Cybersecurity is Going Public
2021 was a banner year for cybersecurity IPOs. Despite continued economic uncertainty and market volatility, five companies directly or partially included in the cybersecurity ecosystem have gone public so far this year. Among the five was the largest cybersecurity IPO in history. That's a big year by any standard.
The number and size of public cybersecurity companies is a factor in the legitimization of cybersecurity as a standalone industry. The same was true of tech as a whole two decades ago. The next evolution is for segments of the tech industry to establish themselves as viable cohorts of public companies. Cybersecurity is one of those segments.
Thinking about cybersecurity as a relevant set of public companies is a relatively new concept for most of us. Just ten years ago, there were twelve public cybersecurity companies. The traditional paradigm was for cybersecurity companies to either be part of a larger tech company's portfolio or a startup. Standalone cybersecurity companies in public markets were relatively rare.
Not anymore. Today, there are 33 public cybersecurity companies listed on U.S. public stock exchanges. Cybersecurity companies aren't just going public — several of them are thriving and drive significant growth in the tech sector overall.
There are two objectives for this article. First, I wanted to take a broad look at the current market and recent trends for public cybersecurity companies. Second, I wanted to kick off a longer-term data project to gather and monitor meaningful data points about public cybersecurity companies over time.
Market Segmentation
An important nuance about the set of public companies within the cybersecurity ecosystem is this: not all of them are exclusively cybersecurity companies. There are (generally) three different paradigms. The distinction is important for several reasons, one being how we classify companies that are truly "cybersecurity companies."
Pure Cybersecurity Companies
Pure cybersecurity companies offer exclusively cybersecurity products and/or services. This type of company is indisputably part of the cohort of public cybersecurity companies.
A few examples are CrowdStrike, Okta, and SentinelOne. The products and services offered by this type of company are fully within the scope of cybersecurity. They are also independent companies and products with their own listings on public stock exchanges. None are currently part of a larger tech company or owned by a private equity firm.
Hybrid Companies
Some companies are "hybrids" — a combination of two or more traditional industries. This type of company is debatably part of the cohort of public cybersecurity companies. Opinions vary, sometimes based on financial data, and sometimes based on perception and beliefs.
A few examples are Cloudflare, Sumo Logic, and Splunk. Cloudflare is a combination of networking and cybersecurity. Sumo Logic and Splunk are a combination of application monitoring and security operations. Significant parts of their product portfolio and revenue come from cybersecurity, and part comes from other industries.
Large Tech Companies
Several large, diversified tech companies have significant cybersecurity product portfolios and revenue. This type of company is not directly part of the cohort of public cybersecurity companies. However, they generate significant revenue and impact the cybersecurity ecosystem in significant ways due to their size and scale.
The examples are what you'd expect: Microsoft, Oracle, Google, Amazon, and Cisco. Earlier this year, Microsoft announced it had crossed $10 billion in cybersecurity revenue with 40% year-over-year growth. Cisco is primarily known for its networking business, but the company's security segment has generated $3.4 billion of revenue in 2021. Oracle, Google (both Google Cloud and standalone security bets), and Amazon all have large sets of cybersecurity products and revenue.
Large, publicly-traded professional services firms like Accenture and Booz Allen Hamilton could also be considered part of this set of large companies for different reasons. Both primarily offer consulting services with significant revenue both inside and outside of cybersecurity.
Current Trends
Several trends are occurring within the set of public cybersecurity companies that exist today. The trends highlighted here are beyond any individual company — they're macro-level observations about the market itself. Most are positive with a few cautionary notes.
This analysis makes heavy use of data and research Momentum Cyber's canonical Cybersecurity Market Review series, including the visuals. The firm's intel is a go-to resource for anyone wanting to take a deep dive into cybersecurity business data and trends.
Growth in Number and Size of IPOs
Growth in the number and size of cybersecurity IPOs has increased significantly in the past decade. From Momentum Cyber:
There were twelve public cybersecurity companies in 2011. The count currently stands at 33, including the companies listed on the slide and other activity since the report was produced in Q2 2021. This list now includes ForgeRock, who IPO'ed in September. Mandiant has also replaced FireEye as part of their divestiture and re-focusing on professional services.
CrowdStrike currently holds the highest valuation among companies focused purely on cybersecurity. The company is valued at roughly $60 billion. Cloudflare has a relatively equal valuation and could also be considered the leader depending on your classification of this "hybrid" company.
SentinelOne became the largest cybersecurity IPO in history earlier in 2021. The company went public at a valuation of nearly $11 billion. A notable trend is that SentinalOne's IPO nearly doubled the previous mark — CrowdStrike set the previous record for largest cybersecurity IPO at a $6.7 billion valuation in 2019.
