Click here for PDF

Table of Contents
Recession Tests High Security Valuations...read more>>
Sector Is On The Mend...read more>>
Security Beyond The Recession...read more>>
IT Evolution Drives Innovation-Investment Cycle...read more>>
Opportunity Drivers Ahead...read more>>
The Broadening Purpose Of IT Security...read more>>
Recent Updata Advisors IT Security Transactions...read more>>
References...read more>>

Contact Information...read more>>

IT Security: The Worst Is Over

Over the years, IT security has received considerably higher M&A and trading valuations than other technology sectors (see Figure 1 and Figure 2). This is attributable to security's consistently above-average growth (see Figure 3), with emerging subsector demand often rising more than 40% annually (see Figure 4). According to data culled from Updata's internal database, as well as publicly-available documents, the IT security sector has drawn more than $6 billion in venture investment and $25 billion in acquisitions since 2004.
 
Figure 1 Mean IT Security Versus Overall IT M&A Valuations


 
Figure 2 Mean Security Versus IT Public Trading EV / Last 12-month Revenue Valuations


 
Figure 3 IT Security Outperforms Overall IT Spending Growth


 
Figure 4 Projected Annual Growth Rates Of IT Security Subsectors At Emergence



Beginning late last year, the economic slowdown put security's robust growth prospects in question, which negatively affected Q4 2008 security M&A valuations, and deal and investment volumes (see Figure 5). First-quarter 2009 performance fared no better: the number of M&A transactions declined 47% from Q1 2008, deal volume fell 50%, and mean enterprise value (EV) to last 12 months (LTM) revenue multiples fell below 2.0x.¹ While all technology sectors have suffered in the recession, these declines, coupled with VC and lender retrenchment, have led some to question whether security's golden days of premium valuations and frenetic deal activity - 450+ M&A deals and 950+ venture investments since 2004 - are over.²

We do not believe security's best days have passed. Surveys continue to show that security remains a a high-priority budget item for consumers and organizations.³  In fact, the industry's underlying growth trends have never been as strong as they are now:

• As technology permeates more of our lives, physical and digital boundaries are blurring, resulting in progressively greater reliance on IT infrastructures.
  
• New computing, network, and web technologies and applications are creating more vulnerabilities, helping to fuel an explosion of rapidly evolving malware (see Figure 6).
  
• Disruption and data theft by hackers, thieves and spies are rising (see Figure 7).
  
• International web usage growth is driving rapid exploit growth overseas.
  
• Security is critical in order to satisfy compliance mandates and performance/uptime needs.
  
• Dangers to national security have never been more acute.⁴
  
• The 'trust gap' borne of weak security is the primary limiter to Internet commerce expansion.⁵
  

Security Beyond The Recession

Regardless of recently improved public vendor performance, some critics assert that IT security will never return to headier days, nor should it. Proponents of the "security is dead" school of thought (so-named after the statement to that effect by RSA's president at the 2007 RSA Conference) include Microsoft Chairman Bill Gates, Symantec Chairman John Thompson and others.⁹ Their position is that large public vendors have effectively consolidated the maturing security market. This can be seen in the multi-year decline in security venture investment volumes (see Figure 8), the steady reduction in public pure-play vendors (four - Aladdin, Certicom, Entrust, and Hifn - have been acquired, or are in process of being acquired, year-to-date), and the estimated 75-85% IT security spending share controlled by leading broad-based IT vendors.¹⁰  Security-is-dead proponents believe that the gradual dissolution of security as a standalone industry is good because multi-vendor solutions add unnecessary complexity, and that it is better for security to be 'baked' into broader platforms.
 
We believe that security remains a vibrant standalone market and will remain so for the foreseeable future, fueled by changing needs and growing risks. As is often noted, security is a process; it is not completed by one-time purchases of particular products or services.¹¹ Security continually evolves to combat new vulnerabilities and threats. This evolution requires focused private vendors, from which most major security innovations have emerged. Venture capital-backed businesses have shown themselves more adept in tackling emerging opportunities with multi-year horizons than public corporations. This is particularly so today, in an environment where publics are reducing development initiatives to protect profit margins. The security gap created by IT evolution will thus drive continuing investment in start-ups and acquisitions by larger vendors seeking to maintain product leadership, customer loyalty, and growth.
 
So while major industry categories and subsectors are relatively well-established (see Updata taxonomy in Figure 9), incessant demand remains for new and better solutions in these areas driven by change.¹²

Figure 8 IT Security Venture Investment Volume ($M)

 
 

Figure 9 Summary IT Security Taxonomy


 
IT Evolution Drives Innovation-Investment Cycle

In the 1990s, mainstream Internet adoption created the need for antivirus and firewall software, resulting in the IPOs of such leaders today as McAfee, Trend Micro, and Check Point, and major M&A transactions such as Symantec's merger with Axent (Updata advised Axent in this transaction). Widespread broadband availability around the turn of the millennium drove demand for intrusion prevention, web filtering, anti-spam, and access management software, resulting in the IPOs of major players including Internet Security Systems, Vasco Data Security, and Websense, as well as notable acquisitions of Netscreen by Juniper Networks, Brightmail by Symantec, Rainbow by SafeNet and many others. In the past three years, massive digitalization of content created the data loss prevention market (DLP), leading to a string of mostly high-multiple deals in the space (see Figure 10).

