Computer security startups catch venture capitalists’ eyes

Nicole Perlroth and Evelyn M. Rusli / New York Times News Service /


Published Aug 7, 2012 at 05:00AM / Updated Nov 19, 2013 at 12:31AM

MENLO PARK, Calif. — The question is no longer who have hackers hit. It is who has not been hit.

The list of organizations attacked by pranksters, criminal syndicates or foreign governments includes Google, LinkedIn and the Central Intelligence Agency.

Big companies are expected to spend $32.8 billion on computer security this year, up 9 percent from last year. Small and medium-size businesses will spend more on security than other information technology purchases in the next three years, according to the International Data Corp., the research firm.

Yet in Silicon Valley, with all the feverish talk of innovation and billion-dollar startups, few entrepreneurs and venture capitalists have been eager to take on the security juggernauts Symantec and McAfee — and in many cases cybercriminals — for a piece of that action.

That has started to change.

In the last 12 months, the initial public offerings of once-obscure security startups have outperformed the offerings from household names like Facebook and Zynga. Imperva, a data security company that went public last year, finished 2011 as the year’s top performing stock offering. Its shares jumped 93 percent on their first day of trading, and remain 8 percent above the offering price. Zynga stock, by comparison, has plunged 68 percent since its offering last December.

Shares of Splunk, a data security company, jumped 70 percent from its offering in April. It raised $331 million in a secondary offering. Most recently, shares of Palo Alto Networks, a security startup, climbed 26 percent when they started trading in July.

The reason for the enthusiasm? “People are starting to realize that the billions of dollars that have been invested into traditional network security is not working for them anymore,” said Ted Schlein, a partner at Kleiner Perkins Caufield & Byers, the venture capital firm. Security startups have also become red-hot takeover targets. Apple, which has avoided big-ticket deals, agreed to acquire AuthenTec for $356 million in its second-largest acquisition to date. And last year, EMC Corp., which already owns RSA, acquired NetWitness. The price was not disclosed but people close to the acquisition talks say NetWitness sold for $400 million, more than 10 times its 12-month trailing revenue.

Venture capitalists have taken notice.

Last year, they collectively poured $935 million into tech security companies, nearly double the $498 million they invested during 2010, according to a MoneyTree report compiled by Pricewaterhouse-Coopers, the National Venture Capital Association and Thomson Reuters.

“We’re seeing a flow of new entrepreneurs interested in the space,” said Asheem Chandna, a venture capitalist at Greylock who invested in Imperva and Palo Alto Networks.

The rise of security startups is the product of a confluence of new technology, fear and people with a lot of money to invest. Major technological shifts, like the move to mobile devices and cloud storage, have redirected and increased the flow of information — for both employees and hackers.

Hackers are getting more sophisticated, too. Last year was the year of the “Advanced Persistent Threat,” or APT, a computer attack in which hackers spend time researching a target and its intellectual property, figuring out who has access to it, and deploying any means necessary to steal it.

RSA was the victim of such an attack last year. So were the military contractors Lockheed Martin and Northrop Grumman. Speaking at a security conference last year, Timothy McKnight, Northrop Grumman’s chief security officer, said the company was fending off several such attacks a day.

“The vast majority of companies have already been breached,” Shawn Henry, the FBI’s former top computer security official, said in a recent interview.

Patrick Morley, chief executive of Bit9, a startup that blocks malware, says the steady stream of “bad news” has been a boon for business. Bit9 was founded a decade ago but was largely unknown until 2010, when Google’s password system was breached and top-level executives started to pay attention. “In boardrooms, executives lifted their heads and asked, ‘Are we OK?’ ” Morley said.

Investing in security can entail unusual challenges. In some cases, venture capitalists have received death threats from online criminals. In others, criminals have shut down their sites altogether.

Ray Rothrock, an investment partner at Venrock, said he had received threatening emails from such people. On occasion, his firm has hired security guards to protect its offices.

“The thing about security investments is that sometimes you don’t know where you’re going to land in terms of attracting attention from the bad guys,” Rothrock said. But, he said, the risks are still worth the rewards. “Security is a growing market and it will grow forever.”