Wall Street's torrid love affair with cybersecurity companies is mid-way through its sixth year. And like all romances that endure, the initial feverish flush of endearment has begun to morph into something that requires patience and understanding.
Cybersecurity has been a white-hot arena for venture capital investment over the past five years, peaking at 332 venture deals, totaling $3.8 billion in 2015, a 235 percent leap from the investment activity in 2011, according to CB Insights.
2016 is a different story, however. To be sure, the global market for cybersecurity products and services remains huge and continues growing. Research firm Markets and Markets recently put out an estimate that corporate spending on cybersecurity products and services will top $170 billion by 2020, up from $106 billion in 2015.
And yet despite a projected double digit growth rate, VC betting on tech innovation has waned. Sean Cunningham, managing director of Trident Capital Cybersecurity, tells me that it now takes six to eight months to close deals, double the amount of time from two years ago.
Cunningham point outs that we are in the midst of a consolidation wave among cybersecurity companies of all sizes, most recently highlighted by Symantec announcing its intent to acquire Blue Coat for $4.7 billion.
According to 451 Research, there were 133 cybersecurity merger and acquisition deals in 2015, up from 105 in 2014.
"Many new cybersecurity companies have had difficulty standing out from the crowd and providing customers with highly differentiated solutions that match increasingly advanced cyber attacks," Cunningham observes.
Too many tech security vendors are out of sync with customer needs, Cunningham says. All you need to do is visit the exhibition floor at events like the RSA conference, held in San Francisco in the spring, or the Black Hat conference, in Las Vegas later this summer, and you can see how highly fragmented the industry is, with an overabundance of companies making niche products.
This surplus is in no small part due to latecomer investors jumping on the cybersecurity bandwagon, says Venky Ganesan, managing director of Menlo Ventures.
Who can blame them? The global market for cybersecurity products and services remains huge and continues growing. Research firm Markets and Markets recently put out an estimate that corporate spending on cybersecurity products and services will top $170 billion by 2020, up from $106 billion in 2015.
The bumpercrop of startups has put CISOs in the position of wondering why so many vendors' powerpoint presentations have the same look and feel.
"This has slowed down sales cycles for everyone," Ganesan says. "Eventually we will see some separation between the companies but it will take time."
All of that said, Ganesan and Cunningham agree that the long term investment outlook remains robust.
"This is one area of investing that is not dependent on macro conditions because there are organized groups of hackers working everyday to create demand for security products," Ganesan observes.
Put another way, smart money has a way of gravitating to the brightest innovators. And those investors eventually will be handsomely rewarded.
"Cybersecurity very much remains a high-growth sector," Cunningham says.
So where is the smart money flowing?
With help from Cunningham and Ganesan, I've compiled this list of the five hottest areas of cybersecurity investment:
- Securing the IoT. Smart cars, wireless baby monitors and even Wi-Fi-enabled light bulbs are here - with scant security features. The Internet of Things also encompasses the world's critical infrastructure, which remains largely unprotected Innovators who bake security into IoT are attracting investors.
- Protecting the cloud. Companies and consumers have come to rely on cloud-based tools like Salesforce, Microsoft Office 365 or Google Apps, as well as social media, like LinkedIn, Twitter and Facebook. Non-intrusive ways to control cloud computing's vast attack surfaces will make it big.
- Moving to proactive defense. The shift from reactive to proactive strategies to protect company networks is accelerating. Threat intelligence, automated behavioral analysis and automated remediation are arenas of innovation that hold much promise for slowing down the bad guys -- and making investors rich in the process.
- Respecting individual privacy. Why do so many companies and government agencies so intensively profile the online behaviors of every U.S. citizen? And do they really need to store that sensitive personal data in ways that are susceptible to data breaches? Security innovators who address these questions should prosper.
- Securing mobile computing. The exponential rise in our reliance on mobile devices will continue. Don't expect Apple, Google, Microsoft or Samsung, nor Verizon, AT&T or Sprint, to address the myriad of attack vectors this has created. Cutting-edge mobile computing security tools and services are destined to become part of the solution.