In recent years there has been a well documented trend of cyber-security companies being the target of acquisitions, with the media focus particularly being on the defence sector as the acquirers (despite those organisations making up only a fraction of cyber-security related transactions). Stories such as these:

...have all supported this narrative.

A recent article on the topic - 'Cybersecurity Bubble Bursting for U.S. Contractors', online at Defense News - suggests that a dotcom-bubble-esque situation may have arisen over recent years, through which all cybersecurity businesses have been wearing the halo of opportunity and fast-growth, when in reality not all of them are gems.

It is guaranteed that not all the cyber security acquisitions over the last few years will work out well - but that is true of any grouping of acquisitions... If it was easy to buy and integrate companies, and create massive amounts of shareholder value through the process, it would happen a whole lot more than it does. It is hard, and many acquisitions fail. But there is nothing that currently suggests cyber security company acquisitions are any higher risk than any other inorganic entry or expansion into a related market. Just because they are highly valued, doesn't mean they are overvalued.

That said, it is worth retaining an awareness of the fact that a significant number of risks exist in the cyber security market, specifically including:

The low number of genuinely skilled cyber security professionals, and the associated costs in recruiting and keeping those staff, and the reliance of many organisations on a few exceptional individuals to provide their competitive advantage;
As with many new markets, a lack of clear definition and understanding about what exactly makes up the 'cyber security' market, which would allow organisations to get a better grasp on the market size, and hence the realistic opportunities for growth;
A high likelihood of government intervention in the market in the foreseeable future: Of the over 100 bills proposed in the last two terms of the US congress with cyber security provisions, exactly zero have been passed into law. It is highly unlikely this will continue to be the case (although that depends how the latest industry - cyber-security lobbying - throws its weight and money around);
Significant competition, with the cyber security market being targeted not just by the defence industry, but also by the global system integrators and telecommunications firms (HP, IBM, Tata, Wipro, NTT, Verizon, Telstra and others), the professional services firms (Deloitte, PwC, KPMG, EY, Accenture, Booz Allen Hamilton and others), the specialist security firms (Symantec, McAfee (now Intel), CheckPoint and many others), and many and varied other smaller providers of IT, consulting, or advisory services, who operate in specific parts of the cyber security market;
And more specifically for the defence companies, a lack of experience in some defence primes when it comes to dealing with private sector organisations on lower value / higher volume projects, and the widely varying approaches of these clients to contractual provisions and legal terms, which often clashes with a highly constrained risk model built for long-term Government-focused engagements;

The most obvious and significant difference between dotcom-era companies, and cybersecurity companies today, is that the former were generally aiming for growth (whether in revenue, in 'eyeballs', or in members) with little interest in profit; whereas the latter have generally been run to be profitable businesses and were perfectly viable companies in their own right without being acquired.

It has also hardly been a cyber-taking-over-defence story - the FT article Defence groups move to cybersecurity references the fact that "Jane’s Defence calculates that about 14 per cent of defence acquisitions had cyber as their target last year." While 14% is a significant number given the small contribution that cybersecurity currently makes to most defence industry companies' revenue figures, the fact remains that 86% of acquisitions were in 'non-cyber' areas, the employees of which are a long way from turning out the lights and retraining as hackers. Compare that with the dotcom era and AOL's take over of Time Warner, back when AOL and Compuserve thought they could build a better Internet than the Internet, and the market thought they might have a chance, and there's a pretty significant difference. Until we start seeing cyber-security companies taking over defence companies ("Sourcefire Lockheed", anyone?), we're a long way from a dotcom-sized bubble.

And using the final - and arguably most accurate - bubble gauge, I'm yet to have a Sydney taxi driver tell me to invest in cyber security stocks. Once that happens, I'm running for the exits.

Back in the Spring of 2000, I was finishing University and figuring out what to do next. Two main paths lay before me: Follow many of my peers into the strategy consulting world (McKinsey, BCG, Booz Allen & Hamilton, Bain, AT Kearney and others), or venture out into the great unknown of starting a business. I interviewed with the majority of the consulting firms, and received a couple of offers (although not the ones I really wanted). Weighing up my options, it seemed that it was as good a time as any to try my hand at starting a business, and in the worst case scenario, I'd go back to that consulting pool in a year or two's time.

I started the company which became "SIFT" with a good friend from University, who had similar aspirations to set our own agenda and prove that we could do it. We were very fortunate with SIFT that almost every early recruitment decision we made, worked out better than we could possibly have imagined, with that core team sticking with the company for many years, allowing us to build the company in their image, and believing passionately about the importance of doing things well - a passion that we could never have intended to 'teach', but that arose from a group of like minded people, seeking to make their mark on the world.

We grew slowly at first, then picked up pace in about 2005 once we had been in the market for a while, and started to be quite well known. By this point I was already a regular presenting on the conference circuit, and for five years had attended virtually every industry event I could get into without paying. Conferences, product launches, vendor drinks, breakfast forums, I was there, telling people who we were and what we did.

