Demographics as destiny

by Brenon Daly

In sports, the old joke goes that to be successful, athletes need to pick their parents wisely. In much the same way, to be successful, tech startups not only need to pick their parents wisely, but also their birthdate. Demographics are destiny, at least when it comes to exits.

Consider the prevailing acquisition valuations for different age groups of information security (infosec) vendors in 451 Researchs M&A KnowledgeBase. (To be clear, the deals are sorted by the founding date of the target, regardless of when the transaction was announced. Our data covers all infosec sectors going back to 2002.) The conclusion: When a company comes to market goes a long way toward determining what it’ll be worth when it leaves the market.

Infosec providers born in the 1980s, on average, garnered 3.3x trailing revenue when they sold. Representative transactions of that vintage include big platform deals such as Symantec’s blockbuster sale of its enterprise security unit to Broadcom (4.5x) and the just-printed carve-out of RSA Security from Dell. (M&A KnowledgeBase subscribers can see our estimated terms for the most recent RSA transaction.)

Similarly, infosec vendors dating back to the 1990s were valued at an average 3.6x trailing revenue in their sales. For these ‘tweener’ companies – not quite massive platforms, not quite sprightly startups – we would point to the Avast Software-AVG Technologies consolidation (3.2x) and Webroot’s sale to Carbonite (2.9x) a year ago.

Valuations ticked higher for companies founded in the first decade of the current millennium. Our data shows this ‘teenage’ cohort got valued at 5x trailing sales. Deals include the recent take-private of ForeScout Technologies (5.5x) and our estimate of terms on AlienVaults sale to AT&T in mid-2018.

By far, however, the youngest vendors fetched the richest pricing. Companies born in just the past decade pocketed, on average, a stunning 23x sales when they exited. Boosting this valuation are the half-dozen startups acquired recently by Palo Alto Networks as well as Phantoms high-priced sale to Splunk, according to our understanding.

Of course, we would intuitively expect younger, less-developed companies to enjoy higher relative valuations, if just because of basic math. (In price/sales multiples, small denominators yield larger end results.) But that doesn’t fully account for the tremendous M&A premium lavished on the youngest startups. There’s also the allure of youth, which changes the calculation as well.

With their limited history, startups focus on the future. Extrapolating from early successes, these up-and-to-the-right startups are convinced that their businesses will only know success, that they will always have a triple-digit growth rate. Naturally, when it comes time to sell, fast-growing startups expect to be rewarded. That’s true even – or, especially – if their financials are more aspirational than actual.

Figure 1: M&A valuations
Source: 451 Research’s M&A KnowledgeBase

RSA Conference: Mammon and malware

by Brenon Daly

 

Ahead of next week’s RSA Conference, information security (infosec) companies are mastering their marketing and perfecting their pitches as they look to capitalize on the industry’s largest annual get-together. More than 650 companies will officially exhibit their security products and services, with probably at least that many vendors unofficially hawking their wares around the San Francisco-based conference. What’s drawing all of the interest in infosec?

The short answer is money. Or more specifically, the budget dollars that businesses allocate to secure themselves. Even in a time when overall IT is often being asked to ‘do more with less,’ IT folks are being given more for infosec. A lot more. That unprecedented growth is rapidly – and unalterably – reshaping the multibillion-dollar industry.

In a recent survey by 451 ResearchVoice of the Enterprise: Information Security, Budgets and Outlook, nearly nine of 10 IT buyers and users told us their infosec budget was fatter for the coming year than it was in the previous year. That was 10 times the percentage of IT professionals who said they have fewer dollars to spend in the coming year.

And when the respondents to our survey say they have more money to spend, they are talking real dollars. On average, they indicated that their infosec budgets would be 22% higher in 2019 than in 2018. Compare that with broader IT budgets that basically track the US GDP growth of a low-single-digit-percentage increase.

Of course, more money means more hands reaching for it. In infosec, we see that in the ever-increasing number of infosec-focused startups as well as the ever-increasing number of established vendors buying their way into one of the last growth markets for IT spending.

