Investors tighten scrutiny of cybersecurity startups
Focus on profits instead of growth could be a trend
SAN FRANCISCO — A funny thing happened to Orion Hindawi while he was raising $120 million for his cybersecurity startup last month: Investors asked him about profits.
A year ago, Hindawi raised $90 million, followed by an additional $52 million this year from the Silicon Valley venture firm Andreessen Horowitz. Investors were willing to place a $900 million valuation on his company, called Tanium, without so much as a glance at revenue or profit margin.
This time, not so. As he made the rounds with such investors as Institutional Venture Partners and T. Rowe Price, Hindawi said, he was asked to show profits and sales margins. “A lot of the funders we spoke with are starting to get really scared,” he said. “This time the questions were, ‘Is this a sustainable business? Do you guys actually make money?’ ”
That sudden dose of skepticism about cybersecurity startups, which as a group recorded record investments last year, may be a harbinger of change across the entire technology sector. With global stock markets struggling, investors may be ready to move away from their emphasis on growth rather than profits.
If that shift persists, it will be a dramatic turnabout. Cybersecurity entrepreneurs in recent years have had an easy time raising money as breaches at the nation’s largest companies and government agencies have become front-page news.
In 2014, US venture capitalists poured $1.77 billion, a record amount, into private security startups, topping the previous record of $1.62 billion invested in 2000, at the height of the dot-com bubble, according to Dow Jones VentureSource.
“There was a big rush to fund cyber companies over the past 12 to 24 months,” said David Cowan, a partner at Bessemer Venture Partners. “But now there’s a sense that there are many, many out there already, and a good story is not enough to attract capital anymore.”
And there are too many companies trying to do the same thing: identify “anomalous” behavior on computer networks and respond to attacks in real time, Cowan said.
“That pretty much sums up 95 percent of the companies raising money at the RSA show,” he said, referring to the RSA cybersecurity conference held in San Francisco in April. “If that’s what you’re promising and you think you’ve found a really sexy value proposition, guess what — it’s not that sexy when the room is full of people just like you.”
If interest by venture firms is any indication, Tanium must still be sexy. The Emeryville, Calif., company’s technology can test the millions of computers attached to corporate networks, ask them questions, and patch them or shut them down in seconds, if need be.
Tanium, founded in 2007, became profitable shortly after it started working with customers in 2012. Hindawi and his father, David, were not initially interested in raising venture capital, but the value Andreessen Horowitz was willing to put on their company and the business connections the venture firm could provide were too good to ignore.
Still, Hindawi said he was surprised that venture capitalists were willing to place a $900 million valuation on a young company without so much as a glance at revenue or margin.
“Up until a year ago, nobody cared that we were cash flow positive,” he said. “None of those things factored in. They basically said, ‘We don’t really care. What’s the growth rate?’ ”
The diligence he encountered during the company’s latest funding round was almost a relief, he said, maybe an indication that some semblance of sobriety had returned to tech funding.
But it may be just a semblance. Hindawi turned away $400 million in cash offers in the latest round. The investors who made the cut — Institutional Venture Partners, TPG Capital and T. Rowe Price — valued Tanium at $3.5 billion, nearly four times the $900 million valuation it received last year and double the $1.75 billion valuation that Andreessen Horowitz gave it last March, according to two people familiar with the deal who spoke on the condition of anonymity because the terms were confidential.
Tanium did not need the cash, Hindawi conceded, but he chose to raise money now, in part, because word that he had recently turned down an acquisition offer sent investors flocking to the company’s door — and a quarter-billion dollars in the bank would help it survive if a downturn hit.
“I never want to raise money again,” Hindawi said. “If there’s a market downturn or a ‘black swan’ occurs, I want to make sure we cross that bar.”
Saving up cash from private investors may also be wise because the public markets have not been kind to security companies lately.
So-called next-generation security companies like FireEye, the company that owns Mandiant; Palo Alto Networks; Qualys; and Splunk have all experienced sharp drops in their share prices. Qualys’s stock is down to half the $55 it traded at last May, Palo Alto Networks’ stock is down nearly 18 percent since July, Splunk’s stock is down 20 percent since July, and FireEye’s stock, which reached a high of $85.64 last year, now hovers under $40.