A deep look at investing in cybersecurity services for VCs: why, why not, and how to
Looking at the reasons why VCs would traditionally stay away from investing in services, as well as what’s changing, and why adding MSSPs to a venture capital firm’s portfolio may be a good idea.
While the conventional wisdom says that “VCs do not invest in services”, cybersecurity services were one of the most active areas in terms of M&A activity in 2022. In this article, I am looking at the reasons why VCs would traditionally stay away from investing in services, as well as what’s changing and why adding MSSPs to a venture capital firm’s portfolio may be a good idea.
Making sense of a security service provider’s business model
Security service providers typically have three lines of business: reselling products, project-based services, and managed services.
Reseller revenue comes from establishing agreements with vendors to act as their channel partner. A typical gross margin for this income stream is 15-20%. As I discussed previously, “It used to be that security service providers would come in with their own technology, implement tools from the shortlist of vendors they had direct relationships with & manage these tools on an ongoing basis - monitor alerts, adjust configurations, and reach out when anything alarming was discovered. Today, more and more customers already have a set of solutions and are looking to own vendor and product selection in general. Managed service providers they hire are there to integrate technologies the customer has already acquired, and add value on top of that.” I anticipate that in the coming years, the proportion of revenue coming from reselling technology will continue to decline.
The second revenue category is project-based services, which typically include consulting such as security assessments, meeting various compliance standards, security audits, penetration testing, and the like. Gross margins in this category are typically around 30-35%. It is common for specialized, technical, and infrequently needed services such as incident response to have higher (sometimes substantially higher) margins.
Managed services typically include continuous security monitoring, a security operation center (SOC), and the like. There are three main ways to provide security services:
onboard the customer on the platform owned by the provider. This approach enables MSSPs to extract higher margins.
use the tooling the customer already has with minimal intervention and monitor the alerts. This path is becoming more and more common, and the margins service providers can extract under this model are typically lower than under the “one size fits all” approach.
use the tooling the customer already has and add value by providing tailored configurations, building customized detection logic, setting up automation, and so on. Optiv calls this a “fusion center model”, while I have previously referred to it as a “technical consultancy” model. Semantics aside, the service provider taking this approach is building bespoke solutions for their clients and managing them in a customized manner. Because of the uniqueness of the model, the managed security services provider can charge higher premiums; they are often, however, offset by the fact that security engineers and architects capable of performing this work are more expensive.
The typical margins an MSSP can extract from managed services are around 40-60% (most often 45-55%).
Reasons VCs do not invest in services
The conventional wisdom says that “VCs do not invest in services”. There are several reasons why investments in security services are not considered to be attractive.
Conflict between the services business model and the VC business model
There is a lot more to it, but fundamentally the VC model works as follows: VC firms raise capital from high-net-worth individuals and institutional investors (a “fund”), and invest it in high-risk companies that have the potential to yield high rewards. The exact reward multiples and risk appetite depend on multiple factors such as company stage, industry, etc. The lifespan of a fund is ten years, meaning the VC should be able to exit all the investments via IPOs or acquisitions within that time frame.
VC funds will typically invest in 20 to 30 companies, and end up losing a high share of their bets. The hope is that a small percentage of outliers can yield outsized returns (10X, 100X, 1000X, and higher) which would offset the losses and generate substantial returns. This is especially relevant for early-stage investing where the risks are much higher, and consequently, the mindset is that every single company should have the potential of returning the whole fund; every bet has to be big.
Service providers do not fit this model: they typically see linear growth, lower valuation multiples on exits, and rarely become unicorns. The “risk-return” equation holds: services generate a steady cash flow, which makes them relatively low risk, but on the other hand - they do not scale as quickly and have low chances of becoming billion-dollar companies, making them also low-return (from the perspective of VCs that need outsized return multiples, not founders of MSSPs who can build fantastic businesses).
Lastly, the VC model requires that the firm exits (liquidates its stake in) the companies it invested in within five to eight years. The services model typically does not meet this expectation: IPOs are rare, and acquisitions were uncommon until recent years. The most prevalent successful outcome of building a security service provider is a sustainable, steadily growing business - a result great for the founders but not for VCs.
Economics of scaling
At its core, a service business is a business of selling people hours. With project-based services in particular, the more revenue the company gets, the more people it needs to hire to deliver the projects, meaning the growth of both revenues and cost of goods sold (COGS) is linear and correlated. With managed services, people are still a constraint but the COGS growth is seen in stages: a certain capacity enables the company to serve a set number of customers; expanding the team opens opportunities to acquire more customers up to a limit, and so on. The need to continuously invest in hiring, training, and new employee onboarding increases operating costs even more.
The linear relationship between revenue and the number of people the company needs to hire slows growth and limits profit margins, while the reliance of the sales process on personal relationships, contract negotiations, and human interaction adds to the complexity (it is rare to see a “self-serve” service experience). Traditional product companies are capable of achieving economies of scale: once they cover fixed costs (infrastructure, engineering team, etc.), the marginal cost of adding new customers is near zero. This enables software providers to have fat gross margins (70-90% and in some cases even higher) and scale the business fast - something service providers, dependent on people capacity, are unable to do.