We have already looked at how the growth in VC funding has distorted infosec, with freely flowing venture dollars leading to an overpopulated ecosystem. Our Darwinian take on the market, which we published ahead of the 2016 RSA Conference, is arguably even more relevant today. In the intervening four years, venture firms have poured billions of dollars into infosec startups.

In addition to those freshly formed and richly capitalized startups, existing vendors have also recast their strategies so they can pursue the growth in infosec. Typically, this means a combination of buying and building. Large-cap companies such as Cisco and IBM have both built infosec divisions that measure revenue in the billions of dollars through a series of acquisitions coupled with in-house development: 451‘s Research M&A KnowledgeBase shows the two giants have spent $11.5bn on nearly 40 infosec purchases since 2002.

As to what will dominate the talk on the RSA Conference show floor and at the cocktail events that follow, our infosec analyst team has some thoughts on the trends that are shaping the industry expansion as well as acquisition activity. See our recently published 2020 Tech M&A Outlook: Information Security to get a glimpse of the deals that are likely to get done after the conference packs up and heads out of town.

Figure 1: Infosec spending
Source: 451 Research’s Voice of the Enterprise: Information Security, Budgets and Outlook

Buyout shops buy big in infosec

by Brenon Daly

Buyout shop Symphony Technology Group will carve out most of the information security (infosec) assets from Dell, paying $2.1bn in cash for RSA Security and several other businesses the namesake company picked up over the past decade and a half. The transaction, which had been rumored for months, represents the latest first-generation infosec vendor to land in a private equity (PE) portfolio.

STG will be joined in the purchase by Ontario Teachers’ Pension Plan Board and AlpInvest Partners, with the deal expected to close by Q3. The PE trio’s reach for 32-year-old RSA shares more than a few similarities with several other recent sponsor-led infosec transactions.

For instance, Sophos, which is also a 30-something-year-old veteran of the security industry, went private with Thoma Bravo last fall in a $3.8bn deal. Additionally, ForescouTechnologies is in the process of getting absorbed by a buyout group as it endures a sharp slowdown in sales. And, of course, six months ago, the enterprise security business of industry kingpin Symantec got cleaved off by Broadcom, a corporate acquirer that has built its software division borrowing heavily from the PE playbook.

For Dell, which also tends to operate a bit like a buyout shop, the divestiture wraps up a long holding period for RSA. Dell inherited the security business as part of its 2015 blockbuster $63bn acquisition of EMC. Since that transaction, Dell has shed a number of massive businesses, announcing multibillion-dollar sales of its services unit and infrastructure software division, as well as unwinding EMC’s earlier Documentum buy.

EMC used a similar ‘string of pearls’ M&A strategy with both Documentum and RSA, as the storage giant looked to expand into content management and security, respectively. However, based on proceeds that Dell is pocketing by undoing those two deals, RSA has lost a bit of luster.

According to 451 Research’s M&A KnowledgeBase, EMC paid $2.1bn for RSA in mid-2006. However, the ultimate tab kept climbing because RSA had been a fairly active acquirer. Our data shows the company put up at least one print every year for the first few years under EMC’s ownership. (Under Dell, RSA’s pace dropped sharply, with the most recent transaction being the relatively small purchase of Fortscale Security in April 2018.)

Altogether, by our calculation, EMC/RSA would have spent roughly an additional $1bn on M&A, on top of the original $2.1bn price tag for RSA. Subscribers to the M&A KnowledgeBase can see our proprietary estimates for key acquisitions for the EMC/RSA division, including the 2010 purchase of Archer Technologies, the 2011 reach for NetWitness and the 2013 pickup of Aveksa.

Infosec inflation: Slowing sales, rising prices

by Brenon Daly

Even in a slump, it pays to be an information security (infosec) vendor. The latest company to realize the advantage of doing business in this red-hot market is Forescout Technologies, which is heading private in a $1.9bn deal with a pair of buyout shops. The network access control provider is set to exit Wall Street with a rather rich sendoff, given the mediocre numbers it has put up recently.

Despite a few brief slips, Forescout held itself together for most of last year. Through the first three quarters of 2019, shares soared some 45%. But all of those gains were wiped out overnight in early October as the company whiffed on its sales and losses widened.

