Locking the doors opened by new technology

by Brenon Daly

For most technology, security is somewhat of an afterthought. That’s particularly true for emerging enterprise technology, where shiny new gadgets and slick new software dazzle us with promise. Under the spell of early adoption, we focus on all of the great things the technology makes possible for us and our businesses. And then we get hacked.

Or something else happens to take off a bit of the luster of the new products. Reality intrudes on dream technology. Belatedly, we find that we just might need to put a lock on some of the doors opened by the new products. That’s one way to think about the recent record surge in acquisitions done to secure all of the ‘things’ that businesses are offering to make their current products more valuable or expand into more valuable markets.

The term ‘IoT security’ has popped up an unprecedented number of times so far this year in 451 Research’s M&A KnowledgeBase. In fact, deal volume in this rapidly emerging field is set to triple in 2019, compared with both 2018 and 2017. And to underscore the seriousness of the challenge around shoring up all of those IoT implementations, big buyers are doing these deals. Cisco Systems, Check Point Software and Palo Alto Networks have all put up IoT security prints so far this year, according to our data.

Yet all of this M&A activity may be too little, too late. Even with this dramatic acceleration in the number of IoT security deals, our data shows this crucial component for all of those implementations still accounts for only a lowly single-digit percentage of all IoT dealmaking. In other words, vendors are still overwhelmingly focused on shopping for IoT technology that they can add to their portfolios rather than making sure their IoT technology is secure.

Those priorities, however, are not necessarily serving customers. In fact, customers who plan to boost their IoT spending in the coming year told us that they plan to spend more on shoring up the IoT technology than anything they can necessarily do with the new technology they plan to buy. Almost half (46%) of respondents to 451 Research’s Voice of the Enterprise: Internet of Things, Budgets and Outlook 2019 indicated ‘improved security’ is the single biggest driver for their increase in overall IoT spending.

Figure 1: Drivers of increasing IoT spending in 2019

Source: 451 Research’s Voice of the Enterprise: Internet of Things, Budgets and Outlook 2019

Infosec’s next-gen acquirer

by Brenon Daly

Fittingly enough, Palo Alto Networks took it to record levels. The next-generation information security kingpin has done more acquisitions than any other company in the sector this year, by our tally. And with its latest purchase – the $150m reach for Aporeto – the overall infosec M&A volume in 2019 has now matched the highest annual total in history.

According to 451 Research’s M&A KnowledgeBase, Palo Alto’s purchase of micro-segmentation security startup Aporeto stands as the vendor’s fifth transaction in 2019. (451 Research subscribers can look for our full report on that acquisition later today on our site, including the prevailing valuation the company is paying.) No other buyer in the sector comes close to that cadence of more than one deal every quarter this year.

Even infosec acquirers with well-worn M&A playbooks are putting up a fraction of the number of prints that Palo Alto has done in 2019. For instance, since the start of the current decade, Symantec and Cisco top the list in the M&A KnowledgeBase of most-active infosec acquirers. Yet both of those once-active buyers have announced just a single transaction in the sector this year. (And, of course, Big Yellow doesn’t appear likely to add to its total anytime soon, following the sale of its enterprise security division to the sharp-penciled operators at Broadcom.)

In that way, Palo Alto has now emerged as the next-gen acquirer in the infosec market, just as it emerged as a next-gen vendor in the infosec market a decade ago. It has displaced the traditional providers of exits (Symantec, Cisco) as surely as it has displaced the traditional supplier of firewalls (Check Point Software). To underscore how the firewall market has shifted, consider this: 14-year-old Palo Alto Networks sells more than $1bn more worth of gear each year than 26-year-old Check Point, and is growing more than three times faster.

Figure 1:

Source: 451 Research’s M&A KnowledgeBase

Get rich or die trying

by Brenon Daly

As we saw in this week’s offering from Ping Identity, there’s virtually no middle ground for IPOs from the information security (infosec) market. More than any other tech segment, infosec prices its chosen few at astronomical heights, while relegating the rest to a far more earthbound valuation.

