Cyber security startups fall on harder times

SAN FRANCISCO (Reuters) – A wave of cyber attacks by criminals, spies and hacker activists should make these heady days for U.S. cyber security startups.

Instead, many in the crowded market are struggling to live up to their early promise. In some cases, the security products they developed have been overtaken by advances in cyber hacking, according to industry executives and venture capitalists. In others, larger competitors have come out with similar technology and locked down customers.

"I have never seen such a fast-growing market with so many companies on the losing side," said David Cowan, a partner at Bessemer Venture Partners, a venture capital firm that has invested in the cyber security sector.

Venture capital continues to pour into the industry, driven by the belief that there is no end in sight to cyber attacks or companies’ need to protect themselves. Yet only a handful of startups have successfully sold themselves or floated in the stock market in recent years. (Graphic: tmsnrt.rs/2mzClbR)

The result is a number of these start-ups have become corporate "zombies" with little prospect of fetching a good price in an initial public offering (IPO) or becoming acquisition targets, experts said. Their early investors have been left without an easy or profitable exit.

Not only is the technology behind cyber attacks rapidly evolving, the nature of how the corporate world uses security firms is changing. To save money and trouble, some companies have consolidated their security work, using just a few large players rather than spreading business around.

Companies are also diverting money to lower-cost "bug bounty" firms that contract out researchers who help identify security weaknesses.

"Suddenly, we are in this situation where there are just too many vendors and too few can be sustained," said Dave DeWalt, the former CEO of cyber security company FireEye Inc (FEYE.O).

"You’re starting to see companies go, ‘oh my gosh, what do I do? Can I get more capital, do I have to merge?’" DeWalt said.

Momentum Cyber, an advisory firm focused on cyber industry mergers and acquisitions, said it tracks 2,500 security companies today, almost double the number a few years ago. The firm’s co-founder, Eric McAlpine, estimates 300 cyber security startups launch every year.

Few of these are pulling off IPOs. What’s more, big software companies have become less willing to acquire cyber security products they believe they can develop on their own.

"The pipe dream days of selling companies at a rich price equivalent to ten times their revenue are gone," said Tom Kellermann, chief executive of venture capital firm Strategic Cyber Ventures.

ForeScout Technologies Inc (Fsct.o), a provider of software that helps companies keep the devices of their employees secure, was the only U.S. cyber security company, excluding identity management providers, to go public last year. This compares to three cyber security IPOs in 2016 and four in 2015.

http://snip.ly/91dbi Continue without interruption

Compliance4All is a professional trainings provider for the regulated industries. It offers professional trainings for regulatory compliance professionals and offers innovative strategic consulting and advice to a broad range of organizations.