Plenty More Phish: Opportunities for Private Equity in Cyber Security

There are two types of company, so the saying goes: those that have been hacked and those that don’t know they’ve been hacked. The epigram has been attributed to various pioneers of cyber security1, and while there may have been a degree of self-interest in its origination, survey results suggest there is some truth in the statement. In the UK, for example, 43% of SMEs and 64% of enterprises reported a breach or attack in 20212. Nation state attacks on enterprises that manage critical national infrastructure are becoming more frequent and AI is being used to rapidly increase the speed and agility of agents on both sides of the firewall. Add to this a global pandemic which has increased the vulnerability and complexity of many IT estates by encouraging (and sometimes forcing) businesses to accelerate cloud adoption programmes to support an increasingly remote and peripatetic workforce, and it’s no wonder that the UK now has a cyber security industry worth almost £9bn, growing at 7%-10% per annum. However, the sheer scale of the industry means growth rates can vary significantly by vendor, product, service or end-market, requiring investors to select their targets carefully. In this article, we consider some of the cyber security opportunities and trends that separate the gold phish from the red herring.

Figure 1: Organisations That Have An Outsourced Cyber Security Provider, 2020

Chart by Visualizer

Zero Trust is a Good Thing

In the old days, perhaps as far back as six or seven years, cyber security was all about erecting a perimeter around your organisation and then guarding it to prevent intrusion by unauthorised agents. Now, the game has changed and no one is trusted: not even those already on the inside. In a world of zero trust, employees are increasingly asked to validate their identity before they can access data and services. This places greater emphasis and value on Identity and Access Management (IAM) solutions, which create and enable permission structures. IAM is perceived to be a specialist service, which sits outside the ‘standard’ stack of services offered by cyber security consultancies and managed security services providers (MSSPs). Where there is specialism, there is often value.

Mobile Security is Not Just for Consumers

We are all familiar with Identity and Access Management solutions through our online banking apps and countless other consumer services, where authentication codes are sent to our smartphones, enabling us to log-in or check-out. But we are now increasingly using our smartphones to access (or at least authenticate access to) business services such as accounting packages, CRM systems, and productivity applications, including the Microsoft Office 365 suite. Irrespective of whether the smartphone has been provided by the employer or the employee, the employer has an increasingly vested interest in ensuring it is a secure device. Research indicates that the smaller screen size of a phone (versus a tablet or laptop) means we are less patient, less accurate and less vigilant when vetting and clicking on links, opening attachments or visiting sites, which might turn out to be malicious3. With the majority of malware and ransomware attacks being nested in emails4, and almost 50% of emails now being opened on smartphones5, the smartphone is an Achilles’ heel for many organisations. Consequently, we anticipate mobile security will become a significant growth area over the next few years.

Human Firewalls & Awareness of Awareness Training

The discussion on mobile security leads us to a cyber security truism, namely that the most vulnerable part of any organisation is its people. Research by Proofpoint in the US indicates 85% of cyber security breaches begin with human error while only 16% of cyber security industry spend is on methods to prevent human error. We estimate cyber security training or Security Awareness Training (SAT) is a $1.3bn market, growing at a staggering 40% per annum, and believe this is another attractive sub-segment of the cyber security industry. KnowBe4’s listing and $3.5bn valuation on its first day of trading on NASDAQ in April last year, has helped raise awareness of awareness training. Closer to home, perennially-astute investors, Tenzing, invested in Metacompliance in January 2021, while the high-growth Livingbridge portfolio company, TitanHQ, has recently bolted on Cyber Risk Aware (both transactions supported by Fairgrove). Engaging, localised (language and culture) content is key, while superior platforms, such as Cyber Risk Aware’s, allow organisations to deliver real-time, adaptive training, based on the individual responses of their staff to specific phishing campaigns. Clever stuff.

Figure 2: Unprompted Actions Taken To Prevent Further Breaches or Attack, 2021

Chart by Visualizer

Figure 3: Types of Breaches or Attacks Reported in the Last 12 Months, 2021

Chart by Visualizer

Don’t Bet Against Microsoft 

5 years ago, Microsoft’s security products were considered by many to be inadequate, and unfit for enterprise security. However that is a far cry from the picture today. Indeed, in January 2021, Microsoft disclosed that its annual cyber security revenues topped $10 billion, with YoY growth of more than 40%. Microsoft continues to invest heavily in the security space, pledging to quadruple its already significant R&D investment to $4 billion p.a. over the next 5 years, and is expected to continue to take share across product categories. Service providers with strong Microsoft capability will be positioned to take advantage of this, a fact understood by the various organisations that have begun to build a Sentinel based MDR offering over the last 12-18 months.  