According to S&P Capital IQ, revenue growth in 2019 was less than half the 30%+ rate it had been in recent years. Further, the tepid performance is expected to continue, with Capital IQ reporting that the consensus forecast calls for just 12% sales growth at Forescout in 2020.

Yet the vendor’s slowdown barely shows up in the valuation being paid by Advent International and Crosspoint Capital Partners. By our math, the buyout duo is paying 5.5x trailing sales for Forescout. That’s significantly richer than the average valuation of 3.8x trailing sales for all take-privates recorded over the past year in 451 Researchs M&A KnowledgeBase. Our numbers show that Forescout is valued fully two turns higher than both LogMeIn and Cision in their recent leveraged buyouts (LBOs).

Even in the infosec market – where premium valuations are the prevailing prices – Forescout’s looks heady. For comparison, the 5.5x trailing sales multiple for Forescout exactly matches the multiple paid in the industry’s most recent significant take-private, Thoma Bravos $3.8bn LBO of Sophos last October.

That’s the same valuation, even though Sophos has a much more attractive financial model, particularly to cash-flow-focused operators. Sophos put up roughly the same growth rate as Forescout heading into their LBOs, but brings in almost twice as much revenue. Probably more important for the new private equity owners, Sophos throws off several hundred million dollars of cash flow each year, while Forescout is still burning cash.

Locking the doors opened by new technology

by Brenon Daly

For most technology, security is somewhat of an afterthought. That’s particularly true for emerging enterprise technology, where shiny new gadgets and slick new software dazzle us with promise. Under the spell of early adoption, we focus on all of the great things the technology makes possible for us and our businesses. And then we get hacked.

Or something else happens to take off a bit of the luster of the new products. Reality intrudes on dream technology. Belatedly, we find that we just might need to put a lock on some of the doors opened by the new products. That’s one way to think about the recent record surge in acquisitions done to secure all of the ‘things’ that businesses are offering to make their current products more valuable or expand into more valuable markets.

The term ‘IoT security’ has popped up an unprecedented number of times so far this year in 451 Researchs M&A Knowledgebase. In fact, deal volume in this rapidly emerging field is set to triple in 2019, compared with both 2018 and 2017. And to underscore the seriousness of the challenge around shoring up all of those IoT implementations, big buyers are doing these deals. Cisco Systems, Check Point Software and Palo Alto Networks have all put up IoT security prints so far this year, according to our data.

Yet all of this M&A activity may be too little, too late. Even with this dramatic acceleration in the number of IoT security deals, our data shows this crucial component for all of those implementations still accounts for only a lowly single-digit percentage of all IoT dealmaking. In other words, vendors are still overwhelmingly focused on shopping for IoT technology that they can add to their portfolios rather than making sure their IoT technology is secure.

Those priorities, however, are not necessarily serving customers. In fact, customers who plan to boost their IoT spending in the coming year told us that they plan to spend more on shoring up the IoT technology than anything they can necessarily do with the new technology they plan to buy. Almost half (46%) of respondents to 451 Research’s Voice of the Enterprise: Internet of Things, Budgets and Outlook 2019 indicated ‘improved security’ is the single biggest driver for their increase in overall IoT spending.

Figure 1: Drivers of increasing IoT spending in 2019

Source: 451 Research’s Voice of the Enterprise: Internet of Things, Budgets and Outlook 2019

Infosec’s next-gen acquirer

by Brenon Daly

Fittingly enough, Palo Alto Networks took it to record levels. The next-generation information security kingpin has done more acquisitions than any other company in the sector this year, by our tally. And with its latest purchase – the $150m reach for Aporeto – the overall infosec M&A volume in 2019 has now matched the highest annual total in history.

According to 451 Researchs M&A KnowledgeBase, Palo Alto’s purchase of micro-segmentation security startup Aporeto stands as the vendor’s fifth transaction in 2019. (451 Research subscribers can look for our full report on that acquisition later today on our site, including the prevailing valuation the company is paying.) No other buyer in the sector comes close to that cadence of more than one deal every quarter this year.

