Should you sell your cybersecurity startup?

By Kareem Aly, Investor, Thomvest Ventures

Kareem Aly, Investor, Thomvest Ventures

As an entrepreneur, you need a lot of things to go right. You need a novel idea, an effective go-to-market strategy, a robust team, funding — the list goes on.

The rationale behind becoming an entrepreneur, pursuing a path where you are statistically more likely to fail, varies from individual to individual.

Perhaps the basic premise of your startup is altruistic, with financial incentives bearing no influence. Perhaps you’d like to develop a lifestyle business, accumulating a steady, predictable income stream. Maybe the idea of taking your company public and ringing the opening bell on Wall Street consumes you. Or perhaps you dream of selling your startup for millions.

In Silicon Valley, these latter two reign supreme, and this is especially true in cybersecurity.

So which do you target — M&A or IPO? Ultimately, no one can answer that except you, the founder. But there are a few things to consider along the way.

Allow me to elaborate.

Let’s assume you take the plunge and become the founder of a hot cloud security startup. You get a knock on the door. It’s a $50 million acquisition offer from Palo Alto Networks. $50 million? You scoff. It’s too low for you, you say. Your company is going to the moon.

A year later, as your customer logos continue to multiply, you receive a $100 million offer to sell your company to McAfee. Again, it’s too low for you. Top-line growth has been remarkable. You decline.

Shift time forward a couple years.

You’ve just raised a sizable Series D, you have a large booth at all the major conferences (RSA, Black Hat, etc.), you’re interacting with customers and research analysts — you’re gaining meaningful traction.

Not only that, but people are genuinely beginning to recognize your brand. One of these people happens to be the CISO of a large Fortune 500 — let’s call it Boeing.

Several emails back and forth with Boeing’s CISO, and you find yourself in the midst of a cloud security bake-off against two other vendors. One of these vendors is smaller than you, having only just raised a Series A. The other vendor is larger than you, significantly larger in fact and a publicly traded entity.

Boeing runs a rigorous POC bake-off and decides to grant you their business.

Incredible win! The team is pumped. And you’ve effectively plugged a hole that Boeing’s legacy security suite was not protecting. This is known in the industry as a best-of-breed solution.

CISOs like plugging holes with best-of-breed offerings.

For many CISOs, it’s a simple, three-step approach:

1. Purchase and deploy a platform suite from one of the major vendors.
2. Fill in gaps with best-of-breed point solutions.
3. Protect the enterprise.

And your company fits in this formula well, firmly positioned as a best-of-breed offering. You lack the presence of an incumbent platform, yet you maintain more scale and stronger tech than your younger competitors.

A week later, you find yourself in another bake-off against the same two competitors. The outcome? You and the Series A startup lose; the incumbent wins.

CISOs like sticking with brand name incumbents.

You notice over the next few months that this appears to be a recurring theme. Your POC win-rate has begun to decline, and the large incumbent continues to take market share.

Remember now, you decisively chose (not once, but twice) to pass on being acquired early on. However, as you made this decision, Palo Alto, McAfee and the rest of the 800-pound security gorillas were busy gobbling up your smaller competitors.

So the adage goes…

If they don’t buy you, they’ll buy your competitor.

And it makes sense.

Because these incumbents are so slow-moving, they are coerced to be acquisitive. They simply don’t have the agility necessary to be innovative, so they instead focus on their bread and butter, while utilizing M&A to diversify their offerings.

Since these security incumbents brandish proven go-to-market engines and an abundant number of channel partners through which to sell their offerings, they don’t need to buy the winner in a category.

They only need to buy a player.

This is critical.

When a customer has already purchased a network firewall, SWG, and DLP solution from the same vendor, it remains easier for that customer to stay with the brand they know and trust for upcoming security purchases.

This is known in the industry as bundling out, and it works because:

1. CISOs don’t like switching / integration costs, which are expensive from a time and resource perspective.
2. Legacy vendors can acquire practically any player in a nascent space and bundle this into their offering for little to no additional cost.

We witnessed this to a tee in the CASB (Cloud Access Security Broker) space. Startups emerged. Rampant M&A occurred. Standalone vendors were bundled out.

Microsoft acquired Adallom, Palo Alto Networks acquired CirroSecure, Cisco acquired CloudLock, Oracle acquired Palerra, Blue Coat acquired Elastica and Perspecsys, Symantec acquired Blue Coat, and McAfee acquired Skyhigh.

Suffice it to say — if you’re part of a CASB startup that still hasn’t been acquired, the above are some big names to compete against on a daily basis.

And thus there exists a tension between platforms and point solutions in that:

1. Although many CISOs would prefer the ease of having their entire infrastructure protected by one vendor, large platform vendors can’t offer the best solution in every category. This forces CISOs to purchase best-of-breed solutions.
2. Although many CISOs romanticize deploying best-of-breed solutions to fill all their vulnerability gaps, managing some 30+ vendors is incredibly difficult. This forces CISOs to stick with bundles offered through their existing platform vendor.

So back to our question — should you sell your cybersecurity startup? How do you make that decision with so many angles to consider?

First, remove emotion. As an entrepreneur, you must be honest with yourself in assessing if your security startup is truly a platform company or a point solution with a few differentiating features. This can be a difficult pill to swallow, but it will help dictate your decision to build to an IPO or sell earlier.

Second, be aware of your environment. Keeping track of how many potential acquirers remain and how likely they are to purchase is pertinent. If there aren’t many acquirers left, it may make sense to sell sooner rather than later.

Third, be malleable. If many of your competitors are getting acquired, you’ll need to determine 1) if you can withstand the new competition from legacy vendors who have entered your space through acquisition, and 2) how CISOs will view the inevitable difference in price vs. sophistication.

With all the various things that can change daily, from customer wins and partnership engagements to employee attrition and product setbacks, there’s simply no way to know where exactly your startup will be in 5-10 years. However, if you remove emotion from important decisions, stay apprised of the landscape, and maintain malleability throughout your startup’s lifecycle, you’ll undoubtedly put yourself in the best position for success.