Broadly speaking, on a price-to-trailing-sales multiple, infosec IPOs inevitably come to market at either a high-single-digit valuation or at greater than 20x. Nothing in between. None of those deals that price at twice the low end, but half the high end. As a result, when we survey the IPO valuation landscape, we see a very unusual distribution: cybersecurity tends to stack up in two camel-like humps rather than a conventional bell shape.

According to our analysis, Ping is the ninth debutant from the infosec market on US exchanges in the past two years. (See our full preview on Ping’s offering.) The identity and access management vendor created some $1.6bn in (undiluted) market value in its IPO. That works out to about 7.5x its trailing sales of $215m through midyear.

Ping’s price-to-sales valuation slots right next to the current trading multiples of other recent infosec IPOs such as Tufin Software Technologies (6x), Tenable (7x) and SailPoint Technologies (7x). (SailPoint, like Ping, came public from a private equity portfolio, after being acquired for a fraction of its current valuation.) Similarly, Carbon Black, which came public last year, is being erased from the Nasdaq by VMware in a deal that gives the endpoint security provider a terminal value of 9x trailing sales.

Further out on the histogram of trading multiples, there are the vertiginous valuations of Okta (25x), which came public in 2017, as well as last year’s entrant Zscaler (20x). Both of those are bargains compared with CrowdStrike, which listed three months ago and currently trades at twice the multiple of either of the other highfliers.

Of course, valuation is always relative. Even as some of infosec’s recent debutants look longingly up at the market caps and multiples of others in the industry, there are whole sectors of IT that would gladly take the valuation of a ‘left behind’ infosec vendor like Ping. For a great number of tech startups, even the lowliest infosec valuation would be a trade up.

Figure 1: Infosec IPO valuations

Infosec’s valuation inflation

by Brenon Daly

Acquirers looking to go shopping in the information security (infosec) market had better bring a big bankroll. Valuations are stretched well beyond the going rates for deals in virtually any other IT sector. For instance, a solid-but-unexceptional 20% grower that commands a double-digit multiple in infosec (like Carbon Black) would almost certainly drop into the high single digits in any other industry. And even an infosec vendor that’s shrinking and faces the real possibility of being terminally disrupted (hello, Symantec) still manages to trade for an above-market valuation.

To highlight the recent valuation inflation in the infosec M&A market, consider a pair of $2bn-plus deals that are separated by just a half-decade but clearly belong to different eras nonetheless: Cisco Systems’ mid-2013 acquisition of SourceFire and VMware’s just-announced purchase of Carbon Black. (Subscribers to 451 Research’s Market Insight Service can see a full report on the latter transaction on our website today.)

Although the two security firms sell into different segments of the markets, both SourceFire and Carbon Black had a similar scale (revenue north of $200m) and similar exits (selling to strategic buyers for double-digit valuations in $2bn-plus deals). While all of those metrics line up very closely, a closer look at the companies shows that SourceFire, at least on paper, had a far more valuable business:

Carbon Black, which is losing $15-20m per quarter, is growing at just 20%.

SourceFire was growing at a mid-30% rate, while also turning a profit.

We highlight the valuation gulf between the two transactions because, in many ways, it exemplifies a recurring complaint we hear about the infosec market from both investors and acquirers: A dollar just doesn’t buy nearly as much right now as it once did.

Cofense removes the Red Threat

by Brenon Daly

After a long and torturous process, email security startup Cofense has landed where it appeared headed pretty much the whole time: deeper in the portfolio of existing investor BlackRock. The private equity firm, which picked up roughly one-quarter of Cofense in a recap of the company in early 2018, added the 43% stake that had been held by a Russian investment firm. But it wasn’t an easy deal.

BlackRock’s transition from minority investor to majority owner of Cofense only came after some highly unusual – and highly disruptive – regulatory scrutiny from a secretive US national security agency. A few months after the deal was announced last year, the Washington DC-based Committee on Foreign Investment in the US (CFIUS) began pushing for the Russian investor, Pamplona Capital, to be removed from the syndicate. The reason? Perceived threats to national security.

