Next-Generation Technologies & Secure Development
Late-Stage Startups Feel the Squeeze on Funding, ValuationsStartups Are Slowing Hiring and Pruning Operating Expenses as Storm Clouds Amass
Mature cybersecurity startups are beginning to slow hiring and prune operating expenses as macroeconomic storm clouds obscure future funding sources.
See Also: OnDemand | Understanding Human Behavior: Tackling Retail's ATO & Fraud Prevention Challenge
Late-stage vendors want to make their cash on hand last longer as financial backers grow more cautious with their money, angel investor and SentinelOne and CyCognito board member Dan Scheinman tells Information Security Media Group. Emerging vendors have to grapple with an initial public offering market that has essentially dried up and investors unwilling to offer valuations anywhere near 2021 levels (see: PE Firms 'on Prowl' for Take-Private Cybersecurity Deals).
"People are really starting to realize that we've had it great for a long period of time and we may be in for a belt-tightening," Momentum Cyber founder and Managing Partner Eric McAlpine tells ISMG. "That's just the cyclical nature of what we do."
The three-headed monster of runaway inflation, rising interest rates and a prolonged war between Russia and Ukraine that shows no signs of stopping has prompted investors to dramatically shift their strategy. Gone are the days of speculators trying to predict the next big thing; instead, investors are looking to stockpile their money in security vendors with a large base of revenue and healthy margins.
"When they realize that the market is changing, all of a sudden they retreat and say, 'Oh, the growth is not going to continue. There's a new dynamic that I don't understand,'" Forgepoint Capital Managing Director Alberto Yépez tells ISMG. "And therefore, we see that huge slowdown."
Closing the Door on IPOs
Last year's cybersecurity IPOs pose a cautionary tale to any company considering going public right now. KnowBe4, SentinelOne and ForgeRock all did IPOs last year and have seen their stock prices plummet by 32%, 64% and 36%, respectively, over the past six months. Appgate and IronNet went public via special purpose acquisition companies and witnessed stock price drops of 52% and 76%, respectively, over the same time frame.
The downturn has forced public companies to shut down experiments and innovative projects in an effort to cut costs, says Rama Sekhar, partner at Norwest Venture Partners. This has given early-stage startups an opening to go after new markets and product opportunities that public companies can't afford to pursue themselves, Sekhar tells ISMG. Norwest is shifting its money toward early-stage firms.
"The IPO market tends to be either feast or famine. And currently, it looks to be more famine," Scheinman tells ISMG. "There is less capital chasing the late-stage companies. There's a lot of pressure on valuations and capital for late-stage companies." Across the entire market, IPOs are down 80% as compared with this point a year ago, according to Renaissance Capital.
Established security vendors are seen as safer bets and have therefore weathered the economic storm better, with Check Point and Palo Alto Networks stock rising 4% and falling 5%, respectively, over the past half-year. The market took a turn for the worse in April, with stock prices dropping for 24 of 25 publicly traded security companies, according to Momentum Cyber. Only KnowBe4 registered a 2% gain.
"When the market multiples turn down, it's harder," Scheinman says. "Investors are less enthusiastic about buying into companies, and companies can't get valuations that are higher than their last round or might not even be able to find enough investors to invest."
In the private market, the appetite for massive funding rounds is starting to wane following a ravenous 2021. Between 12 and 15 cybersecurity startups received series funding of at least $100 million during each quarter of 2021, with the total amount raised each quarter via nine-figure series rounds coming in between $2.61 billion and $4.97 billion, according to data provided by Momentum Cyber.
But in the first three months of 2022, only nine security startups received series funding of at least $100 million, with the companies combining to raise just $2.28 billion, according to Momentum Cyber. Across the entire market, venture funding in the U.S. fell 8% in the first three months of 2022 to $71 billion, according to PitchBook.
"In Q1, we've seen a slowdown in private growth and a refactoring of valuations," Yépez tells ISMG. "New players investing in the private markets were paying up and giving high valuations in order to get deal access for themselves, but the reality is that is not sustainable. We've already seen a retrench of that wave before taking a pause. And I think that trend will continue."
Preparing for a Rainy Day
Concerns over interest rates and inflation prompted companies who were have funding conversations in late 2021 and early 2022 to pad their coffers with cash. Toronto-based zero trust VPN startup Tailscale decided to raise $100 million despite employing just 35 people due to suspicions CEO Avery Pennarun harbored for months that the market was going to get a little shaky, which turned out to be prescient.
"Seeing the way the market is going, we decided to raise more money instead of less," Pennarun tells ISMG. "In case there's an extended downturn or anything funky going on in the market for a few years, we wanted to make sure we could live all the way through it … I'm very familiar with what happens to companies that don't plan for the worst-case scenario. So we opted to plan for the worst-case scenario."
Fear of having to write down prospective investments when they are up for funding again is prompting some private equity and venture capital firms to pull back until they get a better sense of where the market is going, Yépez says. Uncertainty over whether startups can get more funds at their current valuation will prompt some founders and existing investors to seek an exit via M&A.
"I would argue that we're a bit overdue for a consolidation," Scheinman says. "How many platforms or how many products does a CISO want to manage?"
Across the market, the share prices of billion-dollar startups have plunged by 22% to 44% in recent months, EquityZen found, while Better Tomorrow Ventures reduced the valuations of seven of the 88 startups it's currently invested in, The New York Times reported this week. And D1 Capital Partners decided to stop making new investments for six months after participating in 70 startup deals last year.
'A Day of Reckoning'
Norwest's Sekhar expects it'll take a few quarters for the declining valuations and industry compression to work its way downstream from late-stage startups to companies at the Series A, Series B or Series C phase. But for companies that last year got $1 billion valuations despite having less than $10 million of annual recurring revenue, or ARR, Sekhar said they'll need to buy time to grow into their lofty valuations.
"It's a day of reckoning," Sekhar tells ISMG. "Last year, it was growth at all costs. Investors were rewarding companies that were growing more than 100%. With these crazy valuations, they weren't looking at burn rate. Now, the picture has completely flipped. It's not growth at all costs anymore. Its growth with reasonable cost structures."
Investors are now tracking not only a prospect's burn rate but also their burn multiple, which Sekhar says measures how much cash a startup is spending relative to the amount of ARR it is adding each year. As a result, he says, deals that last year took two days to get done are this year taking two weeks since investors are engaging in far more due diligence to ensure they're betting on a quality asset.
"We've seen this in the past where companies spend irresponsibly and just run off a cliff expecting that they'll raise yet another round," Sekhar says. "I think we're going back to basics and focusing on building great businesses."
Midstage and late-stage security startups have begun examining how many months of capital they have and whether they should slow hiring to buy more time to prove their value, Scheinman says. Startups want to extend how long they can operate before they have to approach investors for more money, given all the uncertainty in the market, he says.
As a result, Scheinman says, venture-backed firms have cut back on hiring and technology purchases and placed greater emphasis on hitting their sales numbers. These cuts will sometimes - but not always - slow the growth curve, and many startups will become more efficient and learn how to do more with less while still hitting their numbers.
"If you're investing beyond what you're making, at some point you're going to run out of money," Scheinman says. "Given the current uncertainties right now, people are saying, 'Wow, we're better off if we can use our money in the bank and extend the period we can go until we have to raise.'"
Trimming the Fat
The lack of mega funding rounds in excess of $200 million might actually be healthy for the industry since many recipients end up burning the money on sales and marketing and creating hype around a product that may be no better than the competition, says Momentum Cyber's McAlpine. There were 16 funding rounds of more than $200 million in 2021, which he says is completely unprecedented.
"They're sort of being anointed as princes," McAlpine tells ISMG. "There's almost like a fait accompli that they're going to be mega cap public companies one day, so people are getting a little bit ahead of themselves in terms of investing in their future."
One of 2021's most-hyped startups was cloud security vendor Wiz, which raised $130 million in March, $120 million in May and another $250 million in October on a valuation of $6 billion. Calcalist reported in April that Wiz flew all of its employees to Mauritius for a week at the end of 2021 and hired top Israeli singers to perform Disney songs for Wiz employees on the Jewish holiday of Purim in March 2022.
Wiz declined an ISMG request for comment.
At least 80% of the CISOs budget is used to maintain a company's existing security infrastructure with established vendors, leaving only 10% or 15% to spend on innovation in emerging fields such as API security, container security and cloud-based email security, says Forgepoint Capital's Yépez. CISOs want to make sure they're picking startups that are keeping up with growth rates across the industry, he says.
"CISOs are always on the lookout for companies that provide the right technology and fill a need," Yépez says. "They need to be cautious in their own investments to make sure they're buying technology that is going to survive."
Focus on Product, Not Pitching
Reduced access to capital will force cybersecurity startups to focus on getting their product into the hands of practitioners that work with and report in to the CISO, says Norwest's Sekhar. Product-led growth is the norm for technology companies such as Atlassian, Datadog and PagerDuty, but very few security companies have figured out how to build a loyal user base before even meeting with the CISO.
Geneva-based SonarSource rode a developer-centric sales model to a $412 million funding round and $4.7 billion valuation last month, with 5 million of the world's 70 million developers already relying on the code security vendor as it pushes to also address code maintainability and reliability. Embracing clean code helps developers be more productive by making code easier to change and less fragile.
"Our promise is not only focused on security," SonarSource CEO Olivier Gaudin told ISMG last month. "It is actually much wider than this. Our promise to engineers is that we are going to help to get all the benefits from the software."
Startups that want product-led growth need technology that stands on its own and is easily downloadable or installable without the need for a long proof of concept in which a technician is in the lab with a client, Sekhar says. CISOs are increasingly tuning out inbound sales and marketing pitches and relying on their peer networks for purchasing decisions, making product-led growth an effective way to get CISO buy-in.
"We're really excited about the next generation of security companies that might get created during this downturn because we've seen this movie play out before," Sekhar says.