VCs still hot on security

Due to increasingly sophisticated attacks and stringent compliance demands, companies are boosting spending on IT security, making the segment attractive to VCs

Venture capitalists continue to pour money into the IT security segment as emerging attacks and compliance demands pave the road for future spending among customers.

Market watchers, including the Computing Technology Industry Association (CompTIA), have predicted significant growth in corporate IT security budgets for 2008.

In a recent survey of just over 1,000 companies conducted by the industry group, more than 50 percent of respondents said they plan to spend an average of roughly 20 percent more on security technologies and services in 2008 than they did in 2007.

Based on that opportunity and the wealth of new security companies coming into the market backed by strong technologies and qualified management teams, VC experts say that they will channel more funds into the sector this year in the hopes of getting behind the industry's next big thing.

Among the leading areas for investment, they say, are companies building technologies aimed at addressing issues of data protection and applications security.

"We believe that companies looking at protecting applications and data is a fertile area, there are a lot of VC-backed companies that have been funded that have attacked different elements of the problem, but there's still a huge corporate need and plenty of room for innovative companies to succeed," said Justin Perreault, a general partner with Commonwealth Capital Ventures.

"I think we'll continue to see consolidation in the space because ultimately, companies don't want to deal with 20 different vendors, but there are still a lot of opportunities for companies to get to market with IPO or acquisition exits available to them long-term," he said.

One of the companies that Commonwealth has put its money behind to that end is Ounce Labs, a maker of applications source code analysis tools. Perreault said that his firm believes that customers are already buying into the concept of using code-scanning technologies to address the issue of data leakage and that companies such as Ounce that can automate the process without placing an additional burden on software developers stand to benefit from the trend.

At the same time, areas of the security market such as the NAC (network access control) and DLP (data leakage prevention) segments may have already worn out their chances to garner new investment from the VC community. "The truth is that so many security sectors are already wildly overfunded with too many companies, they may even have great ideas and technologies, but there are just too many," Perreault said. "With NAC and DLP, there are probably more people than the market can support or than there are large companies to buy them all up."

At the same time, VCs need to remain mindful of the idea that there are always opportunities for companies to enter an already crowded space and revolutionize things in some way. The most common example of that scenario is the rise of a company such as Google in the search market, but issues, such as managing spam, that have been addressed by vendors for years clearly still have a chance for innovation, said Paul Maeder, co-founder at VC firm Highland Capital Partners.

"When a space like DLP gets overinvested, obviously that's bad for investment, but you have to make sure that you don't get caught up in overcompensation as sometimes when people think a space is overdone, like search, along comes a Google," Maeder said. "VC is very much an industry of gossip, and that helps keep things from getting overinvested, but you also have to remember that you don't need to be the first company into a market, you just want to be the first that crosses the finish line."

Among the security startups that Highland is backing these days are Bit9, a vendor that specializes in applications and device control tools for Windows environments, and Imprivata, a maker of SSO (single sign-on) authentication applications. In both cases, the expert contends, the companies his firm has invested in have the chance to address issues of serious concern to business customers in new ways, around data leakage and network access, respectively.

How VCs gauge the market
Most VCs agree that the key to finding the right companies to invest is based on staying in close contact with IT buyers to gauge their pain points and better understand their spending habits.

Some security startups may have terrific ideas and strong people behind them, but if there isn't a market for the technology being pitched or a chance to create a new opportunity with something truly unique, the investors take a far more cautious approach.

"Our best source for information is customers -- that is the first place startups go to prove their ideas," said Maeder. "We have a cadre of CIOs who we are constantly talking with; we ask them if they're looking for something new, run business plans by them, ask if there are already too many solutions to a problem that is being addressed, and if something is an attractive value proposition."

In some cases, VCs backed by specific sets of customers are emerging to help funnel money into areas of the market where customers feel there is a significant need but perhaps too few viable alternatives. One such firm is FTVentures, which is bankrolled by 40 different investors from the financial services sector. Among the businesses funding the VC are huge names, including Bank of America, Citigroup, and Wells Fargo.

Having such a focused group of backers helps the VC isolate security markets that truly have the potential to meet emerging demands, said Mark Lotke, a partner leading the Software Investment Team at FTVentures.

In many cases the firm's backers are looking for products that can help them move away from technologies they have developed internally and continue to maintain at great expense, he said.

"We talk to IT and operations executives in these companies and ask where their pain points are, and in many cases they've already built homegrown tools that they're looking to replace with packaged solutions," Lotke said. "Besides addressing some problem, the companies we're invested in have had a first-mover advantage in terms of coming to market; the companies we want to invest in have to serve real-life problems today."

FTVentures specializes in so-called expansion-stage investment, handing out money to companies that have already been in business for several years that are looking for additional capital to help them continue to grow.

One vendor that the VC firm recently awarded millions in series-b expansion funding to is Aveksa, a maker of access control governance software. "That's a perfect example of the kind of company we're looking for, where we surveyed the market to find innovative suppliers and invested because the technology was purpose-built to solve a problem, and already had great customer traction," Lotke said. "Despite spending, it is a scary world out there right now for vendors as it can be tough to pull dollars from customers and sales cycles are being extended. But we feel that by finding these types of companies that are already proving their value, we get a much simpler road map than trying to guess what the next big thing is going to be."