VC Action

Core Security announced a $4.5-million Series B investment from venture capitalists at Morgan Stanley on Monday as VCs continued to infuse cash into the red-hot security sector.

VCs plowed $333.4 million into 22 security companies during the first quarter. Monday’s investment puts the sector on track to beat last year’s $1 billion in venture backing, according to estimates by PriceWaterhouseCoopers. And last year’s number was up from $637 million in 2003. Investment in security companies is at about 5 percent of total VC commitments.

Core Security’s software tools help corporate IT experts probe their networks for vulnerabilities by simulating hacker attacks. The Boston-based company has garnered interest from some 150 companies and is cash-flow positive. The new money raises the total investment in Core Security to $10 million.

The company attributes its customer traction to Sarbanes-Oxley regulations. CEO Paul Paget said testing the corporate network for holes has become a necessary component of regulatory compliance. Core Security’s software prints out a report on the health of corporate digital defenses. “It’s exactly what the auditors want to see,” said Mr. Paget. “We can’t wait to crank up the volume.”

Venture Capitalists have no trouble seeing the potential in companies peddling different flavors of digital security, as Core Security does.

“In security there’s not a lot of room for error,” said Ted Schlein, a partner with Kleiner Perkins. “People want to buy the best of breed. This is why it’s been possible to start so many new, innovative software companies and continue to build things of high value for the bigger companies. No one cuts corners in security.”

Webroot has raised the biggest VC investment round so far this year. The company’s $108-million Series A will help accelerate marketing of its anti-spyware product. Webroot took the round, in part, out of fear that its market would evaporate after Microsoft’s entry into the space in January (see VC Action: Webroot Gets $108-Million Series A for Anti-Spyware).

Webroot, which sells directly to home-PC users, is an oddity. Most security startups begin by selling a product targeted at large corporations. “Getting to the consumer is an expensive proposition,” said Mr. Schlein. “As a result, McAfee and Symantec have a very big advantage over a startup. They already have the real estate, they already have mind-share, and they already have a brand.”

A slight improvement in security can translate into real value for big companies that stand to lose millions at the hands of attacking hackers. An hour-long outage of a bank’s ATM service can cost $14,500 just in service fees. If UPS’ computers go down for an hour, more than 500,000 packages don’t get delivered. America Online loses $1.4 million in revenue for each hour its systems fail to process transactions, according to data compiled by network hosting company 365 Main.

Less Downtime
Reducing the risk of downtime has been one of the driving forces behind IT spending on security. “Customers used to be guys with ponytails who played too much Dungeons & Dragons and wanted to show how smart they were by asking how many bits were in a product’s encryption key,” said David Cowan, a VC at Bessemer Venture Partners. “Now, security is critical for availability. The VP of operations looks at security as a way to increase uptime, and has a big budget to spend.” (See The Security Shift.)

But uptime isn’t the only corporate concern. Security firms are increasingly offering their products as “compliance solutions.” Take Vontu, for example. The company raised a $10-million Series C on March 21 from backers like Venrock Associates, U.S. Venture Partners, and Benchmark Capital. The firm, based in San Francisco, has raised $25 million to date. Vontu makes software designed to prevent proprietary information from flowing outside of corporate networks. The company markets the software to large corporations that store customer data like credit-card and social security numbers. Big companies have a lot to lose when private customer data slips out (see SEC probes Choicepoint).

Compliance and uptime concerns may be driving IT security spending, but lucrative buyouts are driving VC investment. Several high-profile security companies have recently sold out to larger software and networking companies.

Altiris spent $65 million last month to buy out Pedestal Software, a startup that makes software to reduce the time and cost of implementing security policy across large corporate networks. The acquisition represented a five-fold return for VCs.

Last December, 3Com bought TippingPoint for $430 million, and Cisco picked up Protego for $65 million. Microsoft has been on a security buying spree, snapping up Giant, GeCad, and Sybari—all for undisclosed amounts.

Hungry VCs

VCs are salivating for security companies, but some startups, including NT Objectives, decide not to take VC cash. “We’ve focused on making money instead of raising money,” said NTO vice president Erik Caso. The company, founded in 2002, scans Internet applications for flaws. Its software will test web-based programs for weaknesses that hackers could exploit (see “Next Wave: Security Hole Offers a Way In”).

“The VCs told us to come back when we had customers,” said Mr. Caso. “I remember thinking ‘If we had customers, why would we need you?’” NTO just turned its first quarter of profitability.

Although some startups can successfully go it alone, don’t expect VCs to quit investing. “Security is a battle that doesn’t end,” said Mr. Schlein of Kleiner Perkins. “I think it’s more evolutionary than revolutionary. First we had encryption, then we had antivirus, then we had firewalls, then we had intrusion detection, then intrusion prevention. We added new layer onto new layer of security.”

For VCs looking for lucrative exits, each new layer of security has its own set of buyouts and IPOs. But for investors backing companies like Core Security, return on investment may still be years away.

Venture capital returns for 2004 more than doubled those from the Nasdaq Composite Index and the S&P 500 in the U.S., according to a study released Monday by an industry group.

VCs saw returns of 19.3 percent on average last year. The Nasdaq returned 8.6 percent and the S&P 500 garnered 9 percent. Early-stage investors got the biggest bang for their buck, pulling in 38.9 percent on their investments, according to a study by the National Venture Capital Association.

“Favorable valuations and healthier activity in the exit markets translated into higher returns for venture capital funds at year end,” said Mark Heesen, the president of the NVCA.

Generally, VC investments should compensate backers for the additional risk they take on shaky startups and often-unproven technology. VCs have returned 15.7 percent to their backers over the last 20 years. The Nasdaq has offered 12.4 percent returns over the same time period.

However, venture returns over the last three years have underperformed both the Nasdaq and the S&P, despite the recent improvement. The return on venture investments was down 2.9 percent, while the Nasdaq was up 3.7 percent and the S&P returned 1.8 percent.

Last year found venture-backed buyouts and IPOs at their highest levels since 2000. Ninety-three companies went public, raising $11 billion, and 333 startups got acquired for a total value of $15.1 billion.

The early figures for 2005 don’t look as promising. Only 10 venture-backed companies went public in the first quarter. They raised a total of $720.7 million, a 74 percent drop from the same quarter in 2004 (see Fewest IPOs Since 2003).

VC firms have continued to raise funds, despite lackluster returns. Menlo Ventures, for example, raised a $1.2 billion fund last week. Its last two IPOs raised less than $180 million combined (see Menlo Raises $1.2 Billion).