Low barriers to entry
Services, especially those in cybersecurity, have low barriers to entry. As demand for security professionals is growing, more and more experienced practitioners are starting to offer security services as a side business, often before, or instead of, transitioning into it full-time. The level of competition in the services space is therefore much higher than in the product space. This makes it harder for MSSPs and consultancies to differentiate themselves and build a loyal customer base, especially if we are talking about project-based offerings such as penetration testing, compliance certifications, and the like.
Whenever we see higher barriers to entry in the cybersecurity services industry, these are typically a result of the need for highly specialized talent. For instance, it can be very hard to find experienced threat detection engineers or incident responders with a deep understanding of marine or aerospace industries. Companies that differentiate by building their service offerings in niche areas commonly struggle to grow past a certain size because of the lack and the cost of talent, even though they can charge much higher premiums.
Source: Top 250 MSSPs, the 2022 list
Reasons for cybersecurity-focused VCs to invest in security services
While there is a multitude of reasons for VCs to stay away from investing in services, there are also reasons for them to consider investing in MSSPs and security consultancies.
MSSPs help VCs better understand market needs
Having security service providers in the firm’s portfolio helps VCs build deep expertise in the constantly evolving, technologically complex field of cybersecurity. Service providers are a unique source of insights as they get to see the needs and pain points of many customers, often representing different industries, company types, and sizes of organizations. By getting the privileged insights that customers share with MSSPs, investors can better understand the problem space, spot emerging trends before they become known to the broader market, and identify areas of technological innovation worth looking at.
MSSPs can provide a great perspective during the due diligence process. In cybersecurity, many ideas sound impressive but have a hard time getting buy-in from companies and service providers. Service providers can both help validate the go-to-market strategy of startups looking for funding, and assess their technical capabilities - something VCs are typically not able to do well.
Lastly, it is easy for VCs to get into echo chambers where startups they pick and other investors they work with amplify their already-held assumptions and beliefs about the market. By going closer to the source - the customer - venture capitalists ensure that their sense of reality does not get distorted.
Broad portfolio support
While there are many ways a VC can add value to its portfolio companies beyond providing capital, most come down to helping with problem validation and enabling growth. There are several ways to accomplish this - by connecting startups with industry leaders, making introductions to potential customers, and establishing connections with resellers and technical partners, to name a few.
Investing in an MSSP enables a VC to help its other portfolio companies in two important ways:
Security service providers are a great source for customer insights, product feedback, and advice, all of which can help startups shorten the learning cycles and iterate quicker.
Because MSSPs rely on technology to provide security services, they regularly refresh their tech stack. Most importantly, security service providers have an ever-evolving portfolio of technologies they sell to their customers, which makes them potential resellers for the tools and infrastructure the VC’s portfolio companies build.
To summarize, while MSSPs tend to have lower return multiples, they can act as force multipliers for the product companies in the VC’s portfolio, helping them to move faster and establish new channels for growth.
Evaluating security service providers for VCs
To evaluate security services providers, investors cannot limit themselves to using the metrics they do for product companies, such as annual recurring revenue (ARR), monthly active users (MAU), and the like. The following are some of the factors VCs should consider when evaluating MSSPs.
Revenue mix of the service provider
While knowing the total revenue size is important, it is also critical to understand the share of revenue from each of the three sources (reseller revenue, project-based services, and managed services). The channel the revenue comes from is directly linked to the gross margins it can enable, as well as to the company’s growth potential. Having 90% of the revenue come from reseller activities is very different from having 20% from the reseller line of business, 40% from project-based services, and 40% from managed services.
Revenue breakdown by customer
Another parameter that is critical to understand is the percentage of revenue by customer.
It is not uncommon for service providers to have a handful of customers responsible for over 50% of their income. While security products are typically standardized, and a product cannot quickly and opportunistically start solving problems in different market segments, the same cannot be said about services. The ability of a service provider to “land and expand” is incredibly high as it primarily relies on access to talent. After proving its value when delivering one type of service, it is common for MSSPs and consultancies to start offering more services to the same customer, which, along with increasing revenue, also increases concentration risk.
The ability to manage talent
A security service business is a talent machine: while product companies need great talent to build a product which can then be scaled with little effort, MSSPs rely on talent for growth. The most critical areas security service providers have to tackle are talent attraction, development, and retention. Investors evaluating MSSPs should understand who the key people in the business are, what the company’s reputation in the community is, what the hiring machine looks like, and what the attrition rates are, as all these parameters will impact the service provider’s ability to survive the competition and grow.
Escaping the limitations of services for MSSPs
Because people are the main asset of a security service provider, it’s typically easier to start an MSSP compared to starting a product company. On the other hand, it is harder to scale a service provider because people are also its scaling factor.
To escape the limitations imposed by the services model, successful providers invest in technology first. This means an emphasis on repeatability, seamless and automated customer onboarding, rapid integration of data sources, buying or developing tools to automate labor-intensive and repetitive parts of service offerings, and the like. In other words, to escape the limitations of the services model, companies can productize their service offerings. Investing in this upfront helps alleviate the future pressure build-up and build a more competitive offering. If a service provider needs a large number of security engineers and architects, the price point of its services will be much higher. This will force clients into “build vs. buy” decisions: if they stand to save only 10-20% by outsourcing their security to a third party, it starts to make sense to do it internally instead.