Under scrutiny from CFIUS, business at Cofense stalled. Customers didn’t want to be buying from a potentially insecure security vendor. (Is the Kremlin reading your email?) Cofense’s growth rate, which had topped 40%, fell to about half that level, according to our understanding. The company had to do some layoffs due to the slowdown.

As growth tailed off, valuation followed suit. Although the exact price that BlackRock paid Pamplona for its stake couldn’t be learned, the transaction is understood to value Cofense at less than the $400m the two buyout shops paid for the company a year and a half ago. For comparison, rival email security provider KnowBe4 raised money this summer at a valuation of more than $1bn.

Still, with the removal of the Red Threat, Cofense at least has the opportunity to get back to business. And a fair amount of business is available. Our surveys of information security buyers and users continually show, broadly, that phishing and the related concern of user behavior is the top-ranked security ‘pain point’ facing organizations. That’s the good news for the company. The bad news: Cofense didn’t even make it into the top-five most-popular vendors for security awareness training, according to the 451 Research Voice of the Enterprise: Information Security, Workloads & Key Projects 2019.

Figure 1: Security awareness vendors

A rare trip into rarified air

by Brenon Daly

Symantec’s blockbuster $10.7bn divestiture of its enterprise security business to Broadcom marks a rare trip into rarified air for the information security (infosec) M&A market. Through the first seven-plus months of 2019, 451 Research’s M&A KnowledgeBase shows not a single deal in the segment valued at more than $1bn.

Obviously, the unusual carve-up of Big Yellow blows past that threshold. But setting aside this transaction, which we would very much describe as a one-time deal, a couple of trends are playing out in the infosec market that may make it tough to see many more of those three-comma deals coming for the rest of 2019. We suspect that this year’s total will end up looking up at the three separate billion-dollar transactions we tallied last year.

Helping to keep a lid on deals at the top end of the infosec sector right now are factors including:

Several of the industry’s largest vendors appear unlikely to pursue big-ticket transactions. In some cases, that’s due to internal upheaval (e.g., Symantec, which has announced five billion-dollar acquisitions in the past 15 years). In other cases, it’s due to a likely period of digestion (e.g., Palo Alto Networks, which has dropped $1.6bn in a half-dozen high-valuation deals over the past 18 months).

After only recently starting to print big purchases, private equity firms have slowed their activity at the top end of the market. That move down-market comes after buyout shops have been behind significant infosec take-privates in the past two years, including Barracuda and Imperva.

And most notably, VC dollars have replaced M&A dollars in the ‘unicorn universe.’ In just the past four months, Auth0, SentinelOne, Cybereason and Sumo Logic have all landed funding rounds that value the infosec startups at more than $1bn, according to the premium version of 451 Research’s Private Company Database.

As long as startups only have to give up a portion of their equity to VCs (rather than full ownership to an acquirer), funding will likely be the option of choice for popular infosec startups. Of course, taking money now at such an elevated level assumes that billion-dollar buyers will return at some point to provide big exits. That may well be the case, but it’s a pretty high-stakes gamble nonetheless.

Broadcom broadens into security

by Brenon Daly

What began last summer as a head-scratching novelty has now become a consistent strategy at chipmaker-turned-software vendor Broadcom. A year after the semiconductor giant inked the second-largest software acquisition in history, Broadcom has made a big splash in information security (infosec), paying $10.7bn for Symantec’s enterprise security business.

Although the transaction is ‘just’ an asset purchase, it nonetheless stands as the largest infosec acquisition in history, according to 451 Research’s M&A KnowledgeBase. Another way to look at it: Broadcom’s massive bet on Symantec basically equals a full year’s worth of M&A spending for the entire infosec market. (The M&A KnowledgeBase shows annual spending across the infosec sector over the past two decades has ranged widely from $2bn to $28bn, depending on blockbuster deals.)

