Heading into RSA 2019, we pulled the cash and short-term investment balances of more than 30 publicly-traded cybersecurity companies over a five-year period. As you can see, this aggregate balance has nearly doubled over this period of time and is on a steep upward trajectory. Of course, not all of this cash will be used for acquisition purposes, but a significant portion may.
Furthermore, keep in mind that this does not include large security businesses that are divisions of major firms such as Microsoft, Cisco, IBM, EMC (RSA), HP, Intel (McAfee). Additionally, this does not include private equity firms that have invested significantly in cybersecurity companies of late. This trend is great news for cybersecurity start-ups and investors alike, as it is potentially indicative of many more acquisitions in the future.
With this data, and the strong cybersecurity M&A market in mind, we formed the hypothesis that more and more innovation was being acquired, as opposed to developed in-house through Research and Development (R&D). That perhaps cybersecurity would begin to go in the direction of many pharmaceuticals, gobbling up small, nimble, and innovative start-ups that are at the forefront of new technologies.
To answer this question, we calculated R&D spend as a percentage of revenue for 30 publicly-traded companies over a 10-year period. Surprisingly, we found that R&D as a percentage of revenue increased over this period, demonstrating that some of the largest cybersecurity companies are actually spending more on R&D over time.
Additionally, we took a look at the companies that spent the largest percentage of revenue on R&D. Interestingly, some of these companies are top performers in public markets such as Okta and Rapid7, while others, such as Carbon Black, are considered the next generation of cybersecurity companies by industry experts.
Alternatively, we looked at the companies that spent the least on R&D as a percentage of revenue. This was almost as little as half of what the top companies spend on R&D. Generally, the “bottom five” appear to be larger publicly-traded cybersecurity companies that thrived in previous generations of cybersecurity products such as firewall, intrusion detection systems, and anti-virus.
After reviewing the data, it appears, and now makes sense, that these strategies are not mutually exclusive. In a constantly evolving and competitive space, these companies have opted to take a dual-pronged approach, both acquiring innovation as well as developing new technologies in-house. However, I still believe that start-ups are more scrappy, nimble, and will be responsible for the truly game-changing technologies in this space and will be plucked up by larger cybersecurity companies.