No Way Out: The Changing World of Cybersecurity Exits

Cybersecurity has too many companies with high valuations for all of them to have successful exits. Good strategic choices can ease the pain and set us on a trajectory higher than ever before.
Do you remember playing musical chairs as a kid? I do. It's one of the most vivid memories I have of my childhood.

Close your eyes and think about the music playing. You're circling the chairs with your friends, full of anticipation about when the music is going to stop.

STOP!

You're the only one without a chair.

Do you remember the sinking feeling in your stomach? I haven't played musical chairs for over 30 years, and I still feel exactly how I felt when I was five.

We're playing a big, complex game of musical chairs right now in the cybersecurity industry. There are 82 unicorns and 36 other billion-dollar acquisitions¹ by private equity firms who are all just trying to find a chair when the music stops.

The chairs are exits. Except in this game, we don't know how many chairs there are. I know there aren't enough for all 118 companies.

The implications of this are going to create major changes in the industry. We're moving from fun and games towards a more balanced, fundamentally sound way of building companies.

Some of the changes will feel bad, just like the sinking feeling you had in your stomach when you were a kid. But a few careful, strategic changes can set us on a trajectory higher than ever before.

What happened: optimism gone wild

I started Strategy of Security in August 2021. Everything in cybersecurity was looking good at the time — especially venture capital investing:

Source: Momentum Cyber – Cybersecurity Market Review (1H 2023)

It's easy to be optimistic when we're sitting on top of an unprecedented bull run across the board: record venture capital financing, M&A, and public company valuations. Ahh, the good ol' days...

I used a chart with current data for a reason. August 2021 was peak optimism for people in the cybersecurity industry. We were raging. The party was turnt. Our childhood game of musical chairs turned into Lollapalooza (or a DEF CON after party — whatever you're into). Everyone was having a blast. Nobody was worried about finding a chair when the music stopped.

Until things started looking worse as every quarter ticked by. Was the party ending?

No way! Things will go back to normal, right? Right?! Oh...

Slowly and quietly, people started to wake up. Andrew Morris broke the spell for me. He's a positive, playful, and entertaining person. A thought like this was out of character for him, so I took it seriously:

The timing and severity might vary, but his point stands. The music is going to stop soon. It's time to start looking for our chairs.

Back to reality: our situation by the numbers

Cybersecurity has 82 unicorns — companies valued by investors at $1 billion or higher. There are more unicorns in cybersecurity today than the industry's entire history of IPOs and billion-dollar strategic acquisitions combined.

The unicorns include nine companies valued at $5 billion or higher. Two of them (Wiz and Kaseya) are decacorns with valuations over $10 billion.

If a company is above a $5 billion valuation, there aren't very many ways to exit. And boy does it help to know that. There have been 10 total cybersecurity acquisitions above $5 billion by strategic buyers. Ten. Ever.

Our two decacorns ($10B+ valuation) are in completely uncharted territory. The only two strategic acquisitions in cybersecurity over $10 billion were public companies. In all of tech, there have only been 33 strategic acquisitions over $10 billion.

The only chair available for these nine companies is the exquisite luxury of a royal throne. It's basically IPO or bust for them.

If the situation with our unicorns wasn't overwhelming enough, there are also 36 more cybersecurity companies owned by private equity firms that were acquired for $1 billion or more.

Private equity acquisitions are often viewed as exits. They're not. All of these companies need to exit eventually, too. They're in a similar situation to the unicorns.

When we put everything together, the exit math doesn't add up:

We've had 64 companies achieve billion-dollar exits. We're expecting 118 more companies to do the same. And we're expecting those exits to happen soon.

It sure seems like there aren't going to be enough chairs when the music stops.

What changed: fewer IPOs, more value acquisitions, and a total reset of expectations

We’re past the point of "the market will come back" or "this will all blow over." There are too many cybersecurity companies with high valuations to exit under current (and near-term) market conditions. I know, what a party foul.

