When seeking potential new investments, investors may look to cybersecurity and software companies as potential platforms for continued growth. While these companies typically appear attractive, they come with numerous areas for consideration, including valuation multiples, time horizon, strategy, and path to exit. In this paper, we will explore some of these considerations, which have been gathered from the insights and experiences of the AlixPartners team.

Digitally native (i.e. software) companies can have subtly or even fundamentally different business models compared to traditional non-digital organizations, which changes how they should be valued and managed. Less digitally native organizations seeking to invest in software companies should leverage the insights and experience of those who have already invested and experienced ROI challenges, such as those who invested in the cybersecurity market.

Today the cybersecurity market is characterized by a myriad of niche companies, each focused within a given area of the market, and relatively few large and diverse dominant solution providers. Where consolidation has occurred, it is typically within a solution area such as ‘identity & access management’ or ‘web security’ rather than across multiple areas.

Speed to product-market-fit

The success of the niche vs broad approach can be explained by the speed of evolution in both the threat landscape and the underlying technology. New styles of attacks and a growing attack surface present opportunities for new entrants to address an increasing need faster and more efficiently than an existing company. New entrants find it easy to achieve product-market-fit due to at least 5 factors:

  • Low barriers to entry – Anyone can develop software with generally no selling restrictions, so anyone with an idea and a computer can create a viable product
  • Zero-marginal-cost operations – Software has zero marginal costs in manufacturing and distribution, enabling a small business to serve a large customer base very efficiently
  • Scalable CAPEX as OPEX – Cloud computing business models make it possible to scale the business in line with customers, shifting the investment allocations from areas that trap capital and have slow rates of return (e.g. data centers, infrastructure) to a more OPEX-driven model with higher ROIs (e.g. development labor)
  • Open-source foundation – There is a significant amount of foundational capability readily available to leverage within the open-source community. This enables developers to quickly bootstrap product development and allows for more effort to go into product differentiation and meeting niche market needs, reducing time to market.
  • Distributed development – Software can be collaboratively developed by labor around the world, decreasing costs through off- or near-shoring and benefiting from diverse specializations in development teams.

These factors also benefit existing companies, yet they still find it harder to pivot. To explain why, it is worth looking at the level of R&D investments cyber companies make. From our analysis, smaller cyber product companies (e.g. <£500m in revenue) on average invest ~11% more in R&D than larger ones (30% vs 19% of revenue). This level of investment is also directed at one or two products rather than supporting a broad product base that many larger companies sustain, resulting in greater total yearly investments per product.

This allows smaller, focused companies to compete with larger, more generalist ones on both features and price – and with lower cost bases, agility, and ability to efficiently scale – to ultimately out-compete them. They create virtuous cycles of feature development, which in turn attracts new customers and leads to increased investments. This fuels further feature development and more customers. Good examples of this include CrowdStrike, Zscaler and Okta, all of which are now larger than traditional security integrators such as Leonardo and Atos, and are even challenging Capgemini and Thales in valuation despite only offering a handful of products.

Valuing potential acquisitions

However, these R&D investment rates can create challenges for M&A business cases. Market growth rates and investor perceptions have resulted in high multiples for cyber companies (based on revenues), putting pressure on acquirers to continue delivering outsized returns. A standard approach to returning that investment is to focus on reducing costs and increasing synergies (e.g. reducing investment levels in product development and marketing, two of the largest costs by nature). Margin growth would likely result in lost market share and open the company to competition or disruption by a new startup.

Despite these challenges, the continuous rise of cybersecurity (11% CAGR market growth) fuels demand for cybersecurity companies, as investors believe they can ride the demand wave of a strong product through a holding period and resell at a higher price. However, top-line growth is only half the story. Investors should also consider longer-term profitability, as EBIT/EBITDA figures for software/cybersecurity companies differ substantially from those of typical companies.

While most cybersecurity companies achieve gross margins of 80%+, 35% of companies we evaluated generated negative EBITDA, and only 11% generated >25% EBITDA. The smaller and younger the company, the worse the EBITDA figure, which is to be expected for startups, but even when companies pass the 25-year mark, they average only 15% EBITDA while maintaining an average of 18% of revenue in R&D.

Note: the age given is for the parent company’s founding, not necessarily the years they have been active in the cyber sector. 

Therein lies the challenge. Cyber companies require constant product investments to stay relevant and grow their customer bases. Stopping product evolution to reap profits risks reducing revenue growth and diminishing business value. Impacts to EBITDA and cash flow performance (impacting future valuation) would also need to be considered due to the need to amortize software development over 5 years in many cases. 

Identifying when, where, and how to extract value and continue to grow the underlying asset is where the challenge and opportunity lie. Stop too early and you risk never achieving scale; stop too late and you risk never extracting your investment. And investors should remember that there is always money on the sidelines ready to invest in the next generation of startups with low cost bases and high potential. A good example of this is Palantir, which, after passing 20 years of age and £1b in revenue, has only recently cut R&D investments from over 50% to 18%, enabling its EBITDA to grow from less than -100% to 7% in 2023.

If you have any questions about evaluating a cybersecurity or software services organization, consider using AlixPartners in your next assessment. We can support you in reviewing your potential investment across strategy, maturity, and implementation.