Even infosec acquirers with well-worn M&A playbooks are putting up a fraction of the number of prints that Palo Alto has done in 2019. For instance, since the start of the current decade, Symantec and Cisco top the list in the M&A KnowledgeBase of most-active infosec acquirers. Yet both of those once-active buyers have announced just a single transaction in the sector this year. (And, of course, Big Yellow doesn’t appear likely to add to its total anytime soon, following the sale of its enterprise security division to the sharp-penciled operators at Broadcom.)

In that way, Palo Alto has now emerged as the next-gen acquirer in the infosec market, just as it emerged as a next-gen vendor in the infosec market a decade ago. It has displaced the traditional providers of exits (Symantec, Cisco) as surely as it has displaced the traditional supplier of firewalls (Check Point Software). To underscore how the firewall market has shifted, consider this: 14-year-old Palo Alto Networks sells more than $1bn worth of gear each year than 26-year-old Check Point, and is growing more than three times faster.

Figure 1:

Source: 451 Research’s M&A KnowledgeBase

Get rich or die trying

by Brenon Daly

As we saw in this week’s offering from Ping Identity, there’s virtually no middle ground for IPOs from the information security (infosec) market. More than any other tech segment, infosec prices its chosen few at astronomical heights, while relegating the rest to a far more earthbound valuation.

Broadly speaking, on a price-to-trailing-sales multiple, infosec IPOs inevitably come to market at either a high-single-digit valuation or at greater than 20x. Nothing in between. None of those deals that price at twice the low end, but half the high end. As a result, when we survey the IPO valuation landscape, we see a very unusual distribution: cybersecurity tends to stack up in two camel-like humps rather than a conventional bell shape.

According to our analysis, Ping is the ninth debutant from the infosec market on US exchanges in the past two years. (See our full preview on Pings offering.) The identity and access management vendor created some $1.6bn in (undiluted) market value in its IPO. That works out to about 7.5x its trailing sales of $215m through midyear.

Ping’s price-to-sales valuation slots right next to the current trading multiples of other recent infosec IPOs such as Tufin Software Technologies (6x), Tenable (7x) and SailPoint Technologies (7x). (SailPoint, like Ping, came public from a private equity portfolio, after being acquired for a fraction of its current valuation.) Similarly, Carbon Black, which came public last year, is being erased from the Nasdaq by VMware in a deal that gives the endpoint security provider a terminal value of 9x trailing sales.

Further out on the histogram of trading multiples, there are the vertiginous valuations of Okta (25x), which came public in 2017, as well as last year’s entrant Zscaler (20x). Both of those are bargains compared with CrowdStrike, which listed three months ago and currently trades at twice the multiple of either of the other highfliers.

Of course, valuation is always relative. Even as some of infosec’s recent debutants look longingly up at the market caps and multiples of others in the industry, there are whole sectors of IT that would gladly take the valuation of a ‘left behind’ infosec vendor like Ping. For a great number of tech startups, even the lowliest infosec valuation would be a trade up.

Figure 1: Infosec IPO valuations

Infosec’s valuation inflation

by Brenon Daly

Acquirers looking to go shopping in the information security (infosec) market had better bring a big bankroll. Valuations are stretched well beyond the going rates for deals in virtually any other IT sector. For instance, a solid-but-unexceptional 20% grower that commands a double-digit multiple in infosec (like Carbon Black) would almost certainly drop into the high single digits in any other industry. And even an infosec vendor that’s shrinking and faces the real possibility of being terminally disrupted (hello, Symantec) still manages to trade for an above-market valuation.

To highlight the recent valuation inflation in the infosec M&A market, consider a pair of $2bn-plus deals that are separated by just a half-decade but clearly belong to different eras nonetheless: Cisco Systems mid-2013 acquisition of SourceFire and VMware’s just-announced purchase of Carbon Black. (Subscribers to 451 Research’s Market Insight Service can see a full report on the latter transaction on our website today.)

Although the two security firms sell into different segments of the markets, both SourceFire and Carbon Black had a similar scale (revenue north of $200m) and similar exits (selling to strategic buyers for double-digit valuations in $2bn-plus deals). While all of those metrics line up very closely, a closer look at the companies shows that SourceFire, at least on paper, had a far more valuable business:

Carbon Black, which is losing $15-20m per quarter, is growing at just 20%.