IPOs and acquisitions by strategic buyers (larger tech companies, not private equity firms) are the two "good" ways for a company to exit. We've seen major changes in both during the past year.

IPOs are like the buffet of exits — an all-you-can-eat feast for everyone involved. The buffet at our party ran out...bummer.

ForgeRock, which went public on September 16, 2021, was the last major pure-play cybersecurity company to IPO. HashiCorp followed shortly after in December 2021.

Since then, only two smaller companies (ZeroFox and Yubico) have joined the ranks of public cybersecurity companies. Meanwhile, eight public cybersecurity companies have been taken private. IronNet went out of business. The party is starting to clear out.

The other important change is the focus on value acquisitions instead of mega-acquisitions by strategic buyers. Rather than pigging out at the buffet, they started bringing Sweetgreen salads to the party instead. Less fun, but probably a better decision.

There have been five total acquisitions over $1 billion by strategic buyers since the beginning of 2022. We've had a couple headliners: Google acquired Mandiant. Cisco acquired Splunk. Otherwise, strategic buyers are mostly consuming a healthy diet of value acquisitions far below the billion-dollar threshold our 118 companies need for a good exit.

The decline of both IPOs and large strategic acquisitions brings along an inevitable reset of expectations about valuations and exit paths. There's no way out for a lot of later-stage cybersecurity companies. It's a serious downer for an industry that couldn't lose just a couple years ago.

A reset is necessary for the long-term success of the industry. We're going to be better off because of this. But right now, it hurts in the pit of your stomach — the adult version of missing out on a chair and feeling humiliated in front of everyone.

Where we're heading: boring is the new fun

Will we get back to our 2021 level of fun? Yes…eventually. The problem is none of us know when "eventually" will come.

"Eventually" isn’t a good strategy. Dealing with reality is a good strategy. Right now, the reality is we’re in a tough spot.

Unlike the luck of our childhood game of musical chairs, there is strategy involved in winning the adult game. We can determine whether we get a seat or not, both as individual companies and collectively as an industry.

The music isn't actually going to stop. The idea there will be one major event where all the unicorns sell for peanuts or go out of business is an irrational fear. 118 companies aren't going to spontaneously combust and burst into flames.

The music isn't going to keep playing forever, either. Everything will play out in a parallel set of smaller events. Every company has their own timeline, circumstances, and decisions to make. Real strategy — the kind where we have to deal with pesky constraints, incentives, and trade-offs — will be more important than ever.

Some bad outcomes are inevitable. Valuations will decrease. M&A activity will go up. Investors will lose money. Layoffs will keep happening. Options won't pan out. Companies will go out of business. You've heard all of this.

What you haven't heard is how the right moves will make both companies and our industry better off. We're already starting to see some examples:

  • Strategic acquisitions: Perimeter 81 is probably better off with Check Point. SASE is a brutally competitive market. It cost them a billion-dollar exit, but $490 million and an important strategic role in Check Point's future is better than getting flattened by some of the biggest and best companies in cybersecurity.

  • Mergers: ForgeRock and Ping Identity are probably better off together. Combining their respectable customer identity market shares makes them a much scarier competitor for Okta.

  • Metrics: Growth is always going to matter, but it's not going to be the only metric anymore. Company performance and valuations are being evaluated against a balanced set of metrics. Gravity didn't use to apply to tech. Now, it does. We're probably better off with companies that are durable businesses, not just growth machines.

Boring? Maybe. But it's a lot more fun than playing make-believe and pretending everyone can get a gold medal.

Good strategic choices like these are like redefining the rules of musical chairs. People are sharing chairs, using benches, playing their own music, and finding all kinds of other ways to bend the rules in their favor.

If we're smart — even intentional — about the long-term changes we make at an industry level, we're all going to be better off in the future.


Thank you to Andrew Smyth for discussing and sharing thoughts on this article.

Footnotes

¹Publicly disclosed investments and acquisitions, that is. Larger deals typically get disclosed, so this count is probably accurate. The overall point still stands if the count is off by a few.
