Want to maximise your sale price? Build a product

When you run a cyber-security consulting firm, servicing hundreds of clients, and delivering thousands of projects over the course of many years, you get a pretty good idea of the problems that organisations are experiencing, as well as the problems you are experiencing, and would like to have solved.  From that position, invariably a discussion occurs within the leadership of the company, about whether or not to stay 'pure' as a consulting firm - and do what you know well, recruiting, delivering, and tracking utilisation - or reallocate some of the brainpower in your consulting team towards research & development and more specifically towards the development of some kind of 'product' that will solve the problems you have identified.

The obvious attraction is that products are (often) scalable.  People are not.

Part of the consideration in deciding whether to make this investment, is the expected return at the point of 'exit', particularly, the likely valuation differential that could be commanded at the point of a trade sale.  Having analysed the data for over 600 cyber-security industry transactions completed in the last decade, this is what that premium looks like:

Comparative valuation multiples - software, hardware & consulting led cyber-security businesses, 2004-2013

comparative-valuations.png

So what does the data tell us?

Breaking the organisations into consulting-led, software-led, and hardware-led categories (noting that not enough managed services company data is available for this category to stand alone), and comparing valuation multiples for revenue and profit, with consulting-led firms normalised for each category to '100%', we get the following differentials:

  • Compared to consulting-led firms, hardware-led firms have sold for revenue multiples between 3%-45% higher.
  • Compared to consulting-led firms, software-led firms have sold for revenue multiples between 101%-177% higher.
  • Compared to consulting-led firms, software-led firms have sold for profit multiples between 69%-109% higher.
  • (Insufficient comparative profit multiple data is available for the hardware firms so isn't included)

To put those figures in perspective, if your consulting-led cyber-security business is expected to sell for a revenue multiple of about 2 or a profit multiple of 6, a software-led cyber-security business next door will likely sell for a revenue multiple of between 3 and 5.4, or a profit multiple of between 10.1 and 12.5.  That is a significant difference.

In other words, if you have both consulting and software parts to your business, when valuing the business, it is likely that $1 of profit from your in-house developed software, is worth twice as much as $1 of profit from your consulting business.

Of course, this isn't without its exceptions.  Just looking at listed companies, it's easy enough to find cases of services-driven firms being valued more highly than product-driven firms.  As an example:

PE-mature.png

(Of course, I do acknowledge the significant growth of Checkpoint and Symantec in the services area of their businesses, and particularly Symantec with regard to managed services.  But I would be pretty confident that investors see them significantly as product companies first.)

But then those are all very mature businesses and realistically are well past the point of 'explosive growth'.  When you look at the younger crop of cyber-security product companies, you get some pretty crazy numbers:

PE-fastgrowth.png

To give some perspective on what a P/E of 319 means... Sourcefire's income (profit) for the last 12 month reporting period was a tad over $5 million.  Their current market capitalisation is $1.57 Billion.

But these companies have massive growth potential (Sourcefire has been growing revenue at 25-35% a year), and are also obvious acquisition targets for the more established firms in the market.  The enormous market capitalisations reflect this growth profile and the fact that investors are comfortable the companies will find a way to provide a return to shareholders.

It is also important to recognise, however, that building a successful product business is significantly more difficult than building a consulting practice, and the likelihood of a 'moderate' success is much lower.  In other words, building a consulting practice, it is reasonably easy to run a small team, build up a client base, and operate at a healthy level of profitability for as long as you are willing to continue driving the business.  Building a product business, this type of viability-without-being-the-market-leader is harder to come by, and success is much more likely to be all or nothing.  So while the payoff may be higher, the likelihood of getting a payoff at all is most likely lower.

Also of importance to consider is that the 'buyer universe' changes significantly when your consulting firm starts building a product-led business unit.  Companies that previously may have been interested suitors, may not want the R&D or support and maintenance expenditure necessary for an ongoing product-led operation.  

Ultimately, there are many ways to build a valuable company that will appeal to a sufficient number of potential buyers to achieve a healthy exit for the founders.  What is important, is understanding where the value is within your business, and how to stitch it together into a coherent story to maximise value during the sale process.

Cyber-Security Transactions - Buyer Analysis (or "who is buying all these cyber-security companies?")

At Delling Advisory, we believe that we can provide the best advisory services to our IT security industry clients, through having an unsurpassed understanding of the market, both from first-hand experience having started, built and run IT security companies, as well as from access to unique data and analytics.  

This year, we have collated the data on about 650 cyber-security related transactions around the world, dating back to 2004.  A significant amount of work has been completed to categorise each transaction based on the 'company type' of the acquiring firm, as well as the security-related services that the acquiring firm previously provided and that the target firm provided (professional services / hardware / software / managed services), the country of origin of the acquirer and target, as well as the financial details of the transaction where that information is available (either publicly or via our industry contacts).  An early version of this data set is graphically represented in the map at the start of this post - blue being the acquirer and yellow being the target of the acquisition.

Over the next few weeks, we will start presenting snapshots of this information, to provide a high-level picture of the trends and directions that have taken shape over the last decade, with respect to the cyber-security market.  Obviously there is a significant amount of proprietary data that we have compiled through this process, and we use this information in our advisory roles to better understand and communicate the state of the market, as well as valuation trends and trends in the 'buyer universe'.

To get started, a couple of initial data sets.

Q. Who is buying all these cyber-security companies?

In short, many different companies (and 'company types') are acquiring cyber-security companies.  The defence industry has been in the media for the last few years as one of the most significant buying groups, but back to 2004 they only account for about 12% of all transactions.  Just taking the years 2010 to 2012, when transaction volume was highest in the defence sector, those firms still only accounted for about 18% of transactions (since although their transaction volume went up significantly, so did everyone else's).

The most prevalent acquirers of cyber-security companies are now (and have been every year since 2004), other cyber-security companies, and other IT companies seeking to expand their security-related offerings.

(As an aside, I'm sure people will wonder what 'other' contains.  'Other' contains a mix of companies buying capability to build into their own products, or for diversification.  Some example transactions in the 'other' bucket:

The heavy acquirers - as can be seen from the transaction map at the start of this post, have tended to be companies such as Cisco, McAfee, Oracle, CA Technologies, Symantec, IBM, Microsoft, EMC Corporation and Dell - although the defence primes Raytheon and BAE Systems have also made a dent.

Q. Are transaction volumes sky-rocketing?

Not really.  There are certainly many more cyber-security related transactions now than there were in 2004... but there are many more cyber-security businesses now than there were in 2004.  In broad terms, from 2009 onwards, transaction volume has been about 50% higher than in the period 2006 to 2008.

Cyber-security has become very important to a lot of companies, very quickly.  As a result, and given the difficulties in recruiting cyber-security professionals, adding this capability by acquisition continues to be very attractive.