The US government spent $4.7bn on cyber defence last year (while the UK spent just £650m). So how is the cyber security industry shaping up?
The US Department of Defence has requested more funds to support cyber-related operations in 2014 – some $800m (£500m) more than in 2013, when the spend was $4.7bn – emphasising the importance of cyber capability as part of the US government’s overall defence strategy.
In contrast, the UK is spending £650m on cyber security, including £210m on the National Cyber Security Programme.
Cyber fever has also reached the private sector, where businesses are starting to realise the importance of defensive measures.
Q: What has deal activity in the cyber security market been like? Can you really talk about a ‘cyber bubble’?
The cyber security market is not at bubble point and has room to grow. The number of deals is still relatively low, especially in the context of the broader technology space, and demand for cyber security products will keep growing.
If anything, there might be bubbles with individual companies’ valuations because it is hard to value cyber companies in a consistent and precise way.
One challenge is the tremendous speed with which a technology can change from being ‘emerging’ to being at the centre of the action to being overtaken by new threats or defences. There is no way to predict this.
Another challenge for valuation is that some companies are achieving success and even having strong IPOs before reaching profitability. Next-generation threat protection company FireEye, which recently went public, is one example. It lost $36m the year before its IPO and went on, in the first half of this year, to record a loss of $67.2m. Its shares rocketed to more than twice the amount they were put on the market for – a testament to the attractiveness of next-generation, non-signature-based cyber defence technologies.
Nevertheless, the company had good timing and great revenue growth, and it managed to raise about $304m from the offering and has a present valuation of about $2.3bn.
The CEO of another anti-malware company, Zscaler, told Reuters recently that FireEye’s skyrocketing share price was a factor in his decision to advance his own company’s IPO date by some nine months.
Q: Which areas are still seeing some level of growth?
The cloud and mobile sectors will likely spearhead growth because organisations realise how important it is to be able to centralise information and keep it secure yet accessible.
Data analytics and situational awareness are also growing, as they are fast becoming prerequisites for any business. The challenge with the cyber sector is that it is all about the right technology at the right time. Also, investors are keen to put money behind not only good ideas but also good and proven management.
We are still in the early stages of this industry, with many years of growth to go. As the threats evolve, the solutions will adapt. The need for innovative cyber security solutions will not go away.
Growth in cyber is in the double digits, with some organisations growing by 30 per cent year-on-year for several years, so we are nowhere near what some might call a cyber bubble.
As far as government cyber is concerned, authorities have taken on board that it is vital and are involved in the innovation process. This is why there are a growing number of cyber companies clustering around Washington DC rather than Silicon Valley.
Q: What kind of future can we expect for the cyber market?
One of the main problems with the market is that it is fragmented: neither the technology, the market size, nor the basic definition of the sectors are constant.
Furthermore, no single company has guaranteed staying power.
For companies trying to manage their cyber risk, this means constantly spending time and capital to stay on top of the newest technologies. The most sophisticated companies, for example in banking and defence, may keep up-to-date and stitch together several cutting-edge, niche solutions to stay secure. But for many companies that is too hard and they look for an established one-stop-shop that integrates a suite of tools.
For emerging technology companies this leaves two main options: they can either gain investment from an IPO or private backers or get bought up by a technology integrator. Giant IT organisations such as Cisco, Dell and RSA play a consolidating role in the market by acquiring smaller companies with sophisticated technologies and niche offerings which they can integrate into their portfolios.
These larger companies already have comprehensive IT capabilities, so it is a question of fitting security into what they already do rather than deploying a whole new solution. This is what happened with IBM’s recent acquisition of Israeli endpoint protection company Trusteer.
We can expect to see more technologies, more IPOs and more consolidating acquisitions in the next few years.