By virtually any measure, Broadcom is paying up for Symantec’s castoff business. Divestitures, particularly those involving low- or no-growth businesses, invariably garner a discount to broad-market M&A multiples. Depending on the segment and the assets, divestitures can get done at 1-2x sales, or half the prevailing prices in outright acquisitions.

At a purchase price of more than $10bn, Broadcom is valuing the enterprise security division at 4.5x sales. (In the most-recent fiscal year, Symantec’s enterprise group posted sales of $2.4bn, a level that hasn’t really changed in three years.) That’s even slightly richer than the 4.3x that Broadcom paid in its landmark acquisition last summer of CA Technologies.

The most-significant portion of Symantec falling into the portfolio of a financially minded consolidator comes after a prolonged slump at Big Yellow, which has served – not entirely fairly – as a company caught on the wrong side of disruption. As one indicator, consider that its stock price has basically been stuck in place for the past half-decade. During that same period, other business-focused security vendors have emerged and created somewhere in the neighborhood of $100bn – or 10x the terminal value of Symantec’s enterprise business – in both the public and private markets. We’ll have a full report on this transaction for subscribers to 451 Research’s Market Insight service later today.

What might have been (and what may still be) for Symantec

by Brenon Daly

If not for a last-minute snag in talks to sell itself, Symantec would be headed to this week’s Black Hat not as the single-largest vendor in the information security (infosec) market, but as a subsidiary. Negotiations with chip giant Broadcom reportedly broke down over price (what else?), meaning Big Yellow will be unattached and unchaperoned as the hacker’s ball opens in the desert. We wonder, though, how many more industry confabs will Symantec be attending in its current standing?

A public company for 30 years, Symantec generates almost $5bn of sales each year. Part of the difficulty for Symantec right now is embedded in those two facts about the company. Symantec isn’t moving any closer to the $5bn. In fact, in its most-recent fiscal year it actually slipped further away, as Big Yellow got a little smaller in 2018. Declining revenue doesn’t do much for Wall Street investors.

That’s particularly true in infosec, where budgets across the board are fat and getting fatter. A stunning 87% of IT professionals told 451 Research’s Voice of the Enterprise (VotE): Information Security, Budgets & Outlook 2019 that their companies will have more money to spend on security this year than they did last year. On average, respondents to our VotE survey said their security budgets are up 22%, an enviable bump compared with GDP-like growth rates for overall IT budgets.

And yet, Symantec hasn’t been able to enjoy much of the bountiful budgets. That led to the abrupt departure of the company’s chief executive earlier this year, with an interim CEO still leading the industry giant. Symantec’s new chief, who cut his teeth in the semiconductor industry, has a reputation as a straight-talking operator, and he serves a board of directors that tips far more toward finance than technology. Fully half of Symantec’s 12 board members, including virtually all of the directors added in the previous three years, are out-and-out financial professionals.

Given the composition of Symantec’s board and executives, reports of a sale to a financially focused operator such as Broadcom shouldn’t have surprised anyone. (At least not after the chipmaker-turned-enterprise-software-provider shelled out $19bn for CA Technologies, a diversified software vendor that nonetheless shares a similar financial profile and vintage as Symantec.) Although Broadcom wasn’t able to consolidate the infosec giant, the reported negotiations did give a useful glimpse into the most likely outcome for Symantec: a full sale to a financial firm.

The company currently garners an enterprise value of about $16bn, or roughly 3.3x trailing sales. Even with an acquisition premium, Symantec’s LBO valuation would likely be slightly below the prevailing multiple of 4.1x trailing sales in take-privates announced so far this year on US exchanges, according to 451 Research’s M&A KnowledgeBase. Looking specifically at the infosec market, our data shows buyout firm Thoma Bravo has paid 4-5.5x trailing sales in its three purchases of publicly traded security companies in the past three years.