Figure 10 Data Loss Prevention Deals
 

 
Each wave of IT innovation drives a pattern of security subsector development, growth, investment, acquisition, and maturation that we call the Security Lifecycle (see Figure 11). This cycle must be fueled by industry innovators as long as IT advances. The current recession has created market distortions due to temporary, but significant, reductions in valuations and available investment/debt capital. The result has been a slowdown in progression along steps of the Security Lifecycle. However, when the market heals, the normal functioning of the Security Lifecycle - and the investment and acquisitions that result - will resume.

Figure 11 Security Lifecycle



While investment and deal activity are strongest in emerging subsectors, opportunities remain even in mature security spaces with large markets. A good example of this is antivirus. Antivirus is entering its 21st year as an industry, has a 90%+ penetration rate on the desktop, and is 85%+ captured by three large public vendors.¹³ Yet 33% of small and midsize businesses still lack antivirus protection, and most antivirus vendors grew revenues in the double-digits in 2008.^{14 15} Furthermore, acquisitions and investments in the antivirus space continue.

Changing threat types and vectors preclude static approaches to the virus problem. Antivirus spending growth has spurred investment in improved and related technologies (anti-spyware, anti-phishing, zero-day detection, behavioral blocking, etc.). This is the "off-shooting" part of Figure 11 above which invigorated an established market, broadening it into anti-malware. There are now at least six private antimalware vendors (AVG, ESET, Kaspersky, Panda, Sophos, and Webroot), each with revenues likely exceeding $100 million, that are taking share from the public market leaders. Similar examples can be seen in other security subsectors including the evolution of intrusion detection to intrusion prevention (host and network), and the combination of standalone subsectors into integrated offerings such as unified threat management, network access control, and post-access monitoring.

Opportunity Drivers Ahead

We expect several meta-developments to stoke IT security demand over the next several years including:

• Government cyber-defense. According to the U.S. Department of Defense, government databases and websites are getting attacked and broken into at alarming rates - cyber attacks increased 31% in 2007.¹⁶  As a result, national governments are integrating the Internet into their defense strategies. All this speaks to large increases in government-led IT security spending. Estimates vary but reasonably suggest an IT security spending boost of $5 billion per year over the next five years at a 15% CAGR in the United States.¹⁷ Areas well-positioned to benefit include strong authentication, identity-based monitoring, vulnerability assessment and discovery, behavior-based intrusion prevention, and data loss prevention (DLP).
  
  
• Cloud computing. The Internet's coming-of-age as an IT platform, the rise of major SaaS vendors, virtualization technology, open source, and hardware standardization are pushing the evolution of computing from a client-server to browser-based model. This will simplify security by pushing certain functions - including patch management, vulnerability scanning, security event monitoring, web and email filtering, and database security - offsite to centralized data centers, reducing the need for as many premise-based security products. There will also be a need for cloud-friendly versions of established products as well as new security management capabilities.
  
  
• IT consumerization. Home and SMB IT spending are rising faster than at enterprises, and comprise half of total IT demand.¹⁸ At-home and at-work activities are blending as dual-use mobile devices (laptops, smart phones, digital storage) and applications (Google, social networks, email) become ubiquitous, and as home and wireless broadband proliferate. Spending for IP-enabled products, such as digital entertainment appliances, facility monitoring systems, picture frames, and TV monitors, is also rising rapidly. All this is driving demand for security to protect consumer and small business IT assets, identities and data, as well as networks accessed remotely and by dual-use devices. Complex mixes of mobile devices and applications, even in smaller businesses, necessitate stronger endpoint security and device management solutions.

• Global development. In 2005, more than 60% of global web content was in English, and 75% of IT spending was in North America and Western Europe. In 2010, these proportions are expected to decline to 40% and 50%, respectively. Broadband access and IT spending in developing regions are rising much faster than in the U.S. and Western Europe. Not surprisingly, IT security spending post-recovery is similarly expected to grow much faster in emergent markets.¹⁹
  
  
• New communications. Voice-over-IP (VoIP), IP-enabled digital kiosks and billboards, mobile data services, and unified communications are each large, rapidly growing markets into which security will figure prominently. The perennial problems of hacking (and with respect to IP-enabled displays, defacement), eavesdropping and data theft all require solutions that are not yet there for these areas and represent substantial growth opportunities.

The Broadening Purpose Of IT Security

One particularly significant change has the potential to dramatically enlarge security's addressable market in the coming years by broadening the concept of what is protected. Since the inception of IT security, security strategy and spending have revolved around protecting technology assets - such as PCs, networks, and applications. But in recent years, we have been steadily migrating toward using technology to protect hard assets - data, facilities, people, and money. The move from technology protecting technology toward technology protecting everything stands to be a powerful secular trend tying the industry into even bigger markets. This is clearly seen in such areas as facility monitoring and access control, anti-fraud protection, and real-world threat detection.

In conclusion, we believe that IT security will steadily regain momentum, reverting toward historical norms with regard to valuations and deal/investment volumes in a noticeable way beginning late this year and continuing through 2010. While there will be failures among established-but-modest-sized security vendors, irresistibly powerful trends point to ongoing sector opportunities and growth led by private vendors in the near future. Figure 12 and Figure 13 show historical transaction activity by subsector and vendor.

Figure 12 Active Acquirers: IT Security M&A Deals Since 2004


 
Figure 13 IT Security M&A Transactions By Sector


 

Updata Advisors has been recognized as a Top 3 Investment Bank in IT Security in 2007, 2008, and 2009 by The 451 Group.