Figure 4: Annual Microsoft Cyber Security Investment

USD Billions; SOURCE: Microsoft Press Releases

Importantly, Microsoft E5 license penetration is high in the UK, with many enterprises and an increasing number of SMEs having chosen to follow Microsoft-first strategies. The power of Microsoft license ubiquity, and under-utilised tools embedded within them, was shown when Microsoft Teams burst onto the scene as the default video conferencing app for many during the pandemic. We believe organisations will continue to look to extract more value from these expensive licenses, and make use of the now well-respected tools, such as Defender, that they are already paying for. In addition to potential Total Cost of Ownership (TCO) benefits, the ease of turning on monitoring feeds in Sentinel is ‘flick of a switch’, which can be particularly powerful in a crisis. Furthermore, Microsoft’s vast market share in productivity and cloud computing means that integrating third-party specialist tools is invariably easy as they have been designed to be Microsoft-compatible from the get-go. It is not necessarily too late for service providers to add Microsoft security capability, however, organisations must make the decision of whether they develop this internally or via acquisition, as those starting ‘from scratch’ will be in catch-up mode for some time. Also, Microsoft’s quickly expanding cyber sales team can be hard to penetrate for new entrants, particularly as the organisation looks to go deeper with a smaller number of preferred suppliers. A strong strategy to develop this relationship must be in place and has the potential to pay significant dividends if nurtured. For examples of recent transactions which look set to deliver attractive returns, see GCP’s investment in Bridewell, TiG’s merger with Third Space and Livingbridge’s investment in Quorum Cyber (all three transactions supported by Fairgrove). 

Figure 5: Microsoft Teams Daily Active Users

Chart by Visualizer

Transition to Managed Services Creates Value for Investors  

MSP and MSSP multiples have been creeping up over recent years, as private equity’s appetite for recurring revenue models has outstripped available investment opportunities in the space. However, the growth of managed security services may still represent attractive opportunities for investors6. Increasingly, businesses are seeing the value in 24/7 monitoring and there remains considerable green space for managed security providers in unprotected medium and large organisations. It is often too expensive and time-consuming for businesses to build their own team, with the requisite scale and breadth of skills, to provide 24/7 monitoring – a challenge which is driving demand for outsourced SOC services. Managed detection and response (MDR) is expected to grow particularly quickly, at between 15%–20% p.a. globally7. Importantly, the breadth and quality of managed security services vary considerably; assessing this should be an important consideration for potential investors. At one end of the scale, an outsourced SOC may include only basic monitoring of a handful of logs through a SIEM tool; at the other, rich data is collected from across the estate, advanced analytics incorporate adversarial simulation and threat intelligence, and highly automated response and mitigation are delivered through a platform (which provides high customer visibility). Investors in UK providers should, however, keep an eye on the threat from a handful of innovative and well-funded overseas players such as BlueVoyant and Arctic Wolf. 

Figure 6: Global Market for MDR Services

Chart by Visualizer

So, can you go all the way and have a business that is 100% recurring managed services? We don’t think so. While reference sites are vital, nothing is more powerful for the customer than a provider which can carry out complex professional services or urgent incident response work, and these services remain essential ‘stage-gates’ to pass through before the right to provide significant long-term MSS contracts is earned. 

The Pen-Test Is Dead. Long-Live The Pen-Test 

Pen-testing has long been one of the first services that cyber security companies offer in order to cross-sell longer, more profitable engagements with customers8. The logic is irresistible – we’ve breached your system far too easily; now we can help you secure it properly – but so too is the subsequent maturation and commoditisation of a service which is so fundamental to the industry. Fortunately, innovation and disruption are on-hand. Founded by the vendors and leadership team of cyber security consultancy CNS Group (acquired by Six Degrees in 2018), Risk Revelation (formerly Planet Pen-Test) is an exciting start-up that provides gamified remediation orchestration so that companies can contextualize pen-test findings against vulnerability and threat intelligence data, ensuring the right fixes are applied quickly and cost-effectively. It’s a small business today but it’s going like a train and is a good example of how innovation is reinventing some of the more mature parts of the cyber security industry. 

Cyber Security Is Still A People Business 

For all its technology, acronyms and complexity, we believe cyber security is still a people business at heart. Even as companies try to reduce the share of professional services and consultancy in their revenue mix (in favour of more recurring managed services), customers are still highly sensitive to the softer side of the relationship. It begins with trust in the competence and knowledge of the vendor’s leadership team and continues with the agility and speed-of-response of its support team. We have carried out hundreds of customer interviews in cyber security, and proactive account management is always highly valued. In an industry with a global shortage of cyber security professionals, attracting and retaining talent is crucial to delivering successful outcomes for customers. Cyber security staff with 2-3 years’ experience become very valuable and there is considerable fluidity at this level of the job market. The DCMS found that 47% of cyber firms had problems filling roles due to technical cyber security skills gaps. Overpaying for staff is a symptom of this shortage, which can lead to the erosion of margins, especially in professional services where senior or fixed contract resources are brought in at short notice on a job-specific basis. Staff churn, utilisation, availability, and project work backlogs are all important metrics that must be assessed. Do not underestimate the importance of culture. 

Figure 7: Hard to Fill Vacancies by Experience (Cyber Businesses)

Chart by Visualizer

Our Experience

If you would like to discuss this article or if you are considering investing in the cyber security industry, please contact Patrick Woodrow or Adam Lee


Footnotes and Sources

1 But was probably first coined by Dmitri Alperovitch of McAfee in his 2011 report on Operation Shady RAT. 

2 DCMS Cyber Security Breaches Survey 2021 

3 AIG Human Cyber Risk Report 2020 

4 HP Wolf Security Threat Insights Report 2021 

5 Litmus Email Market Statistics 2021 

6 True recurring contracted revenue is of course quite different from admittedly often highly repeatable, rolling annual managed security services (MSS) contracts, and will be a key consideration for potential investors. 

7 Frost & Sullivan; Gartner 

8 It should be noted that some organisations (particularly those with a more mature cyber posture) believe that pen testers should be independent to avoid providers ‘marking their own homework’. 

Photo: Markus Spiske / Unsplash.com