If a founder is looking to build a steady, sustainable business capable of bringing in $5-25 million in ARR, then investing in technology may not be as critical. However, those with ambitions to become a $100 million or bigger service provider must establish a solid tech platform for their offerings. Examples of companies that did this well include Mandiant, Critical Start, and Cyderes; by investing in technology early, and by using it as a differentiator to scale services and achieve operational efficiency, these service providers were able to achieve levels of growth not commonly seen in the MSSP/MDR/IR space. In project-based services such as consulting, investing in technology may play some role, but the business is still heavily reliant on the “the more business they get, the more people they need” formula.
Some cybersecurity founders start a service provider intending to turn it into a product company. While not impossible, it is not an easy task. Once they get started down the path of building a services company, they realize that building a product requires a different model and a very different investment thesis. One can’t effectively pull the smartest people off of delivering the service for paying clients so that they can build a platform in a part-time capacity. A company attempting to chase both rabbits at once will constantly be faced with a conundrum: “Do we invest in building a new product or in scaling the existing service?” It will always be tempting to double down on what’s already working well and focus on growing the services revenue, instead of investing in building a new product that may not see the light of day for a few months or even over a year.
Seeking funding for product innovation in a services company looks different depending on the company size and the level of influence the product champion has. In a large organization, the board would typically need to approve the investment, which means it needs to be comfortable that the new initiative may not break even until year three or sometimes later. In a smaller organization, it might be easier to get the buy-in, but nothing can ease the execution. Say someone with control of the company decides to set aside 40% of the profits to fund the development work, hire a separate team with a talented product leader, and let them build the product. While that would require a lot of discipline, it may work well when times are good. However, when times turn bad and the services business takes a hit, leaders may be forced to make hard decisions.
Rising investment and acquisition activity & the changing nature of the cybersecurity services space
Until relatively recently, most VCs stayed away from the services space because of lower multiples and the other factors discussed above. Now, however, that seems to be changing. For instance, Forgepoint has recently invested in Bishop Fox and SolCyber, Gula Tech Adventures invested in BEMO, Cyberangels raised a seed round from Startup Wise Guys, and Ten Eleven Ventures invested in Optiv and several startups with service components. Many of these are hybrid businesses combining a tech platform with service offerings, as discussed in the previous section. On the other hand, companies that have previously focused on products are adding service layers on top, with CrowdStrike’s Falcon Complete illustrating this really well. The lines between products and services are starting to blur as both founders and VCs understand that clients want the outcome and don’t care how it is delivered. As I mentioned before, “Managed security services are one of the largest growing parts of the market, and rightfully so: while more and more companies realize the need for strong security, it is also becoming apparent that building cybersecurity practice in-house is expensive, time-consuming, and for many - simply not feasible. Managed security services are growing as they address many concerns at once: the cost, the access to talent, the knowledge of best practices, and so on.”
In 2022, we saw over $100B in M&A activity (as of the end of Q3), and one of the largest categories seeing consolidation is security services. Of all the driving forces for MSSP consolidation, the talent shortage and the resulting struggle of large security providers to expand their capacity are arguably the biggest. The talent shortage has been pushing security service providers to take sometimes radical measures. A case in point is the acquisition of the Swiss companies SCRT and Telsys by Orange Cyberdefense in 2022. These two sister companies have around 100 employees - a drop in the ocean compared to the 2100+ cybersecurity professionals at Orange Cyberdefense and the 21,000+ employees overall at its parent company Orange. When we consider the number of people a giant like Orange needs to involve in due diligence and closing the transaction, it is clear that an operation of under 100 people is likely well below the threshold that would make business sense if not for the acute talent shortage.
VCs have a fiduciary responsibility to ensure investment returns for their limited partners. To do this, they invest in high-risk companies with the potential to bring high returns. Cybersecurity service providers are highly unlikely to meet the investment criteria the VC model relies on, including high gross margins, rapid growth, and a clear path to exit within five to eight years. However, cybersecurity VCs have plenty of reasons to add at least one security service provider to their portfolio. Even if the MSSP itself won’t become a unicorn, the value it can add to the VC’s ability to identify and support winning product companies is immense.
For service providers that won’t be able to secure venture funding, it is worth remembering that while VC is an important component of the tech ecosystem, it is just one of many vehicles available to founders looking for capital. Less than 2% of all startups receive money from VCs - a number disproportionately small relative to how much we hear about venture capital. Other types of investors include high-net-worth individuals, family offices, traditional financial institutions, and so on. Not every company is built to grow fast and provide an exit to investors within under a decade, but cybersecurity service providers that stand out from the crowd and offer a compelling business opportunity and a clear path to returns should be able to get funded.
This piece would not have been possible without generous help from Carlos Alberto Silva, a co-founder and Managing Partner of 33N Ventures, and Greg Baker, CEO of Balance Theory and a former managing partner at Optiv. As always, all opinions and conclusions are my own.