Published On: Sun, May 6th, 2018

Lessons from cybersecurity exits

Dear F0und3r:

What a month this has been for cybersecurity! One unicorn IPO and dual good acquisitions – Zscaler’s good entrance on wall street,  a $300 million merger of Evident.io by Palo Alto Networks and a $350 million merger of Phantom Cyber by Splunk has gotten all of us excited.

Word on a travel is that in any of those exits, a founders took home ~30% to 40% of a proceeds. Which is not bad for ~ 4 /5 years of work. They can finally means to buy dual bedroom homes in Silicon Valley.

My math is not that good though looks like even some VCs finished a decent return. Back of a pouch scribbles prove that True Ventures scored an estimated ~44X mixed on a seed investment. Others like Bain snagged a ~10X on a A spin investment and Venrock that led a Series B spin took home ~6X.

We see a identical settlement with Phantom Cyber, that got acquired by Splunk for $350 million. A small bird told me that they had engagement in a operation of $10 million. But before we all get too self-congratulatory, lets ask – since did these companies sell during $300 million to $350 million when everybody in a hollow wants to float a unicorn? Clearly, supports like GV, Bain and Kleiner could have fueled some-more rounds to make unicorns out of Evident.io and Phantom Cyber.

(Data Source: Pitchbook)

Some of a house members competence have peeked during a exit information collected by a overworked analysts during Momentum Cyber, a cybersecurity advisory firm. Look during confidence exit trends from 2010-2017. You competence notice that ~68% of confidence exits were subsequent $100 million. And as most as 85% of exits start subsequent $300 million.

Agreed that there are really few well-developed confidence CEO’s like Jay Chaudhry who grew adult in a Himalayan village, and led ZScaler to an IPO. This was Jay’s fifth startup and he kept over 25.5% of a proceeds, with another 28.3% owned by his trust. TPG Growth owned reduction than 10%. After all, he himself saved a estimable partial of a association (which lifted a sum of $110 million).  But not everybody is as driven, successful and it’s ok to sell if a exit numbers are meaningful. Remember what that minstrel of avon once said:

For we contingency tell we accessible in your ear,

Sell when we can; we are not for all markets.

(Shakespeare, As we Like It, Act 3, Scene V)

(68% of confidence exits start subsequent $100 million. M A Data from 2010-2017. Source: Momentum Cyber)

My crony Dino Boukouris, a executive during Momentum Cyber, offers some virtuoso recommendation to all founders who are soft by unicorns. “Before a owner raises their subsequent round, we would simulate on a market’s ability to squeeze companies. The exit information says it all. As we lift some-more capital, your exit value goes up, timing gets stretched and a series of buyers who can means we drops.” Dino has a point, we see. As we increase valuations, your work, my dear CEO, becomes most harder.

If we don’t trust Dino, let’s demeanour during another new exit, PhishMe, that was acquired by a private equity consortium for $400 million. That’s a good number, correct? At a initial look, you’ll notice that a dilution and financial lapse patterns are identical to that of Phantom. Except that PhishMe took 7 years and consumed $58 million of capital, while Phantom took 3 years and consumed $22.7 million. Timing and collateral potency matter as most as exit value. It’s not only a exit value ~ though how prolonged and how much. Back to my man, Dino who will kindly remind we that for a 175 M A exchange in 2017, a median value was $68 milion. Read that final judgment again — really slowly. $68 million. Ouch!

(Data Source: Pitchbook)

Two years ago  in Cockroaches contra Unicorns – The Golden Age of Cybersecurity Startups cybersecurity founders were urged to equivocate a unicorn hubris. A lot of bystanders, your ego included, will hearten we as we get aloft valuations. But aren’t we all receptive tellurian beings, always origination information formed decisions?

Marc Andreessen will remind we that his best friend, Jim Barksdale, once pronounced “If we have data, let’s demeanour during data. If all we have are opinions, let’s go with mine.”   Since 2012, my VC friends have saved 1242 cybersecurity companies, investing a whopping $17.8bn. But arch information confidence officers contend that they don’t need 1242 confidence products. One tired CISO told me they get fifteen to seventeen cold calls a day. They censor divided from LinkedIn, being bombarded relentlessly.

Enrique Salem (former CEO of Symantec) and Noah Carr, both with Bain Capital are celebrating a successful sale of Evident.io. They forked out that a founders — Tim Prendergast and Justin Lundy had lived a open cloud confidence problem in their prior lives during Adobe. “Such low domain imagination authorised them to benefit credit in a market. It’s not easy to acquire a trust of their customers. But given their clever engineering team, they were means to build an “easy to deploy” resolution that could scale to business with 1000s of AWS / Azure accounts. Customers were some-more peaceful to be reference-able, given this aligned relationship.”

