As cyberattacks surge, security startups reap the rewards
By Erin Woo
As cyberattacks proliferated this year, Sanjay Beri, CEO of Netskope, a cloud security startup, got a phone call. Then an email. Then more messages.
All were from venture capitalists who wanted to invest in his company. Given the ransomware attacks and nation-state hacks that were making headlines, they told him, companies that made security products had a bigger market and mission than before.
“We weren’t looking for capital,” said Beri, who founded Netskope in 2012, but the cyberattacks “definitely increased their interest.”
After bids from seven investors, Netskope raised $300 million this month at a valuation of $7.5 billion, up from a $2.8 billion valuation last year. It was one of the year’s largest cybersecurity funding rounds, but not the maximum that Netskope could have attained.
“We could have raised $1 billion in capital,” Beri said.
Recent cyberattacks around the world have taken down operations at gasoline pipelines, hospitals and grocery chains and potentially compromised some intelligence agencies. But they have been a bonanza for one group: cybersecurity startups.
Investors have poured more than $12.2 billion into startups that sell products and services such as cloud security, identify verification and privacy protection so far this year. That exceeds the $10.4 billion that cybersecurity companies raised in all of 2020 and is more than double the $4.8 billion raised in 2016, according to the research firm PitchBook, which tracks funding. Since 2019, the rise in cybersecurity funding has outpaced the increase in overall venture funding.
The surge follows a slew of high-profile ransomware attacks, including against Colonial Pipeline, software maker Kaseya and meat processor JBS. When President Joe Biden met with Russian President Vladimir Putin last month, cyberattacks perpetrated by Russians were high on the diplomatic agenda. This month, the Biden administration and its allies also formally accused China of conducting hacks.
The breaches have fueled concerns among companies and governments, leading to increased spending on security products. Worldwide spending on information security and related services is expected to reach $150 billion this year, up 12% from a year ago, according to the research company Gartner.
“Before we got to this point, we as security teams were having to go and fight for every penny we could get, and now it’s the exact opposite,” said John Turner, an information security manager at LendingTree, an online-lending marketplace. Executives, he said, are asking: “Are we protected? What do you need?”
All of this is set to drive business for cybersecurity companies, creating a potential windfall that has excited investors. The average valuation of cybersecurity companies raising funds this year has more than doubled to $524.1 million from $221.8 million in 2020, according to PitchBook.
“In close to two decades as a VC, I’ve never seen valuations so escalated,” said Asheem Chandna, a venture capitalist at Greylock Partners, who has invested in security companies such as Palo Alto Networks.
The funding frenzy has built for months. The pandemic provided momentum when companies shifted to remote work, which required securing those remote-access systems, investors and executives said.
On a Friday evening in October, Chandna introduced the CEO of Abnormal Security, an email-security company in which he had invested, to another investor, he said. That investor, Venky Ganesan of Menlo Ventures, who had been pursuing a meeting with the CEO, Evan Reiser, for months, immediately emailed Reiser to invite him to dinner that night.
Reiser drove, he said, from San Francisco to Ganesan’s home in Atherton, California, about 30 miles away. By the end of the weekend, Abnormal had signed a deal to raise $50 million at a $600 million valuation, putting its total funding at $74 million. Menlo’s $40 million check was the firm’s largest investment ever.
“As shotgun weddings go, it’s as shotgun as you can get,” Ganesan said.
Since then, the ransomware attacks have given the funding wave a further boost.
In January, Lacework, a cloud security startup in San Jose, California, garnered $525 million in funding. Investors reached out because of Lacework’s products, which use artificial intelligence to identify threats, said Andy Byron, the company’s chief resource officer. In total, Lacework has raised $625 million since it was founded in 2015.
Mike Speiser, a venture capitalist at Sutter Hill Ventures, which led Lacework’s January financing, had no problem getting other investors to participate, he said.
“I called the five people that I thought were the best investors and asked them if they were interested. They were all interested, and within 48 hours we had a deal,” Speiser said. “One hundred percent of the people I called said they wanted in. We could have raised well over $1 billion.”
Netskope’s Beri said that with cybersecurity threats mounting, the funding boom was likely to continue.
“Many investors are not security savvy,” he said. “But when your next-door neighbors go, ‘Hey, what’s up with this ransomware stuff,’ then you know that it’s reached public consciousness. From an investor’s perspective, when something hits the average person’s mind, they realize: ‘Wow. This is here to stay.’”