Investing in Cybersecurity: A refined practice
By Annemie Ress, COO, and Boaz Kantor, CTO Cybersecurity, innogy Innovation Hub
The pressure to digitise is intense – regardless of industry. From mobile and cloud platforms to emerging technologies such as AI, companies must keep up or fall behind. With greater digital capabilities however comes a wider surface area of assets to attack. It is no wonder that cybertheft is now recognised as the fastest growing crime in the world and global spending on technology security solutions is expected to increase to $133.8 billion by 2022, according to IDC. The coronavirus pandemic has put cyber security considerations into even sharper focus; with millions of people now working from home, companies and other institutions are scrambling to secure sprawling networks and demand for cybersecurity solutions is likely to escalate at an even faster rate.
At the innogy Innovation Hub, our interest is in cybersecurity as it relates to the energy industry; as part of the critical infrastructure of all nations, it is of particular concern. The proliferation of the Internet of Things (IoT) and a shift towards smarter grids is opening up a whole new set of threats. Recent large-scale disruptions to the industry include a first-of-its-kind cyber attack on the U.S. power grid in March 2019 and hacks to Ukrainian utilities in 2015 and 2016 that resulted in long-term outages.
With so much money going into cybersecurity, growth and innovation in the space is only set to continue. Competition is heating up among solution providers and the pool of targets for eagle-eyed investors is rising. For these investors, the key challenges lie in picking the right company, growing them and making them attractive to sell on in this saturated market.
Over the last few years it has been a great time for cybersecurity-focused start-ups looking for funding or to be acquired, but of utmost importance to look beyond the financial sum and find the right investor that can drive value creation while supporting product and new business development – ideally one with a blend of perspectives as a financial and strategic investor and partner.
Ripe for picking
Demand for cybersecurity start-ups can come from anywhere. 2019 saw a string of high-profile acquisitions from within the cybersecurity industry, with incumbents looking at start-ups as a means of building out their product offering, advancing their enterprise IT and boosting their agility in networks at lower price points. GlobalData counted a minimum of five acquisitions per leading vendor for 2019.
Palo Alto Networks is a prime example, having carried out an average of one major acquisition per quarter since the beginning of 2018. Another example of a highly credible vendor targeting a specific area within the cybersecurity value chain is Mimecast, which purchased Segasec from us earlier this year. Through Segasec’s machine learning capabilities, Mimecast is now able to provide brand exploitation protection to identify potential hackers at the earliest stages of an attack.
Another group driving M&A activity in cybersecurity are corporates. Weighed down by the sheer multitude of solutions on the market, today’s chief security officers are grappling with an overload of data, overlapping functionality, limited oversight and mounting costs. The solution for the firms that have the resources: bolstering and streamlining their cyber defences via the acquisition route. For example, Accenture’s acquisition in January of Symantec’s cybersecurity services business is set to make Accenture Security one of the world’s leading providers of managed security services.
Focusing on the energy industry, innovative and targeted start-ups can help extend the scope of cybersecurity to meet new and emerging needs with next-generation technologies as digitisation takes hold. As part of the energy transition, utilities are looking to innovate their retail business models, enrich customer experience and deepen their engagement with users. The solid trust between brands in the energy industry and adjacent industries becomes fragile on the digital platform and is susceptible to compromise by cyber attacks.
Meanwhile, venture capital (VC) investments into cybersecurity have been rampant. According to research by the National Venture Capital Association and PitchBook, 2019 marked a record year for VC deals involving US cybersecurity firms, both in terms of number, at 311, and value, at $5 billion. So how are acquisitive incumbents and corporates affecting VC returns? Pitchbook research shows that Series A and B investments often do not pay off, whereas later stage ones are more likely to. This is typically because market leaders tend to acquire earlier in the company lifecycle or compete in new business segments internally to limit the start-up’s competitive advantages.
Cutting through the noise
Early-stage investing in cybersecurity companies, whatever the motivation, is a challenging endeavour and reaping the desired returns, be they strategic or financial, is far from straightforward. Investors must be judicious in spotting potential, identifying the right market opportunity and then providing the start-up with the right direction to capitalise on the problem they are solving or to develop new use cases. Strategic and corporate investors who are looking to use something in the business they are investing in, risk overlooking budding trends within the industry while financial investors with a pure returns-first mentality may be lured by the momentum of the cybersecurity market and fail to refine the proposition to fit the end-market need.
A solid foundation of industry, corporate, technology and investment expertise is key to investing in cybersecurity; finding the right company without that blend of expertise is difficult.
A powerful blend
At the innogy Innovation Hub, we have found success using this blend in our multidimensional role as a collaboration platform, mentor and investor in the future of energy. Our informed, comprehensive outlook strengthens not only our judgement when investing – as Segasec’s first investors in 2018, we saw promise in the Israeli cybersecurity start-up before anyone else got there – but also our approach to the mentoring and acceleration of the business. We were able to provide the team with first-hand insights into the energy industry, help to finetune the solution for market needs and immerse the start-up into the customer’s world through pilot projects. Fast forward to January 2020, and we have helped steer Segasec to a successful exit to Mimecast.
Being a hybrid of financial and strategic investor and partner allows us to take financial risk and hedge it with good strategic alignment. We can support strategic explorations with our capital strength and therefore capture early cybersecurity trends before they become financially attractive or widely deployed. While we sought to bring Segasec’s business value to our own cybersecurity organisation, which ultimately led to a commercial agreement, we were also able to bring the start-up new customers in Israel and Europe, help it to enter new markets and provide other tailored growth support, including workshops, ongoing guidance, and opportunities to meet and pitch to potential investors and business partners.
Ultimately, investors who approach a start-up or portfolio company from a corporate and industry angle will have a special advantage in finding the businesses most likely to succeed, with the additional insight for an in-depth understanding of what the firm is up to and a targeted approach to mentoring. As investment momentum continues to build, the size of the global cybersecurity market is forecasted to grow to $248.3 billion by 2023. But the success stories will be limited to those that take a start-up focused approach and foster a symbiotic relationship, with both parties working towards a shared mission.