(Source: Momentum Cyber)

You, my dear CEO, should take a page from that playbook. Because Jake Flomenberg, Partner during Accel Partners says, “CISOs are pang from indigestion. They are looking to justify toolsets and supplement really selectively. New covering X for new hazard matrix Y is an increasingly tough sell.” According to Cack Wilhelm Partner during Accomplice, “Security analysts have warning fatigue, and CISOs have businessman fatigue.”  You are one of those possibly, wouldn’t we agree?

Besides indigestion and fatigue, a CISO roles have spin demanding. William Lin, Principal during Trident Capital Cyber, a $300m account forked out that “the purpose of CISO has bifurcated into handling risk same to an auditor and during a same time, handling formidable engineering and record environments.”  So naturally, they are handling their time some-more carefully and not looking brazen to assembly one some-more startup.

Erik Bloch, Director of Security Products during SalesForce says that while he keeps an open mind and is peaceful to demeanour during innovative startups, it takes him weeks to arrange calls with a right people, and months to range a POC. And let’s not forget a towering of paperworks and authorised agreements. “It’s good to contend we have a Fortune 100 as an early customer, though only be warned that it’ll be a long, tough highway to get there, so devise appropriately” he forked out.

So, my dear founder, as a highway gets harder, appropriation slows down. Look during 2017 —  despite all those large hacks, Series A appropriation forsaken by 25% in 2017. Clearly, many of a seed saved companies are not delivering those Fortune 100 POC milestones. And are incompetent to lift a Series A.  Weep, if we must, though let us remind ourselves that out indicate solutions are not that considerable to a CISOs.

All a founders we know are perplexing to lift a formulaic $8m Series A on $40m pre. But not any startup that wants 8 on 40 deserves it. Revenues and expansion rate, those old-fashioned metrics matter some-more than ever. And some investors demeanour for a peculiarity of your customers.  Aaron Jacobson of NEA, a multi-billion dollar try account says, ”A pivotal value motorist is a thought-leader CISO as a customer. This is mostly a good indicator of value creation.“

When markets get swarming and all startups sound a same, investors find quality, or pierce to after stages.  They like to see good proven companies, that have solved a lot of elementary problems. And separated riskier stumbling blocks. Like product-market fit, pricing and go-to-market issues. Naturally, a after theatre valuations are rising faster. Money is chasing quality, expansion and returns.

Median Post-Money Valuation by theatre for cybersecurity companies (Source: Pitchbook)

The confidence IPOs offer a sobering view. This is a prolonged journey, not for a gloomy of heart. Okta changed fast, consumed ~4X some-more collateral as compared to Sailpoint and delivered good returns.

Innovating with go-to-market strategies

In a nearby term,  the large plea for you, dear confidence founder, is offered in an over swarming market. If we were you, I’d remember that creation should not be limited to merely technology, though can extend into sales and marketing. We miss creativity when it comes to selling – ask Kelly Shortridge of Security ScoreCard. She should get some kind of BlackHat endowment for building this godforsaken Infosec Startup Bingo. If we find any startup businessman that uses all these words, and wins this bingo, greatfully DM me ~ we will soon trim my conduct in shame. We got here since we do not possess elementary selling muscles. We duplicate any other while a business hurl their eyes when we representation them.

Sid Trivedi of Omidyar Technology Ventures wants to work with a developer focussed startups. He says, “Look during companies like Auth0. The sales potency on developer-focused platforms is tremendous. You can go to a CISO, CIO or CTO and indicate out that X series of developers are profitable to use my technology. Here are their names, since don’t we speak to them? And then, let’s plead an craving permit for a full company?” That proceed works like magic. Overwhelming infancy of a program IPOs like Twilio, Mulesoft, SendGrid are developer platforms.”

If we go top-down in a hurry, we can pile-up and burn. we am wakeful of an desirous confidence businessman who used executive spin vigour during a Fortune 50 company. They kicked their approach into a POC. And got kicked out by a infosec team. The furios infosec group broken a businessman in a technical assessment. we was told that a product was organic though a vendor’s impatience and domestic gymnastics killed a deal. Let us not forget elementary truth: many times CISOs spin to their subordinates for recommendation and decision-making, so don’t only sell to a top. Nor omit a rest of a people in a room.

With some-more noise, a buyers freeze. Margins shrink. Revenues and expansion slows down. Which means it’s harder to get to your milestones before your subsequent round. Running out of money is not fun. Nor is a down round, layoffs and such. So while this is easier pronounced than done, greatfully lift reduction and do more. And maybe, only maybe, we can keep 40% of a $350 million exit.

If we have questions or existential dilemmas, we can always find me, chatting with a accessible VC in South Park.  Or I’m always around in a devoted secure universe of Signal.

Stay protected during that annual confidence bolt called RSA.

Kindly,

Mahendra

PS: Let’s not forget to demonstrate a thankfulness to those analysts during Momentum Cyber and Pitchbook for painstakingly tracking any investment, examining and presenting suggestive data. They assistance us demeanour during a forest, and make a tour easier. Send them a thank-you tweet, some wine, chocolates, flowers or home-baked cookies.

About the Author

Leave a comment

XHTML: You can use these html tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>