Cybersecurity Investing In Israel By The Numbers

With the cybersecurity market growing to a gigantic size, it is well established that Israel is a hotbed of innovation and startups in the space. The end of then year is a good time for summaries and wrapping things up, so I took a look at statistics as gleaned from the database of IVC to put some quantitative observations behind this major wave.

The theory behind the rise of Israel as a cybersecurity super-power is straightforward: Israel has long-established expertise in the space, given the major activity surrounding cyber and security in the army. Many young folks get trained early on in their careers with the most sophisticated systems and operational challenges, both defensive and offensive.

Out of this army expertise came the founding team of Check Point. Created in 1993, the company went public in 1996 and today is one of the major global security companies. With a market cap of $15 billion, many engineers and executives who cut their teeth at Check Point went on to establish successful security companies in Israel and the U.S.

This extensive foundation of expertise, the rising awareness of security threats over the past few years and accelerated IT spend on the topic caught the attention of entrepreneurs and investors in Israel and abroad. The mega-exit of Trusteer to IBM in 2013 and the successful IPO of CyberArk in 2014 added fuel to the fire, and in recent years there has been an explosion of investment activity in the category.

This in turn caught the attention of the corporate development departments of all the major players. With the heightened focus by IT buyers on security, established companies increased their M&A activities to complete their offerings or establish new business units. Israeli startups are prime targets.

So, let’s look at the numbers. Digging into the last 12 years and breaking them into buckets of three years, the following emerges for the number of companies founded and the number of companies that received VC backing in the “Security” category of IVC (numbers represent a snapshot on December 20, 2015):

*A few more companies that started between 2013-2015 will most likely get funded.

229 companies were started in the past six years compared to 148 in the previous six years. Out of these companies, 67 got VC funding in the past six years versus just 26 in the previous six years, that’s a 2.5X increase.

There is a clear increase in companies started in the last few years and there is even a stronger increase in companies that are getting VC funding. This is not surprising given the excitement with the space. When translated to the percentage of companies getting VC funding, the following shows in an interesting way:

*A few more companies that started between 2013-2015 will most likely get VC-funded. The percentage is likely to settle at 35 percent.

The percentage of companies getting VC funding out of all security companies roughly doubled, to 30 percent. This means that many more companies are getting a runway to execute on their vision. It also means that some companies with a less exciting vision are also getting funded, extending the time and expense it will take them to figure this out. This is not surprising, of course, given the overall investing mood in recent years.

Let’s turn our attention to the “exit” side of the equation. The last 30 months have seen 20+ acquisitions, with a notable acceleration of pace in 2015. This productive period was kicked-off by the large acquisition of Trusteer by IBM (reported to be in the $600-800 million range) in the summer of 2013. The price tag is not surprising, given that Trusteer had significant revenue and a proven business model when acquired.

The acquisitions that followed, however, were mostly small acquisitions of companies in the R&D or very early revenue phase. Only five transactions were reported to be at more than $100 million, and only one of them, Adallom (sold to Microsoft), was reported to be at the $300 million range.

Two IPOs took place in the same period — Varonis and CyberArk. CyberArk specifically was named top IPO of 2014 and further increased the investor excitement with the category in Israel. Building an independent valuable company takes time, resources and patience: Varonis was 10 years old when it went public; CyberArk was 15.

Looking for other up-and-coming sizable companies with an established business model, the IVC database counts 13 companies that are in a “Revenue Growth” phase; among them are: ForeScout, Tufin, AlgoSec, Checkmarx and ObserveIT, all established before 2007, and the relative new-comers, CloudLock and Cybereason. These are the companies that, according to IVC, are at revenue levels or on a trajectory that will yield more significant M&A values or possibly IPOs.

This leaves us with a sizable funnel of roughly 230 other active companies that were established in the 2004-2015 timeframe, half of them being less than three years old (!). Many, of course, will not survive. A growing number will be picked up for their technology by the established players scouting Israel extensively for M&A opportunities (Microsoft being the most aggressive), and a handful will establish a business model and a scalable revenue trajectory that will make them the next independent cybersecurity companies following the footsteps of Check Point, Imperva, Varonis and CyberArk.