Long-term business success is rarely (if ever) a result of stumbling into opportunities and making makeshift decisions.
In cybersecurity, as in any other industry, one might start with a good idea and an adequate first realization of it, but if there is no plan for the future, there will be no desired future.
The cybersecurity industry
The advent of modern computer and digital information systems, their widespread use in all aspects of our private and business lives and endeavors and the fact that they have weaknesses that are exploited by malicious actors have spurred the creation and exponential growth of the cybersecurity industry. The latest bout of globalization, which coincided with the rise of IT, also played an important part.
Because of the steady introduction of new IT technologies, the cybersecurity industry continues to be open to newcomers with a good-enough product and plan. For most, that plan involves outside capital/strategic investment or an acquisition/merger at some point in the future.
In order to come to that point, a cybersecurity company must become an attractive target.
A good target for acquisition
Investors and acquirers generally look for companies that meet the following criteria: great team, great technology, great product market fit, strong customer traction, strong unit economics, and so on.
“Acquirers keep in mind additional considerations such as strategic fit with their product portfolio/roadmap, customer profile (both current and future targets), go to market/sales motions, potential cross-sell/up-sell opportunities, and more,” noted Dino Boukouris, Founding Director at Momentum Cyber, which specializes in offering strategic advice for companies in the cybersecurity industry.
“These aspects also factor into the consideration of how feasible it will be to integrate the acquired company into the larger company’s operations post-acquisition.”
Though it might seem counter-intuitive, a cybersecurity company suffering a breach will not always be a deal-breaker for potential acquirers.
“For the most part it is assumed that a cybersecurity company selling cybersecurity products/services has a robust internal security program and any potential breaches would be a concerning signal for a potential acquirer (i.e., if a company cannot protect itself from a breach, why should a customer trust them to be a vendor in their security stack?),” he told Help Net Security.
“That being said, valuation exercises aren’t yet directly influenced by breaches in a formulaic manner. While a breach or any other type of liability for that matter would be disclosed during an acquisition, depending on the magnitude of the breach, associated response, and any potential future liability, it may or may not have a meaningful effect on valuation.”
Raising capital for your cybersecurity venture
Strategic planning must address every aspect of the business. For best overall results, knowing how the market works and always thinking a few steps ahead is crucial.
To founders who find themselves at the strategic crossroads that is raising the next round of capital for their cybersecurity venture, Boukouris, who also teaches the Private Equity & Venture Capital course for MBA students at the University of California Berkeley – Haas School of Business, offers the following advice:
“Always consider that at each round you typically want a step up in valuation, which in turn brings in new investors at this higher valuation who will expect you to exit at an even higher valuation to make an exit worthwhile for them. This often raises the bar for the desired exit value by at least 2-3x at each round. As you raise the bar for an exit, your potential acquirer universe actually gets smaller and smaller since the number of companies who are able to do large deals naturally decreases as deal size goes up. Thus, you should evaluate all strategic options that are on the table every time you are raising their next round of capital, ensuring the risk vs. reward profile of that next round is worthwhile for the company and for yourself as well.”
Also: getting an incredibly high valuation does not mean they have to (or should) take it.
“While the thought of giving up a much smaller percentage of your company may seem appealing at the time of your capital raise, by doing so you’ll only raise the bar that much higher when you go out for your subsequent round of capital,” he explained.
“Future investors will expect that you’ve ‘grown into’ your (for lack of a better word) inflated valuation and will expect your company and associated operating metrics be solid enough to support this valuation. If they are not, you may have trouble finding new investors for the subsequent round, or you may have to raise the round at a decreased valuation (a ‘down round’) – both of which are worrisome outcomes.”
Looking for strategic investors
Looking for strategic investors should be done well before you actually need them.
“Companies often think that they should search for strategic investors either concurrently with or after their search for a lead institutional investor. The reality is most strategic investors move quite slowly, and as such they often take a few months longer than a typical VC to make an investment in a company,” he shared.
“Additionally, many companies don’t get to know these strategic investors until they need them, meaning, until they are looking for funding. Instead, I always recommend reaching out to strategic parties well in advance of ever needing an investment to establish a relationship based on mutual strategic fit, thus organically starting the courting process months, if not years ahead of a potential investment.”