A volatile public market and bandwagon investors will have a trickledown effect on the cyber startup community during 2022 – driving more modest funding rounds and fewer initial public offerings.
As Night Dragon Founder Dave DeWalt sees it, “2022 is all about getting ready for 2023.”
This more conservative preview of the year to come is in stark contrast to the surge of the two most recent years past. According to DeWalt’s cybersecurity focused investment bank Momentum Cyber, which just released its Cybersecurity Almanac market assessment, total investment into cybersecurity soared in 2021, more than doubling over the previous year. Investors poured $29.5 billion in total venture capital financing across 1,000+ deals, up from $12.4 billion in 2020 – a year that experienced explosive year-over-year growth in its own right. Of the 1,043 total transactions in 2021, 84 were greater than $100 million and total financing value was up 138% over the year prior.
Such growth reflects what DeWalt calls a “golden age of cyber,” where you have “more technology, more vulnerabilities, more attack surface, more attackers, more levels of danger.” And that leads to more investment. Consider this: In 2010, when DeWalt was CEO of McAffee, Intel bought the company for $8 billion, with $2.5 billion in revenue; CrowdStrike, which was formed by former McAfee leaders, was valued at $7 billion revenue at the time it went public, with only about $250 million in revenue on the books.
“It just shows the size of the market and the environment,” DeWalt said.
But 2022 promises to be quite different said both DeWalt and Bob Ackerman, founder and managing director of AllegisCyber Capital, in an interview with SC Media. The threat landscape will continue to drive demand for cyber development, but outside forces will make investors a little more cautious: oversaturation in certain areas of the market will result in underwhelming growth for some and eventual failure for others; and a market correction happening among publicly traded companies will suppress valuations among private cyber businesses, and delay IPOs.
“There's this dislocation of value that's emerged,” DeWalt said. “Go to the threat intelligence space or endpoint space, or networking space, and count hundreds of vendors. A lot of that innovation is wasted because the market shifted; the network as we know it dissolved in front of our eyes in the last two years for SASE -like cloud networking. So what happens to all those vendors?"
The fallout of the ‘venture herd’
Indeed, Ackerman said that oversaturation comes at least in part from “the venture herd,” which creates a bifurcation between startups of great promise and more of the same.
“How do you get a hundred threat intelligence companies when you probably need five? The venture ecosystem will do that,” Ackerman said. “On the flip side, there is the really disruptive stuff where we begin to stop playing whack-a-mole and get proactive in terms of building. And whatever you think is zero trust as a moniker, when you begin to think how we can design more secure systems, secure by design, how we get proactive as opposed to reactive – that is the frontier of where innovation needs to take place.”
Those areas are actually under invested, he added – requiring a level of domain expertise to predict where the puck is going. They also can struggle to get the necessary talent, because the pool of underwhelming startups “suck the oxygen out of the room."
For that reason, in fact, Momentum Cyber – which tracks 6,850 cybersecurity startups – is going to start tracking failures for the first time this year: how many went bankrupt? How many just closed the doors? How many merged for less than where their value was in the last round? How many experienced down rounds?
“Innovation is a game of inches," DeWalt said. "But can they scale their business with the go to market strategy – sales, marketing, partnerships, alliances, global distribution? That's a game of miles. That’s what's going to decide who will win and lose.”
The number of failures that emerge will also be influenced by the market correction underway among public companies, which have experienced significant contraction in just the last couple of months.
CrowdStrike, for example, is trading at its lowest multiples since 2020, despite pretty phenomenal performance and a five-year revenue growth averaging in at 99 percent, according to Investor Place. This is not specific to cyber, both DeWalt and Ackerman note; market corrections emerge with any fast and furious surge. But it nonetheless trickles into the private sector, usually a couple quarters later.
Simply put, the days of being able to raise whatever you wanted at any price will be over, said Ackerman.
“Companies still need to show innovation, but their capital efficiency is also going to become much more apparent,” he said. “Because suddenly there is a cost of capital.
“There's a period of adjustment happening, which is painful, but this is healthy at the end of the day.”
IPOs will also be put off. Just last week, Arctic Wolf CEO Nick Schneider walked back a bit from prior comments about a 2022 IPO, telling SC Media that he couldn’t comment on timing of financial moves, and that an IPO is one option, “but there are other options we can consider and we’ll make that known when we get to that point in time.”
Considering that public companies are growing in the mid thirties as a percentage, DeWalt said, and trading at four times revenue, “you're going to go public and go down hard. That is pretty much out of the cards unless you're in the top 1% category.”
So is this a bad sign? A bubble preparing to burst? More the natural cycle, said both DeWalt and Ackerman, who pointed to the resiliency of the cyber market. Companies should use 2022 to get ready for 2023, when they expect the pendulum to swing back, which changes the strategic imperatives. How is SOX readiness and FedRAMP support? Is the company internationalized as a product and a capability? Are advisory councils in place? Can the company build the foundation it takes to sustain a public offering for 6, 8, 12 quarters after going public? These are the questions they should be focused on. It will all culminate in a powerful 2023.
As the company’s vice chairman, DeWalt was a part of the successful IPO of ForgeRock a year ago, which raked in $275 million and saw its stock price rise by 40 percent to give the enterprise digital identity management provider a valuation of $2.8 billion. And yet, he wonders if waiting would have been wiser.
“We're paying a little bit of a price for that now, because had we waited, we could have even been a stronger company going public in 2023 potentially than we were going public in 2021,” he said.
DeWalt and Ackerman are now telling their own portfolio companies that 2022 should be seen as a readiness year, versus an accelerate year, and to not race to an IPO.
“The venture herd is very reactionary,” said Ackerman. “It will pull back, and that will deny some oxygen to the marginal companies or even the good companies that just get caught up in the correction. It's not the rush for the gates. But it's okay; now we get to build.”