Too Many Trees in the Cyber Forest

The cybersecurity market has grown more than any other technology market over the last decade. Thousands of companies are fighting over every potential investor – a complex and demanding challenge. However, it seems that the rate at which technology evolves produces new web threats and new opportunities.

Illustration: Bigstock

Over the last thirteen years, the cybersecurity market has grown faster than any other technology market worldwide. According to data published by the research company Gartner Inc., this market has grown by a factor of 35 during that period. In 2017 it is expected to reach a value of US$ 98 billion and by 2021 it is expected to grow further to a value of US$ 132 billion.

The massive growth of the cybersecurity market has created a convenient and sympathetic environment for cyber companies raising venture capital, and the capital invested in start-up companies in this field has soared. While in 2010 the total capital raised in the cyber market was about US$ 800 million, in 2016 the total was between three and a half and four billion US dollars. The number of global capital raising transactions in this field increased from 120 transactions in 2010 to more than 300 in 2016.

Over the last few years, we have also witnessed quite a few 'exits' in the field of cyber, some of which involved amounts of hundreds of millions of US dollars. Impressive 'exits' have continued into the present – like the recent acquisition of the Fireglass startup company by Symantec. In short – a proper celebration in the cybersecurity market.

The direct outcome of this venture capital celebration has been the astonishing increase in the number of active cybersecurity companies worldwide. Current estimates list about 1,500 active companies. Israel plays an active and substantial role in this global process and in this country, too, the number of cybersecurity companies has more than doubled between 2011 and 2016: from 150 to 350 companies. This increase has taken place owing to the massive inflow of foreign investors who invest their money in Israeli cyber. However, most of the active companies in this field are still in the initial stages of operations – young, recently-established companies that do not yet generate substantial revenues and may not even generate any revenue. Other companies have already raised hundreds of millions of US dollars, but their sales only amount to a few dozen million US dollars, so that the difference between their value and their actual sales is substantial.

Fighting for Every Investment

Evidently, the current situation where 1,500 companies are trying to sell their products in the market, while hundreds are still young and struggling to raise the next round of capital, is approaching a turning point. Two different forces are pushing the industry toward that turning point: the clients of the cybersecurity solutions and the venture capital investors.

The flood of cybersecurity solution providers, along with the aspiration to acquire the best solutions, has led to a situation where organizations work with a large number of cybersecurity solution providers. Among the largest organizations, the average number of cybersecurity solution providers is around 70 per organization, with some extreme cases of organizations working with more than 100 solution providers. The global average is 9 to 10 cybersecurity solution providers per organization – much higher than any other technological activity.

The need to work with a large number of cybersecurity solution providers has reached a point where clients can no longer continue to increase the number of suppliers, and some of them have even begun to dismiss some of the suppliers they had contracted previously. In this situation, the clients' ability to continue incorporating dozens of new cybersecurity suppliers is doubtful. We may witness a trend where the number of suppliers per organization will be reduced, and clients will prefer suppliers who offer a more extensive range of high-quality cybersecurity solutions simultaneously.

The other factor that pushes the industry toward the turning point is the ecosystem of the venture capital industry. A huge number of startup companies succeeded in raising initial "seed" funding within a relatively short period of time (two to three years). This phenomenal success now makes it difficult for those companies to raise subsequent funding, particularly in the 'A' and 'B' stages. Companies are beginning to encounter a much more challenging environment when searching for the next capital raising stage. As far as the venture capital industry is concerned, it is not logical to finance the 'A' and 'B' stages for hundreds of companies all operating in the same field of activity.

The venture capital industry makes its investments for the purpose of seeing companies grow at a meteoric rate and generate substantial returns (hundreds of percent) on their investments within a relatively short period of time (five to seven years), and it is unreasonable to expect that hundreds of companies will succeed in fulfilling this goal. The scope of the 'seed' investments of the last few years calls for capital on the scale of 3 to 4 billion US dollars only for the present 'A' stages. This process, where difficulties are encountered when raising the 'A' stages after a significant momentum of seed investments, is a familiar phenomenon, and a similar process took place in 2013, for example, in Silicon Valley – a period when many young companies went out of business. Apparently, the world of institutionalized investments in cyber currently faces a funnel that is narrower than it used to be in the last few years.

These two factors, namely the clients' tendency to work with a tolerable number of cybersecurity solution providers and the 'A' stage capital raising funnel, both push for a reduction of the number of active cybersecurity companies in the market, but even the companies that manage to survive will have to adapt to the changing reality of the market.

Nevertheless – the Market is Optimistic

Although it appears that the near future holds a certain reduction in the number of cybersecurity companies around the world, in the long run there is still a reason for optimism regarding the continued growth of the cybersecurity market. The problem itself has not subsided. On the contrary – it still shows a trend of worsening. The average cost of a hack per organization is about US$ 4 million. Other costs, like those associated with the effect on the company's long-term reputation and on client and shareholder loyalty, and even legal expenses, can increase dramatically. The race of mankind toward a more digital, more automatic and more networked future (as reflected by the introduction of such technologies as IoT, AI, Deep Learning, etc. into such industries as transportation, banking, healthcare, commerce, et al.) only enhances the risk potential.

Apparently, the more significant growth opportunities for cybersecurity solutions are to be found in relatively new areas that have not yet been saturated with cybersecurity solutions, like the world of networked and autonomous vehicles, the world of digital medicine and the FinTech world.

The recommendation for entrepreneurs considering entering the cyber field is to consider these and other new worlds, rather than attempting to enter the overcrowded swamp of cybersecurity solutions for organizational networks. Entrepreneurs must realize that they will be required to demonstrate more patience and perseverance in order to grow at the same pace at which cybersecurity companies grew three and five years ago. They should find the investors who would walk the longer, more time-consuming road with them in the coming years, while focusing more on the development of the business and less on raising the company's value in anticipation of the next round.

Apparently, patient investors interested in investing in post-seed and preliminary 'A' stages are likely to find interesting opportunities in the near future, but they are advised to familiarize themselves with the cyber market in order to select the right opportunities out of the massive supply.

In conclusion, it seems that within the next two years we should expect a certain reduction in the number of cyber companies and maturation of the cybersecurity solution market among clients as well as among investors. Someone has to say this explicitly, as it is not necessarily a bad thing.

***

Zohar Rosenberg is VP Cyber Investments at Elron. In the past, he served as Head of the IDF Cyber Department.