SourceFire was growing at a mid-30% rate, while also turning a profit.

We highlight the valuation gulf between the two transactions because, in many ways, it exemplifies a recurring complaint we hear about the infosec market from both investors and acquirers: A dollar just doesn’t buy nearly as much right now as it once did.

Cofense removes the Red Threat

by Brenon Daly

 

After a long and torturous process, email security startup Cofense has landed where it appeared headed pretty much the whole time: deeper in the portfolio of existing investor BlackRock. The private equity firm, which picked up roughly one-quarter of Cofense in a recap of the company in early 2018, added the 43% stake that had been held by a Russian investment firm. But it wasn’t an easy deal.

BlackRock’s transition from minority investor to majority owner of Cofense only came after some highly unusual – and highly disruptive – regulatory scrutiny from a secretive US national security agency. A few months after the deal was announced last year, the Washington DC-based Committee on Foreign Investment in the US (CFIUS) began pushing for the Russian investor, Pamplona Capital, to be removed from the syndicate. The reason? Perceived threats to national security.

Under scrutiny from CFIUS, business at Cofense stalled. Customers didn’t want to be buying from a potentially insecure security vendor. (Is the Kremlin reading your email?) Cofense’s growth rate, which had topped 40%, fell to about half that level, according to our understanding. The company had to do some layoffs due to the slowdown.

As growth tailed off, valuation followed suit. Although the exact price couldn’t be learned that BlackRock paid Pamplona for its stake, the transaction is understood to value Cofense at less than the $400m the two buyout shops paid for the company a year and a half ago. For comparison, rival email security provider KnowBe4 raised money this summer at a valuation of more than $1bn.

Still, with the removal of the Red Threat, Cofense at least has the opportunity to get back to business. And a fair amount of business is available. Our surveys of information security buyers and users continually show, broadly, that phishing and the related concern of user behavior is the top-ranked security ‘pain point’ facing organizations. That’s the good news for the company. The bad news: Cofense didn’t even make it into the top-five most-popular vendors for security awareness training, according to the 451 ResearchVoice of the Enterprise: Information Security, Workloads & Key Projects 2019.

Figure 1: Security awareness vendors

A rare trip into rarified air

by Brenon Daly

Symantec’s blockbuster $10.7bn divestiture of its enterprise security business to Broadcom marks a rare trip into rarified air for the information security (infosec) M&A market. Through the first seven-plus months of 2019, 451 Researchs M&A KnowledgeBase shows not a single deal in the segment valued at more than $1bn.

Obviously, the unusual carve-up of Big Yellow blows past that threshold. But setting aside this transaction, which we would very much describe as a one-time deal, a couple of trends are playing out in the infosec market that may make it tough to see many more of those three-comma deals coming for the rest of 2019. We suspect that this year’s total will end up looking up at the three separate billion-dollar transactions we tallied last year.

Helping to keep a lid on deals at the top end of the infosec sector right now are factors including:

Several of the industry’s largest vendors appear unlikely to pursue big-ticket transactions. In some cases, that’s due to internal upheaval (e.g., Symantec, which has announced five billion-dollar acquisitions in the past 15 years). In other cases, it’s due to a likely period of digestion (e.g., Palo Alto Networks, which has dropped $1.6bn in a half-dozen high-valuation deals over the past 18 months).

After only recently starting to print big purchases, private equity firms have slowed their activity at the top end of the market. That move down-market comes after buyout shops have been behind significant infosec take-privates in the past two years, including Barracuda and Imperva.

And most notably, VC dollars have replaced M&A dollars in the ‘unicorn universe.’ In just the past four months, Auth0, SentinelOne, Cybereason and Sumo Logic have all landed funding rounds that value the infosec startups at more than $1bn, according to the premium version of 451 Research’s Private Company Database.

As long as startups only have to give up a portion of their equity to VCs (rather than full ownership to an acquirer), funding will likely be the option of choice for popular infosec startups. Of course, taking money now at such an elevated level assumes that billion-dollar buyers will return at some point to provide big exits. That may well be the case, but it’s a pretty high-stakes gamble nonetheless.