Infosec’s valuation inflation

by Brenon Daly

Acquirers looking to go shopping in the information security (infosec) market had better bring a big bankroll. Valuations are stretched well beyond the going rates for deals in virtually any other IT sector. For instance, a solid-but-unexceptional 20% grower that commands a double-digit multiple in infosec (like Carbon Black) would almost certainly drop into the high single digits in any other industry. And even an infosec vendor that’s shrinking and faces the real possibility of being terminally disrupted (hello, Symantec) still manages to trade for an above-market valuation.

To highlight the recent valuation inflation in the infosec M&A market, consider a pair of $2bn-plus deals that are separated by just a half-decade but clearly belong to different eras nonetheless: Cisco Systems mid-2013 acquisition of SourceFire and VMware’s just-announced purchase of Carbon Black. (Subscribers to 451 Research’s Market Insight Service can see a full report on the latter transaction on our website today.)

Although the two security firms sell into different segments of the markets, both SourceFire and Carbon Black had a similar scale (revenue north of $200m) and similar exits (selling to strategic buyers for double-digit valuations in $2bn-plus deals). While all of those metrics line up very closely, a closer look at the companies shows that SourceFire, at least on paper, had a far more valuable business:

Carbon Black, which is losing $15-20m per quarter, is growing at just 20%.

SourceFire was growing at a mid-30% rate, while also turning a profit.

We highlight the valuation gulf between the two transactions because, in many ways, it exemplifies a recurring complaint we hear about the infosec market from both investors and acquirers: A dollar just doesn’t buy nearly as much right now as it once did.