Source: 451 Research’s Voice of the Enterprise: Macroeconomic outlook – Business Trends Q2 2019

Dual tracks: A singular path to infosec riches

by Brenon Daly

Fittingly enough, there are two main types of ‘dual tracks.’ In most cases, dual track refers to a company simultaneously pursuing both of the exits available to startups, M&A and IPO. By keeping one foot on both roads to an exit, an in-demand startup can cultivate new sources of capital on Wall Street while, at the same time, pressuring any acquirer to effectively outbid the public market. Assuming the laws of economics hold, when supply remains constant, any additional demand invariably boosts pricing.

There is also a smaller-scale version of that process, which happens at a level below Wall Street. In a ‘dual track lite,’ a startup also explores an outright sale and a capital raise at the same time. But in this case, the funding comes once again from private-market sources, such as VCs, rather than the public market.

Of course, to be able to effectively – and profitably – dual-track, a startup needs strong interest from the demand side, from both potential backers and potential buyers. And right now, no other segment of the enterprise IT market has more dollars available from both investors and acquirers than the information security (infosec) market.

When it comes to M&A, the 451 Research M&A KnowledgeBase shows acquirers pay two to three times higher valuations in infosec deals than they do in the overall broad market. (Since 2017, our data shows the prevailing multiple in infosec transactions at nearly 6x trailing sales.) And for those security startups pursuing the other track (funding), there is an unprecedented amount of money available from VCs. In just the past month, for instance, we’ve seen big-money fundings for infosec startups, including:

$120m for SentinelOne. (Subscribers to the premium version of 451 Research’s M&A KnowledgeBase can see our proprietary estimates for SentinelOne revenue from 2016-19.)

$100m for Auth0. (Subscribers to the premium version of 451 Research’s M&A KnowledgeBase can see our proprietary estimates for Auth0 revenue from 2016-18.)

$100m for Vectra Networks. (Subscribers to the premium version of 451 Research’s M&A KnowledgeBase can see our proprietary estimates for Vectra revenue from 2016-19.)

But this flood of VC money has skewed the dual track, highlighting just how inflated funding valuations have gotten recently. Consider the two different outcomes, separated by less than three years, for a pair of rival firms. At the end of May, Dashlane raised $110m. We would note that’s exactly the same amount of money that rival password manager LastPass got when it sold the whole company to LogMeIn in October 2015. All in, Dashlane’s funding valuation was roughly 5x richer than the terminal value of LastPass, according to our understanding.

Instant gratification in CrowdStrike’s IPO

by Brenon Daly

Other recent high-flying debutants in the information security (infosec) market have had to take some time to grow into their multi-unicorn status on Wall Street. Not so for CrowdStrike. The endpoint security vendor smashed all pricing expectations on its way to creating a stunning $12bn of initial market value in its IPO.

To put that number into perspective, CrowdStrike’s valuation is roughly equivalent to the M&A spending across the entire infosec market for any given year, according to 451 Research’s M&A KnowledgeBase. Or, sticking to comparisons in the IPO market, CrowdStrike’s debut market cap is twice the initial value created in IPOs by two other recent fast-growing cloud security startups:

Okta came public in April 2017 at a valuation of $2.4bn, and now commands a $14.5bn market cap.

Zscaler came public in March 2018 at a valuation of $3.7bn, and now commands a $10bn market cap.

In its most recent fiscal year, CrowdStrike posted revenue of $250m. Revenue more than doubled last year, helped in part by an astonishingly high dollar-based retention rate of roughly 140%. Although not yet profitable, the company showed some leverage in its model by holding its net loss at the same level over the past two years, even as it doubled revenue.

In the IPO, Wall Street is valuing CrowdStrike at nearly 50 times trailing sales. That’s a heady multiple, significantly eclipsing the current mid-30x price-to-sales multiples for both Okta and Zscaler.

CrowdStrike is, however, still looking up at the current trading multiple of Zoom Video Communications. Zoom shares have tacked on roughly 50% since debuting in April, giving the profitable and fast-growing videoconferencing startup a price-to-sales multiple of nearly 70x. If CrowdStrike could replicate Zoom’s trading in the aftermarket, the infosec startup would be tracking to nearly the same astronomical trading multiple later this summer.