‘There’s no silver bullet’ – Investors take on the multi-headed cybercrime beast

With cybercriminals constantly innovating, tech investors are assuming the worst and are looking beyond prevention to detection and rapid response.

The hack of SolarWinds, the full extent of which came into the public awareness in April, revealed that not even the highest levels of the US government are safe from cyber intrusions.t

SolarWinds, which provides network security software to US government agencies and large corporations, was eye-opening not only for the government but also for private equity. Cybersecurity has become one of the top focuses of private equity tech investors over the past decade. But cybersecurity investing presents an evolving set of challenges.

SolarWinds was backed by Silver Lake and Thoma Bravo. The two firms cashed out of their interests in the companies one day before the hack was publicly revealed, selling a 5 percent stake to Canada Pension Plan Investment Board. Now investors are trying to bring a class action suit against the company and its PE backers for allegedly misleading investors about the efficacy of its security program.

(The private equity firms and SolarWinds’ CEO Kevin Thompson separately moved to dismiss the claims. In a motion filed on August 2, the investors argued that their partial ownership of the company does not make them “control persons” under US securities law.)

Cybersecurity will be one of the biggest recipients of private equity and venture capital investment, but GPs and LPs have to come to grips with just how much risk is acceptable.

These include risks not just for new investments, but also for existing portfolio companies that might perform well for years during a firm’s hold period, and then suddenly erupt into a cyber scandal that could sink a firm’s plans.

Hugh Thompson, Crosspoint Capital

“SolarWinds drew much wider attention to a problem that really has been an epidemic for quite a while,” Hugh Thompson, managing partner at Crosspoint Capital, tells Buyouts. “This trend of, ‘How do we ensure the integrity of the platform that we’re working on,’ is such a critical one,” he says.

Capital pouring in

The digital transformation of the economy, including increasing reliance on remote work and education, is driving demand for better security in services and data. Private equity firms have seen in that evolution ways to tap into emerging opportunities.

Since 2016, private equity firms committed more than $135 billion in cybersecurity-related deals, including both buyouts and growth equity investments, according to data compiled by PitchBook.

The last two years saw the biggest increase as the health crisis closed the economy. In 2020, private equity committed $18.2 billion across 169 cyber deals, up from roughly $8 billion across 147 deals in 2019. Inflows for the first half of 2021 reached more than $9 billion across 121 cybersecurity investments, outpacing the value of all cyber deals in all of 2019, Pitchbook found.

“Because everybody was remote, because workforces were disparate, and people were no longer gathering in central locations to work, there were so many more failure points in access points into an organization that provided security risks,” says Seth Boro, managing partner at Thoma Bravo.

Seth Boro, Thoma Bravo

“Security, as a result of that, is a market that has almost benefited from this remote, disparate workforce that has been created and will continue to exist, because the world is likely to continue to operate in a remote or hybrid workforce environment.”

The startup world is no different, and it has also seen tremendous capital inflows into early-stage cybersecurity companies. Only halfway through the year, 2021 already has surpassed the record-breaking $7.8 billion raised by security companies last year, according to Crunchbase. The cybersecurity sector saw an inflow of $9 billion across 309 venture deals in the first half of 2021, accounting for more than double the $4.4 billion in the first six months of 2020.

This spike in cybersecurity investing is understandable given the demand, says Sean Curran, senior partner at cybersecurity consultancy practice at West Monroe. “There’s definitely a lot of organizations that are looking at cybersecurity products, and there’s a lot of cybersecurity products that are looking for additional funding to be able to grow and expand their capabilities,” he says. “It’s a really good marriage right now between the two parties.”

In fact, some market observers believe private equity interest in cyber has become so pervasive that many shops now look to public markets for sourcing opportunities. Frequently, they do so through carve-outs, Paul Lennick, senior vice-president of M&A at ContinuServe, says.

“Private equity firms that weren’t focused on carve-outs are starting to do it because they can’t find deals and they have to create internal capabilities to handle those carve-outs, find operators,” Lennick says.

Even mid-tier private equity firms that usually acted as minority investors are exploring carve-outs because of the difficulty of sourcing opportunities, he adds.

“SolarWinds drew much wider attention to a problem that really has been an epidemic for quite a while. This trend of, ‘How do we ensure the integrity of the platform that we’re working on,’ is such a critical one”

Hugh Thompson
Crosspoint Capital

From a macro perspective, investors are not expecting this pace to slow down. They are predicting quite the opposite, and believe the security industry will continue to experience hyper growth, Thoma Bravo’s Boro says: “Public cloud infrastructure and cloud infrastructure, in general, has made it more complex and has created more avenues, more threats, and it also provided our companies with the ability to deliver incremental products.”

Vulnerabilities

According to Thompson, who spent his entire career in cybersecurity and previously held positions as chief technology officer at Symantec and chairman of the RSA Conference, the cause of this epidemic is the lack of integrity in software coding.

When writing new software, developers borrow bits and pieces of already created code from different sources, including open-source and closed-source libraries, and only then add value by writing their own code on top, Thompson explains.

“At the end, you have code that you wrote that could be compromised, but you also have code that you don’t even know who wrote [it] and much of it is open-source software,” he says. “So we see a huge opportunity in this space to go after that platform integrity topic, which is understanding what went into the software that you’re selling someone.”

To combat these practices and in response to recent attacks on Colonial Pipeline and SolarWinds, President Biden signed an executive order on May 12 to improve the nation’s cybersecurity and protect federal government networks. Those recent cyber incidents share commonalities, the order says, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.

According to Thompson, the order is a major step forward to keep both buyers and sellers of software aware and accountable. “If you’re a buyer of software, the natural question to ask is, ‘Show me the equivalent of the food nutrition label on that software,’” he says. “When I buy Coca-Cola, where unfortunately the biggest ingredient is high fructose corn syrup, at least I know what’s in it.”

Crosspoint Capital, founded by Thompson and Greg Clark, former CEO of Symantec, is focused on solving cybersecurity issues like this one by investing behind best-in-class software providers. The firm recently collected $1.3 billion for its inaugural fund, through which it is pursuing companies in the sector, carefully vetting targets using its industry expertise.

Greg Clark, Crosspoint Capital

“It is a difficult space for an investor that is a sector tourist,” Clark says. “If you’re opportunistically investing in a cyber company – be careful because you can get companies that are solving a piece of tradecraft and as soon as it’s solved and people start getting caught, bad actors stop doing it, and so those cyber companies stop growing.”

According to Clark, it’s important to invest in themes for long-term value creation, such as IOT security, data protection, data privacy or incident response.

In the past few years, high-profile ransomware attacks, including private equity backed SolarWinds, PulseSecure and Kaseya, created a pivotal moment for private equity, throwing into stark relief what may be the biggest challenge faced by the industry around tech investments.

While much smaller, Kaseya, backed by Insight Partners and TPG, and PulseSecure – owned by Clearlake Capital and TA Associates-backed platform Ivanti – also became targets in notable ransomware incidents as they underscored the vulnerability of IT management and security providers in exposing their end-customers when being attacked.

In fact, it may have even changed the focus of some private equity investors from pure prevention of cyber incidents to fast detection and response of such.

According to Max de Groen, partner at Bain Capital, the cybersecurity industry operates in what’s called a zero-trust paradigm, where the assumption is that someone, somewhere has already found a way into the enterprise network and there has probably been some sort of a breach.

Max de Groen, Bain Capital

“We’re seeing in all types of security, especially with these advanced breaches, the focus is more around identifying and completely containing threats before they have a chance to do any significant damage,” de Groen says.

“That’s where we’ve been looking to spend our time in cybersecurity, which is looking for next-gen cloud native cybersecurity approaches that hunts these kinds of threats real time.”

In June, Crosspoint Capital and Bain Capital co-invested in ExtraHop, which does just that – provides network detection and response (NDR) software.

ExtraHop monitors traffic on a network and uses machine learning and artificial intelligence to look at network patterns, examine and inspect traffic as it’s occurring and flag anomalous traffic. “ExtraHop is differentiated in that it doesn’t monitor [to] just try to block only one type of attack,” de Groen says.

“It is watching the entire network and flagging to block anything that looks like an anomaly – anything that signals an early threat or potential breach. Whether that threat comes through a compromised identity, firewall breach, or through email, ExtraHop can locate the intruder.”

But enhanced and evolved security services are no guarantee of safety, experts and investors admit. In cybersecurity, there always will be need for multiple cyber-safety solutions, each focused on neutralizing a certain kind of a threat.

Sean Curran, West Monroe

“When you look at [an] attack, the attack follows certain patterns, those patterns are visible in different technology,” says West Monroe’s Curran. “I can’t see that pattern just with one technology product, so there’s no silver bullet out there to stop every attack,” he adds.

Two years ago, ransomware was coming in through user clicking, links or opening Word documents, as a more typical phishing attack, Curran says.

But post-covid, West Monroe saw a huge impact on the remote access side, he explains: “You can’t rely on one technology device to be the silver bullet to solve the world, and that’s the problem.”

Scale under PE

According to Curran, who provides diligence on many high-profile cybersecurity deals, including on Blackstone and ClearSky’s investment in FireEye, many investors have been focused on rolling up regional managed security service providers (MSSPs) into larger platforms.

