Thursday, October 11, 2007

SaaSy Security Suits SMB

In 2006, even as overall venture investing in the U.S. expanded 12% over 2005, venture investment in security startups that year plummeted more than 50% (Venture Source). It’s no secret that too many "best-of-breed" startups are chasing the ever more elusive enterprise IT security budget. And while hackers have shifted their sights to the juicier consumer segment--selling private credentials to ID thieves and renting bots to spammers--IT departments have resolved that their checklist of must-have security products is long enough. They no longer crave super-duper startup technology, turning instead to the large vendors (Symantec, McAfee, Cisco...) for integration, vendor viability, and security that's, well, good enough. A few pioneers like Arcsight and Tripwire have reached critical mass in the large enterprise market, but the majority of security startups today struggle to sustain field sales reps with less than a million dollars a month in sales. Now that the VCs have turned off the fuel tap, these babies just won't make it off the runway.

So why did my partners at Bessemer just last month let me cut the biggest check of my career ($24 million) in another business IT security company?

According to surveys conducted by the Computer Security Institute (CSI), employees of large corporations naturally enjoy far more extensive levels of information security than those of businesses with fewer than 1,000 employees. Not only are the corporate PCs more rigorously updated with anti-spyware signatures, but IT locks them down inside a fortress of intrusion prevention systems, application firewalls, policy compliance agents, encrypted SANs, vulnerability scanners, VPNs, etc. Obviously, it takes a large IT shop to assess, integrate, deploy and manage that kind of infrastructure--the kind you don't find in a 200-person medical clinic.

And yet small and medium-sized businesses (SMBs) own the majority of business PCs, inviting computer parasites that thrive in vulnerable hosts, armed with admin privileges! Doesn't it bother the SMB owners that they spoil internet hygiene for everyone?

Perhaps not, but contrary to what many believe, SMBs understand full well that they face the same risks and regulations as large corporations. In fact, the CSI survey included a surprising result: even though small businesses lack the IT resources to deploy most security technologies, they spend as much as 8 times what the Fortune 5000 spend for security per capita! I suppose it's because their product choices are limited by their VARs, and each invoice they pay represents a tiny fraction of the vendor's revenue, so SMBs enjoy no pricing leverage at all. Furthermore, the "scalable" appliances they buy (designed for 10,000 Citibank employees) don't amortize well over a law firm's 300 PCs.

This unmet market need represents an enormous opportunity for the new generation of security companies developing on-demand solutions, or Software-as-a-Service (SaaS). Instead of deploying their own servers and infrastructure, SMBs can now subscribe to security solutions priced by the drink (so we can buy a quart of milk instead of the cow). The simpler deployment allows SaaS vendors to replace their field reps with web and telephone sales, so now they can afford to sell smaller accounts.

Indeed, the first generation of security SaaS has fared remarkably well, and I've been fortunate to participate as an investor: Verisign's SSL business trounced Entrust, and Postini (now Google, as of yesterday) thrived in the densely crowded spam filter market. Qualys leads the market for vulnerability assessment, and Cyota quickly dominated the banking security sector (before RSA bought it). Counterpane pioneered security monitoring, but performed only moderately well because we focused on high end security instead of easy and affordable deployment. Meanwhile, several security SaaS winners I didn't fund, like Websense and Riptech, now populate my anti-portfolio of lost opportunities.

Unfortunately, I don't think we'll see too many more winners, because consolidation will come and go faster this time around. Even more than large corporations, SMBs will gravitate toward suites, rather than hire IT resources to buy subscriptions and manage portals from multiple vendors (Who Has Time For This?). They won't be easily sold on whiz-bang novelty.

That's why the vendor(s) who can integrate security services from soup to nuts will ultimately dominate the SMB security market. The winner(s) will pay once to acquire a customer but sell multiple services, pushing down sales costs as well as prices. Meanwhile, the incumbents (Symantec, Cisco...) are stuck in the licensed software world, and they can't patiently invest in building recurring revenue streams when Wall Street values them at normal software multiples (In his most recent earnings call Larry Ellison proclaimed that he can't justify investment in a SaaS business given the lower up-front margins.) So the field is open for new entrants to integrate on-demand services for SMBs who want a single portal to manage their security.

Of course, no single company can develop a winning product in every category, and so the winner(s) will have to grow through acquisition, following in Symantec's footsteps. The early favorite in this race is my latest investment, Perimeter eSecurity. Slowly and surely, Perimeter has acquired and integrated nine SaaS companies, fully integrating a portfolio of over 50 services that the Company supplies to several thousand businesses. Their portal manages AV, anti-spyware, spam filters, content filters, VPNs, firewalls, application firewalls, IDS, IPS, remote backup, email archiving, Exchange hosting with encrypted web access, vulnerability assessment, monitoring, and many other services. Nothing else out there comes close, and customers like it. Perimeter's own organic growth has financed the acquisitions--all except the last one, USA.Net, creating the opportunity for Bessemer and Goldman Sachs to invest.

Whether or not this particular bet pays off, SaaS promises a major disruption for the industry and its investors. Starting new companies to develop more and more advanced technology will never solve the security problems of our local accountants, banks and realtors. The internet remains woefully insecure--not because our technology is insufficiently advanced, but because it's insufficiently deployed.


  1. A Salesforce for security. It makes some sense, though it seems more likely that the market will decline in proportion to the growth of online application/productivity services. If you are an SMB and will entrust your precious sales pipeline data to an online provider, you will also increasingly see online email, office apps and even legal discovery/medical office/MLS/etc. as viable and with less integration, setup and maintenance costs than enterprise equivalents.

    Under those circumstances, security is part of the service guarantee.

  2. Anonymous10:26 AM

    Companies with deep pockets will acquire SaaS companies when these have the potential to become Billion dollar businesses.

    Currently, no SaaS-based company has proved the model other than and Webex.

    Larry does have an interest in SaaS. All he is saying is there is more $$ to chase in Enterprise now than putting all the apples in the SaaS basket. When time comes he will scale up Oracle CRM on Demand, acquire NetSuite or other players.

    my 2c.

  3. Makes sound business sense...

    Except when a company comes out with an intrusion network system that renders the firewalls, security software, etc etc. and renders all those services as useless.