In 2007, the opportunity presented itself to complete our first corporate transaction, the acquisition of Safecoms Secure IT. As with so much of the business, this arose primarily through the relationship between the founder of Safecoms Secure IT, and myself. I have always believed that the market in Australia is too small to treat 'competitors' badly. Your competitor today could easily be your client or partner tomorrow.

We acquired Safecoms Secure IT, some staff and some clients, and set about making 2007 the strongest year we had yet recorded.

At the end of 2008, I met the Stratsec founders in Melbourne, and immediately felt I was with friends. Within hours of meeting we had started putting together the framework for how SIFT and Stratsec could come together to form the largest information security consulting firm in Australia; and in May 2009, that's exactly what happened. Our 'exit strategy' at that point - loose as it was - was that we expected within a 3 year timeframe, to be at a point where we could look at being acquired. Within 18 months, we were sold.

After approaches by a number of potential acquirers in early 2010, we decided that a piecemeal approach responding to our suitors was both inefficient and likely to result in a sale on someone else's terms rather than our own. I put together our Information Memorandum, and we took it both to companies who had already expressed interest, as well as others who we felt would be a good fit.

BAE Systems Australia was the last company into the process; but ultimately were the successful acquirer. The strategic fit was unquestionable, and their integrity, approach, and growth ambitions, were all a fit for how we did business. When Stratsec was acquired at the end of 2010, we had about 60 staff. By December 2012, that had doubled to about 120 and was continuing to grow rapidly, providing some great opportunities for our young leadership team and creating a genuine 'Tier 1' information security firm in the Australian market.

In December 2012, I finished at BAE Systems Detica (as we had rebranded Stratsec in the weeks before my departure), bringing to a close an adventure which ran for 12 years, 3 months, 2 weeks and a few days. It is something I am very proud of, to have started, acquired, merged, and ultimately sold the company successfully. Very few entrepreneurs get such a 'neat' end-to-end start/build/sell experience.

As time closed in on my departure date, a colleague in the industry, upon hearing that I was moving on, said “That’s a shame, Nick… you were always one of the guys who gave a shit.” It was meant sincerely, and I took it that way. And as I explained at my farewell party, I am more than happy for that to be my main contribution to the culture of Stratsec. These aren’t just projects, it is real life. At Stratsec, that meant that testing a system to ensure a malicious hacker couldn't break into your bank account or your health records, was more than just a 'testing project' - after all, it could just as easily be my, or your, account or record that could be compromised. And now at Delling Advisory, I see the same thing, when I look at how enmeshed many founders are with the businesses they have started and run. These are not just companies to be sold; they are years, if not decades, of long days and nights, and trying to make the business a little bit better every day.

A number of people have asked me what my greatest 'lessons learnt' were, or greatest inspirations, to help make their entrepreneurial journey shorter and easier. The best advice I received was from Bob Metcalfe (inventor of Ethernet and founder of 3Com). Of course, the advice wasn't directly from Bob to me, it was in the form of his 1999 article "Invention is a Flower, Innovation is a Weed" (still online at http://www.technologyreview.com/featuredstory/400489/invention-is-a-flower-innovation-is-a-weed/).

A snippet from the article:

I have a six-story townhouse in Boston overlooking MIT on the Charles River. I often invite young engineers and would-be entrepreneurs over to schmooze. Many of them tell me my townhouse is beautiful and they hope to invent something like Ethernet that will get them such a house.

The picture they have in their heads is of me lounging around on the beanbag chairs in a conference room at Xerox PARC in 1973. They see me having this idea for a computer network and submitting it as an invention proposal to Xerox. Then they envision me putting my feet up and letting the royalties roll in until I have enough to come up with the down payment on the townhouse with the river view.

My picture - the actual picture - is different. It’s the picture of innovation rather than invention, the weed instead of the flower. In my picture it’s the dead of winter and I am in the dark in a Ramada Inn in Schenectady, New York. A telephone is ringing with my wake-up call at 6 a.m., which is 3 a.m. in California, where I flew in from last night. I don’t know yet where I am, or where that damn ringing is coming from, but within the hour I’ll be in front of hostile strangers selling them on me, my company, and its strange products, which they have no idea they need.

If I persist, selling like this for 10 years, and I do it better and better each time, and I build a team to do everything else better and better each time, then I get the townhouse. Not because of any flowery flash of genius in some academic hothouse.

And that is exactly my experience of building Australia's largest information security consulting firm from the ground up. That's Bob's lesson number 1 - "Selling Matters."

"Don't Hire - Recruit", and "Be an Entrepreneur, Not a Visionary" are two others that have resonated with my journey; but they're all great lessons. I cannot recommend highly enough that you read it, think about it, and put it into action.

Is there a bubble in cyber-security company valuations?

Being an Entrepreneur: The Best Advice I Received

Categories

Authors

Tags

Dates