The hackers appear to be winning. Each month, it seems, another company’s records get compromised and another shadowy group amasses millions of private documents.
The result: Today, any consumers, companies or entrepreneurs who have been paying attention to the news are thinking long and hard about cybersecurity. And so are Silicon Valley’s sharpest investors.
Investment into security start-ups has soared in recent years, creating opportunity for entrepreneurs and risk for venture capitalists trying to avoid the kinds of bandwagon companies that fade away as a market starts to mature.
Special Section: Security
After a year of record-setting hacking incidents, companies and consumers are finally learning how to defend themselves and are altering how they approach computer security.
Last year, there were 240 investments worth a combined $1.7 billion in such companies, up from 83 investments worth just $340 million in 2009, according to CB Insights, a research firm that follows venture money. Those numbers continue to grow. The second quarter of this year was the biggest ever for such investments by dollar value, with $767 million put to work through 56 deals.
“When everybody gets a new credit card mailed out to them because Home Depot got hacked, it’s on everybody’s minds,” said Scott Weiss, a partner at Andreessen Horowitz, the venture capital firm.
More important than proverbial mindshare, security spending is a growing part of corporate technology budgets.
A decade ago, most large information technology customers would spend 2 to 6 percent of their budget on security, estimates Asheem Chandna, a partner at Greylock Partners, a venture capital firm. These days, it is more like 5 to 15 percent, creating an estimated $80 billion-a-year market for security products and services.
The rush of money backing security companies is skewing valuations, just as in other pockets of the tech industry across Silicon Valley. While that can be good news for entrepreneurs and employees at start-ups, it makes it more difficult for venture capitalists to place prudent bets.
“There’s an inflation of valuations across the board,” said Karim Faris, general partner at Google Ventures. “It’s an entrepreneurs’ market. That makes life a bit more difficult as you look to take early-stage risks.”
Several types of security companies are attracting the attention of investors. One is the business of making sure that the person getting access to certain information is authorized to do so. So-called access control and identity management companies are becoming ever more important as employees work from the road, using their own mobile devices to read and edit confidential documents.
Google Ventures has backed one such company, Duo Security, which lets people use their mobile phones to complete two-factor authentication — a type of security that requires a password and another item like a fingerprint or randomly generated number to be used before access is allowed to a secure network.
Other companies are trying to create online environments that limit the risk of contagion. Bromium, a start-up that Andreessen Horowitz has invested in, creates secure spaces on computers for different processes, making it less likely that hackers can expand their reach if they have infiltrated a laptop or PC.
And then there are companies like Skyhigh Networks, backed by Greylock, which monitors networks for unusual activity and alerts administrators if something goes awry — as it often does.
“High-profile security breaches have piqued the interest of new investors,” Mr. Faris said. “You see an incident a week these days in the popular press and a lot more in the security press.”
The recent totals were also bolstered by two late-round investments: a $40 million Series C round for Skyhigh Networks in June and a $42 million Series E round for Centrify, which makes identity management software.
Start-ups are at the vanguard of these specialized products and services. As a result, established security companies — like Juniper, Symantec and others — are working to compete. Over the last five years, the venture capital arms of companies like Salesforce.com and Samsung have spent $1.4 billion investing in security companies, through more than 140 deals, according to CB Insights.
Executives at some older security companies are aware that the industry is changing around them. “The way we deliver information to customers is not as compelling as some of these other solutions,” said Jeff Scheel, who leads strategy, partners and alliances for Symantec. But Mr. Scheel said that technology was changing so fast that even some startups could be outdated soon. “The computing infrastructure is going to change even more dramatically,” he said.
What is more, Symantec has a much larger customer base than start-ups. “We have an opportunity to do it at a scale that doesn’t exist at some of these other companies that are growing fast but that are an order of magnitude smaller than what we’re doing on a daily basis,” Mr. Scheel said. “We’re in 200 million enterprise endpoints and 120 million consumer endpoints.”
But a problem for the big companies is what they can’t offer: a chance at striking it rich with an initial public offering. Among engineers who are coveted for their coding skills, working at a fast-growing security company can be just as attractive as working at popular Internet companies like Dropbox or Box.
“There’s a war raging out there for security talent,” said Mr. Faris, alluding to the sky-high salaries top engineers can earn.
The war is raging for good reason. Successful security companies can become worth billions. Since going public in 2012, Palo Alto Networks stock has doubled in value and is now worth nearly $9 billion. Barracuda Networks, which went public in 2013, is up more than 66 percent, with a valuation of nearly $2 billion. And while FireEye, a network security company that went public in 2013, is trading below its offer price, it is still richly valued and has already struck a $1 billion deal to acquire the cyberforensics firm Mandiant.
But how do investors pick the winners and losers? After all, it is unlikely that all of these companies will survive, and most that do will be acquired rather than go public, Mr. Chandna said.
“The landscape is littered with ‘me too’ companies,” he said. But the security companies that survive could have more staying power, so some investors are professing patience. “Our advice to these entrepreneurs, especially when we have conviction around these companies, is to go play the long ball,” Mr. Weiss said. “If you can get to be a platform, there’s a multibillion-dollar opportunity there.”
An article on Wednesday about online security start-ups misstated the business of one such company, Bromium. It creates secure spaces on computers, not in the cloud, making it less likely that hackers can expand their reach within a laptop or PC, not on a network.