So why did my partners at Bessemer just last month let me cut the biggest check of my career ($24 million) in another business IT security company?
According to surveys conducted by the Computer Security Institute (CSI), employees of large corporations naturally enjoy far more extensive levels of information security than those in businesses with fewer than 1,000 employees. Not only are the corporate PCs more rigorously updated with anti-spyware signatures, but IT locks them down inside a fortress of intrusion prevention systems, application firewalls, policy compliance agents, encrypted SANs, vulnerability scanners, VPNs, etc. Obviously, it takes a large IT shop to assess, integrate, deploy and manage that kind of infrastructure--the kind you don't find in a 200-person medical clinic.
And yet small and medium-sized businesses (SMBs) own the majority of business PCs, inviting computer parasites that thrive in vulnerable hosts, armed with admin privileges! Doesn't it bother the SMB owners that they spoil internet hygiene for everyone?
Perhaps not, but contrary to what many believe, SMBs understand full well that they face the same risks and regulations as large corporations. In fact, the CSI survey included a surprising result: even though small businesses lack the IT resources to deploy most security technologies, they spend as much as 8 times what the Fortune 5000 spend for security per capita! I suppose it's because their product choices are limited by their VARs, and each invoice they pay represents a tiny fraction of the vendor's revenue, so SMBs enjoy no pricing leverage at all. Furthermore, the "scalable" appliances they buy (designed for 10,000 Citibank employees) don't amortize well over a law firm's 300 PCs.
This unmet market need represents an enormous opportunity for the new generation of security companies developing on-demand solutions, or Software-as-a-Service (SaaS). Instead of deploying their own servers and infrastructure, SMBs can now subscribe to security solutions priced by the drink (so we can buy a quart of milk instead of the cow). The simpler deployment allows SaaS vendors to replace their field reps with web and telephone sales, so now they can afford to sell smaller accounts.
Indeed, the first generation of security SaaS has fared remarkably well, and I've been fortunate to participate as an investor: Verisign's SSL business trounced Entrust, and Postini (now Google, as of yesterday) thrived in the densely crowded spam filter market. Qualys leads the market for vulnerability assessment, and Cyota quickly dominated the banking security sector (before RSA bought it). Counterpane pioneered security monitoring, but performed only moderately well because we focused on high end security instead of easy and affordable deployment. Meanwhile, several security SaaS winners I didn't fund, like Websense and Riptech, now populate my anti-portfolio of lost opportunities.
Unfortunately, I don't think we'll see too many more winners, because consolidation will come and go faster this time around. Even more than large corporations, SMBs will gravitate toward suites, rather than hire IT resources to buy subscriptions and manage portals from multiple vendors (Who Has Time For This?). They won't be easily sold on whiz-bang novelty.
That's why the vendor(s) who can integrate security services from soup to nuts will ultimately dominate the SMB security market. The winner(s) will pay once to acquire a customer but sell multiple services, pushing down sales costs as well as prices. Meanwhile, the incumbents (Symantec, Cisco...) are stuck in the licensed software world, and they can't patiently invest in building recurring revenue streams when Wall Street values them at normal software multiples. (In his most recent earnings call, Larry Ellison proclaimed that he can't justify investment in a SaaS business given the lower up-front margins.) So the field is open for new entrants to integrate on-demand services for SMBs who want a single portal to manage their security.
Of course, no single company can develop a winning product in every category, and so the winner(s) will have to grow through acquisition, following in Symantec's footsteps. The early favorite in this race is my latest investment, Perimeter eSecurity. Slowly and surely, Perimeter has acquired and integrated nine SaaS companies, fully integrating a portfolio of over 50 services that the Company supplies to several thousand businesses. Their portal manages AV, anti-spyware, spam filters, content filters, VPNs, firewalls, application firewalls, IDS, IPS, remote backup, email archiving, Exchange hosting with encrypted web access, vulnerability assessment, monitoring, and many other services. Nothing else out there comes close, and customers like it. Perimeter's own organic growth has financed the acquisitions--all except the last one, USA.Net, creating the opportunity for Bessemer and Goldman Sachs to invest.
Whether or not this particular bet pays off, SaaS promises a major disruption for the industry and its investors. Starting new companies to develop more and more advanced technology will never solve the security problems of our local accountants, banks and realtors. The internet remains woefully insecure--not because our technology is insufficiently advanced, but because it's insufficiently deployed.
Blogged with Flock