Security is needed - but that doesn't make it a good VC investment

VC's are predictable animals. They go to where they think they can make money. Evidently that is not security anymore. Though if you check out Richard Steinnon's map mash-up showing the number of security companies in the Valley - we'll be working through the overhang of when they thought they could make money for years to come. Of course, many folks (myself included) took David Berlind to task last week about his comments regarding Microsoft driving everyone out of the security business.

But let's look at it from the investor's perspective. Lord knows, if there is no investment capital to fund the next wave of innovation for security companies - the bad guys are going to have a field day. VC's are concerned about the liquidity paths for many of these investments and they should be - that's what they get paid for.

In a post yesterday, Sagi Rubin of Gemini Israel Funds - frets about the state of the security market and whether investing further capital in the space makes sense in this post. This is a good quote that sums up some of his concerns:

The underlying statement was - No big exit potential for security startups (in other words - acquisitions will be sub $50m). This is also the sentiment of many VCs (VC investment fell 20% in 2005)

Moreover, some of the reasoning was this:

• A maturing industry (that's consolidating)
• No IPO activity in security (only 3 IPOs in NASDAQ the last 5(!) years)
• The fact that the startups end up as "point" solutions which large companies like to view as "off balance sheet R&D" acquisitions
• And the fact that many segments are considered overfunded...

So what? These VC's think they are going to get another Google in the security space. They aren't. There's never been a Google or eBay in the space. If you look at the public companies that do security, the biggest pure play is now McAfee. Sure they have a nice valuation, but Google they ain't.

It's because security is largely still considered insurance. It's a defensive tactic - not an offensive one. No one (well, almost no one) considers buying a security product to sell new innovative products through totally unforeseen channels. But everyone needs insurance. Unfortunately it's not sexy. So pure play insurance companies have crappy valuations relative to "financial services supermarkets." Similarly we'll see pure play security companies will similarly crappy valuations relative to folks that do everything (or say they do anyway).

Security also touches every aspect of the technology infrastructure. Thus, it's virtually impossible to control the entire security environment. Many are trying and that's why Cisco, Symantec, McAfee, and CA keep buying everything that isn't chained to the radiator. But there is no panacea, no silver bullet, no single vendor that will make all the problems go away. None, nada, zilch. Let's be very clear on that.

Given my current role, I don't much care whether the VC's will get great exits out of the way too many security companies that already exist. They have no one to blame but themselves for pumping too much money into crappy teams that had non-innovative ideas. That's Darwin at work and I love to see it.

Sagi ends with some wisdom, which I believe is the future funding model for security technologies.

Given the low exit valuations, entrepreneurs need to find out ways to create companies that have highly capital efficient models (i.e. will need less than $5m or $10m investment over their lifetime). Such companies could still make great returns for their investors (although they still might not fit into the VC model)

Amen to that. Starting a company is cheap now and with open source distribution and the blogosphere to magnify the impact of new innovative technologies - you just don't need to raise as much money. $5 million in and the potential of $35-50 million out. What's wrong with that?