startups by promising to bundle those same features into the next release within 9 months (whether they really planned to or not).  From a corporate executive point of view, why take a risk by paying more to an unknown startup company when my existing vendor will just give it to me for free for just waiting a little while.  However, security was an exception.  If your company is being broken apart by viruses, phishing or spam, then your hair is on fire.  You have to do something right now, not just wait for the future promises of larger companies.  So, you buy from the startup firms.  The startups would then get traction, ramp to $30mm in revenues, file to go public, and probably get bought. Good deal all around.

These days, however, even when the security startups seem to get to about $25mm in revenues (which are the fortunate ones) they get stuck.  What is happening?

First of all, there is a problem with the customers (and that is more true today than even last week when this post was originally written). Wall Street firms are the classic early adopters for security software.  Who needed to be more security-conscious than Citi, Lehman, Goldman, Merrill, and Morgan?   They frequently accounted for the first bunch of revenues the startups were able to book.  So what do you think is happening to those contracts today?  The big financial services firms’ own hair is on fire about staying solvent (or figuring out what to do post-insolvency). They aren’t focused on buying new software, even important software like security. At best, they are engaging in the type of endless pilots that kill startups.  So, our theoretical security startup starts to see revenue growth stagnate or start to drop.  And those who have taken corporate finance (or who have ever been part of a valuation or M&A process) will know that growth rate drives valuation, and that flattening growth kills it.

Secondly, and more troubling insofar as it’s not tied to current events quite so much, there is a problem with the public markets. Even getting to $40mm in revenues no longer means you are close to a public offering.  The public markets’ appetite for enterprise software generally (and technology even more generally) is demonstrably lower today that it’s ever been in the past, perhaps out of recognition of some of the above problems with the space.

A really smart CEO came in to see me this week.  He had been a very successful entrepreneur back in the late 1990s.  He had just finished selling a tired security company for cents on the dollar and felt lucky to have been able to do that.  As we talked, we thought about what happened to the security industry, and he had an interesting take on the situation:

He said that there used to be three levels in the security software ecosystem.

•    Big Fish: These were big companies like Microsoft;
•    Middle Fish: These were public (but not monolithic) companies like PeopleSoft;
•    Startups: New players with innovative technology.

The rules of the game were pretty well established. The Big Fish looked around and bought companies with $100 million in revenue. The Middle Fish were around to buy the startups.  So there were multiple exit points for smaller fish.

What happened is that the middle fish were eventually purchased by the big fish and by big fish in tangential spaces (like Oracle).  So now all you have are big fish, and none of the startups can grow large enough to get their attention in a meaningful way.

So where we are today is an environment where there are a number of security companies with between $5mm and $35mm in revenues that just cannot get the scale to be noticed by the big fish and don’t have the high growth rates necessarily to raise big rounds of capital to buy their way into higher revenues.  I don’t fish much but it makes sense to me – Marlins don’t eat minnows (I don’t think).

The problem isn’t the business case for security software – the hair on fire necessity around security is still there. But problems with the customers, the public exit opportunity and the difficulty of getting to acquirable scale make us very cautious in this space today. For us to get really excited about security, we’d need to believe that the problem being solved is monumental, and that the path to high revenue is both visible and achievable without large inflows of capital. That’s a high bar.