MSSPs offer outsourced monitoring and management of security devices and systems, including virus and spam blocking, intrusion detection, firewalls and virtual private network (VPN) management.

“We’re definitely seeing a roll up in that space, where a number of private equity firms are testing the market or asking us for advice on the market, specifically,” Curran says.

While local MSSP providers are doing well in their region, have solid technology stacks and a couple of core clients, many struggle to achieve scale and penetrate other markets, he adds.

“That’s the two things that private equity brings to the table really well,” Curran says. “They help those companies to grow on the sales and marketing side, and they can help on the scaling of the business side.”

“We’re seeing in all types of security, especially with these advanced breaches, the focus is more around identifying and completely containing threats before they have a chance to do any significant damage”

Max de Groen
Bain Capital

Private equity also helps MSSPs broaden their offering from focusing on just network space monitoring, logging or endpoint detection and response (EDR), to performing all three as a cross-platform cybersecurity company, also known as XDR.

“XDR is basically where you bring all of the three capabilities: network, log, and endpoint, together into a single platform,” Curran explains.

“Most of the organizations today are coming together and saying, ‘I need all visibility from all those different angles and all of those different sensors, and if I bring all of those sensor data together into a single platform I should know when a threat actor is in there irrespective of the method of attack or the method of lateral movement.’”

While technologies like XDR provide a more holistic view of the security environment, one vendor still will never be able to do it all, Boro believes.

“It’s just way too complex, it changes too quickly and our view is that specialists are very valuable, especially in the enterprise,” he says. “In the small- and mid-size segment there are platforms that can be delivered, but I don’t think you’ll ever find one cybersecurity company owning the entire security budget of any company.”

According to Boro, Thoma Bravo has invested in every aspect of cybersecurity. Over the course of its history, the firm backed cybersecurity companies including Sonicwall, Blue Coat, Tripwire, Sailpoint, Sophos, Venafi and most recently announced its $12.3 billion take-private of Proofpoint, which is pending closure.

Proofpoint is focused on providing human-centric security and compliance software to mitigate people’s risks across email, the cloud, social media and the web. And, according to Boro, unlike B2B cybersecurity, the subsector of human-centric security can be dominated by a market leader.

“As it relates to human-centric security, our view is that there can be a platform in and around that, that enterprises will absorb,” Boro says.

Many threats that come into an organization exist because somebody clicks on the wrong link in an email or somebody is phished, he explains.

“The idea that humans are massive access points for breaches unknowingly is a really interesting area and the big theme behind human-centric security is what Proofpoint is focused on,” Boro says.

Consumer safety

Consumer safety is a massive problem, but at the same time, is one that hasn’t been well covered, experts and investors say.

“This is a crisis that isn’t well covered, is not well reported on, because people don’t want to talk about it,” Clark says. “When you’re a corporate person you buy from your brain, as in, ‘This is going to solve my crypto-locker problem.’ When you’re consumer, you buy from the heart.”

While there are many cyber companies that operate in the direct-to-consumer segment, it’s not nearly as popular for private equity investments, according to Clark. “Buyout firms and sponsors don’t really understand it, because it’s a different deal,” he says.

“There’s a lot of great companies in the space that are just not well known, but they have massive user bases and have great annual revenue per user numbers.”

There is a great benefit to society to solve this problem through cyber-safety technologies for consumers, Clark says, and, those companies that get it right will have strong growth and good profit margins: “Multiples are a little less than in some enterprise stuff, but the margins and the cashflows are great.”

Ever-evolving threat

But can the best-in-class cybersecurity players and their investors eventually outsmart and defeat bad actors? Can we bring this cyber-crisis under control? The answers are enormously complex, experts say.

The attacker community is being run like any other company: it is innovating by applying the latest technologies, it is automating some processes wherever possible and /it is reaching scale by recruiting and training new members.

In a way, the attacker community is using technology to get scale the same way that manufacturing, or software companies use technology to grow, Crosspoint’s Thompson says.

“They are employing AI, they’re employing every technique that a well-run company is using to get scale,” Thompson explains. “So, the marginal cost for them to go after one more consumer is approaching $0.00.”

In a crime where no one can reveal your personal identity or prosecute you, and, in the end, you get to keep the money – the upside for malfeasance is clearly much greater than the downside, Curran says.

“The threat actors are smart, and they are financially motivated,” he says. “And financially motivated individuals without a risk of prosecution are going to continue to find ways to stir the impact.”

Correction: A previous version of this report incorrectly stated Max de Groen’s title as partner, he is a managing director. It also incorrectly stated that TPG is an investor in Ivanti; it is not, but Clearlake and TA back the business, while TPG backs Kaseya. The article has been updated.