Lessons from cybersecurity exits

Lessons from cybersecurity exits
From TechCrunch - April 15, 2018

Dear F0und3r:

What a month this has been for cybersecurity! One unicornIPO and two nice acquisitionsZscalers great debut on wall street, a $300 million acquisition of by Palo Alto Networks and a $350 million acquisition of Phantom Cyber by Splunk has gotten all of us excited.

Word on the street is that in each of those exits, the founders took home ~30% to 40% of the proceeds. Which is not bad for ~ 4 /5 years of work. They can finally afford to buy two bedroom homes in Silicon Valley.

My math is not that good but looks like even some VCs made a decent return. Back of the envelope scribbles indicate that True Ventures scored an estimated ~44X multiple on its seed investment. Others like Bain snagged a ~10X on the A round investment and Venrock which led the Series B round took home ~6X.

We see a similar pattern with Phantom Cyber, which got acquired by Splunkfor $350 million. A little bird told me that they had booking in the range of $10 million. But before we all get too self-congratulatory, lets askwhy did these companies sell at $300 million to $350 million when everyone in the valley wants to ride a unicorn? Clearly, funds like GV, Bain and Kleiner could have fueled more rounds to make unicorns out of and Phantom Cyber.

(Data Source: Pitchbook)

Some of the board members might have peeked at the exit data gathered by the hardworking analysts at Momentum Cyber, a cybersecurity advisory firm. Look at security exit trends from 2010-2017. You might notice that ~68% of security exits were below $100 million. And as much as 85% of exits occur below $300 million.

Agreed that there are very few exceptional security CEOs like Jay Chaudhry who grew up in a Himalayan village, and led ZScalerto an IPO. This was Jays fifth startup and he kept over 25.5% of the proceeds, with another 28.3% owned by his trust. TPG Growth owned less than 10%. After all, he himself funded a substantial part of the company (which raised a total of $110 million). But not everyone is as driven, successful and its ok to sell if the exit numbers are meaningful. Remember what that bard of avon once said:

For I must tell you friendly in your ear,

Sell when you can; you are not for all markets.

(Shakespeare, As you Like It, Act 3, Scene V)

My friend Dino Boukouris, a director at Momentum Cyber, offers some sage advice to all founders who are smitten by unicorns. Before a founder raises their next round, I would reflect on the markets ability to purchase companies. The exit data says it all. As you raise more capital, your exit value goes up, timing gets stretched and the number of buyers who can afford you drops. Dino has a point, you see. As we inflate valuations, your work, my dear CEO, becomes much harder.

If you dont believe Dino, lets look at another recent exit, PhishMe, which was acquired by a private equity consortium for $400 million. Thats a nice number, correct? At the first look, youll notice that the dilution and financial return patterns are similar to that of Phantom. Except that PhishMe took 7 years and consumed $58 million of capital, while Phantom took 3 years and consumed $22.7 million. Timing and capital efficiency matter as much as exit value. Its not just the exit value ~ but how long and how much. Back to my man, Dino who will gently remind you that for the 175 M & A transactions in 2017, the median value was $68 milion. Read that last sentence againvery slowly. $68 million. Ouch!

(Data Source: Pitchbook)

Two years ago inCockroaches versus UnicornsThe Golden Age of Cybersecurity Startupscybersecurity founders were urged to avoid the unicorn hubris. A lot of bystanders, your ego included, will cheer you as you get higher valuations. But arent we all rational human beings, always making data based decisions?

Marc Andreessen will remind you that his best friend, Jim Barksdale, once said If we have data, lets look at data. If all we have are opinions, lets go with mine. Since 2012, my VC friends have funded 1242 cybersecurity companies, investing a whopping $17.8bn. But chief information security officers say that they dont need 1242 security products. One exhausted CISO told me they get fifteen to seventeen cold calls a day. They hide away from LinkedIn, being bombarded relentlessly.

Enrique Salem (former CEO of Symantec) and Noah Carr, both with Bain Capital are celebrating the successful sale of They pointed out that the foundersTim Prendergast and Justin Lundy had lived the public cloud security problem in their previous lives at Adobe. Such deep domain expertise allowed them to gain credibility in the market. Its not easy to earn the trust of their customers. But given their strong engineering team, they were able to build an easy to deploy solution that could scale to customers with 1000s of AWS / Azure accounts. Customers were more willing to be reference-able, given this aligned relationship.

You, my dear CEO, should take a page from that playbook. Because Jake Flomenberg, Partner at Accel Partnerssays, CISOs are suffering from indigestion. They are looking to rationalize toolsets and add very selectively. New layer X for new threat vector Y is an increasingly tough sell.According to Cack Wilhelm Partner at Accomplice, Security analysts have alert fatigue, and CISOs have vendor fatigue. You are one of those possibly, wouldnt you agree?


Continue reading at TechCrunch »