When you run a cyber-security consulting firm, servicing hundreds of clients, and delivering thousands of projects over the course of many years, you get a pretty good idea of the problems that organisations are experiencing, as well as the problems you are experiencing, and would like to have solved. From that position, invariably a discussion occurs within the leadership of the company, about whether or not to stay 'pure' as a consulting firm - and do what you know well, recruiting, delivering, and tracking utilisation - or reallocate some of the brainpower in your consulting team towards research & development and more specifically towards the development of some kind of 'product' that will solve the problems you have identified.
The obvious attraction is that products are (often) scalable. People are not.
Part of the consideration in deciding whether to make this investment, is the expected return at the point of 'exit', particularly, the likely valuation differential that could be commanded at the point of a trade sale. Having analysed the data for over 600 cyber-security industry transactions completed in the last decade, this is what that premium looks like:
Comparative valuation multiples - software, hardware & consulting led cyber-security businesses, 2004-2013
So what does the data tell us?
Breaking the organisations into consulting-led, software-led, and hardware-led categories (noting that not enough managed services company data is available for this category to stand alone), and comparing valuation multiples for revenue and profit, with consulting-led firms normalised for each category to '100%', we get the following differentials:
- Compared to consulting-led firms, hardware-led firms have sold for revenue multiples between 3%-45% higher.
- Compared to consulting-led firms, software-led firms have sold for revenue multiples between 101%-177% higher.
- Compared to consulting-led firms, software-led firms have sold for profit multiples between 69%-109% higher.
- (Insufficient comparative profit multiple data is available for the hardware firms so isn't included)
To put those figures in perspective, if your consulting-led cyber-security business is expected to sell for a revenue multiple of about 2 or a profit multiple of 6, a software-led cyber-security business next door will likely sell for a revenue multiple of between 3 and 5.4, or a profit multiple of between 10.1 and 12.5. That is a significant difference.
In other words, if you have both consulting and software parts to your business, when valuing the business, it is likely that $1 of profit from your in-house developed software, is worth twice as much as $1 of profit from your consulting business.
Of course, this isn't without its exceptions. Just looking at listed companies, it's easy enough to find cases of services-driven firms being valued more highly than product-driven firms. As an example:
(Of course, I do acknowledge the significant growth of Checkpoint and Symantec in the services area of their businesses, and particularly Symantec with regard to managed services. But I would be pretty confident that investors see them significantly as product companies first.)
But then those are all very mature businesses and realistically are well past the point of 'explosive growth'. When you look at the younger crop of cyber-security product companies, you get some pretty crazy numbers:
To give some perspective on what a P/E of 319 means... Sourcefire's income (profit) for the last 12 month reporting period was a tad over $5 million. Their current market capitalisation is $1.57 Billion.
But these companies have massive growth potential (Sourcefire has been growing revenue at 25-35% a year), and are also obvious acquisition targets for the more established firms in the market. The enormous market capitalisations reflect this growth profile and the fact that investors are comfortable the companies will find a way to provide a return to shareholders.
It is also important to recognise, however, that building a successful product business is significantly more difficult than building a consulting practice, and the likelihood of a 'moderate' success is much lower. In other words, building a consulting practice, it is reasonably easy to run a small team, build up a client base, and operate at a healthy level of profitability for as long as you are willing to continue driving the business. Building a product business, this type of viability-without-being-the-market-leader is harder to come by, and success is much more likely to be all or nothing. So while the payoff may be higher, the likelihood of getting a payoff at all is most likely lower.
Also of importance to consider is that the 'buyer universe' changes significantly when your consulting firm starts building a product-led business unit. Companies that previously may have been interested suitors, may not want the R&D or support and maintenance expenditure necessary for an ongoing product-led operation.
Ultimately, there are many ways to build a valuable company that will appeal to a sufficient number of potential buyers to achieve a healthy exit for the founders. What is important, is understanding where the value is within your business, and how to stitch it together into a coherent story to maximise value during the sale process.