Valuation and Hype
The entire public cybersecurity market is hyped. It's hard to quantify "hype" precisely. Generally speaking, it's a combination of growth, revenue, and momentum.
One tangible indicator of hype is revenue multiples — the relationship between a company's actual revenue and valuation:
In general, public cybersecurity companies have high revenue multiples. Their revenue multiples increased significantly in the past year — 22.3% at the median and 65.5% among the leaders.
There are four clear outliers (highlights above are mine). You could interpret the data this way: in an already hyped market, there are four very hyped public cybersecurity companies — Cloudflare, CrowdStrike, Zscaler, and Okta.
Hype is mostly a good thing, so take this data as a positive indicator overall for cybersecurity companies. Markets and hype cycles are fickle, though. If the market leaders start to miss their (admittedly high) expectations consistently, it could impact perception of the entire market. For now, all is well, especially for companies who are growing at a high rate.
Growth and Value
The Momentum Cyber team couldn't have put it better: "Public markets today are focused on growth." This chart shows the correlation between revenue growth and stock price for public cybersecurity companies:
Companies on or above the line saw their stock price and overall company valuations go up higher than the industry average in proportion to the revenue they earned. Companies below the line were lower than the industry average. In other words, the market punished them for lower growth.
Taking a step back: why is growth so important for cybersecurity companies? Because nearly all of them operate at a loss — that is, they spend more than they earn to build their products and invest in the sales and marketing required for growth. They do this to reach a scale where revenue is large and sustainable, then maintain or reduce operating expenses to become profitable.
Problems arise if companies are investing heavily in product, sales, and marketing without seeing revenue growth in return. This is a tenuous position to be in because it typically means (a) issuing more stock, (b) taking on more debt from loans, or (c) going out of business, a.k.a. being labeled a "going concern." For the majority of pure cybersecurity companies, growth means survival.
High Growth vs. Low Growth
There is a significant distinction between the fortunes of "high growth" and "low growth" cybersecurity companies. A quick glance at this visual gets the point across clearly:
The classification of high vs. low growth is somewhat imprecise. It doesn't really matter for the strategic point that we need to observe here. Understand that public markets invest heavily in companies growing at a fast rate, and less in companies who aren't growing as much.
What does this mean for a person working in cybersecurity? Companies with revenue growth at or below the median have greater potential to be acquired or change their strategic direction.
Among the "low growth" companies, there are already examples of strategic changes in 2021:
-
Proofpoint was acquired and taken private by Thoma Bravo, a private equity firm.
-
Mandiant's decision to divest FireEye and focus on professional services.
-
McAfee's sale of the company's enterprise business to Symphony Technology Group (STG).
Expect this trend to continue, particularly the acquisition and consolidation of "low growth" companies by private equity firms.
Value In the Future
In this analysis, we've been looking at ten year trends for public cybersecurity companies. Ten years is a long time, but it's not that long from the perspective of public markets. A quick comparison can give some perspective on the size and stage of public cybersecurity companies relative to other public markets.
As of Q2 2021, the valuation of the public cybersecurity companies included in Momentum Cyber's data was $425.8 billion. Last week, Tesla hit a valuation of $1 trillion after 11 years as a public company. In other words, Tesla's company valuation is over two times higher than every public cybersecurity company combined.
The comparison is admittedly unfair (Tesla is an extremely hyped company) and certainly wasn't meant to diminish the importance of public cybersecurity companies. It's just interesting to see the variance and compounding in valuations among companies within a relatively similar time scale.
The hope and promise for public cybersecurity companies is in the value they will create in the future. Peter Thiel described this phenomenon in Zero to One:
You’ve probably heard about “first mover advantage”: if you’re the first entrant into a market, you can capture significant market share while competitors scramble to get started. That can work, but moving first is a tactic, not a goal. What really matters is generating cash flows in the future, so being the first mover doesn’t do you any good if someone else comes along and unseats you. It’s much better to be the last mover – that is, to make the last great development in a specific market and enjoy years or even decades of monopoly profits.
This is what happens in early markets. It's important to understand that for many of the current public cybersecurity companies, most of the value they create will be in the future. Their current revenue, growth, and metrics matter to some extent. It's more important to look at the market from a long-term view. Identifying the last movers — the companies who will be enduring financial successes for decades to come — is the perspective we want to have.
Public Cybersecurity Company Data
This is the beginning of a project to gather and track relevant information about public cybersecurity companies over time. My goal is to give you some data and tools to understand and follow these companies as they grow and expand. You can find the initial set of data here: