Want to maximise your sale price? Build a product

April 23, 2013

When you run a cyber-security consulting firm, servicing hundreds of clients, and delivering thousands of projects over the course of many years, you get a pretty good idea of the problems that organisations are experiencing, as well as the problems you are experiencing, and would like to have solved. From that position, invariably a discussion occurs within the leadership of the company, about whether or not to stay 'pure' as a consulting firm - and do what you know well, recruiting, delivering, and tracking utilisation - or reallocate some of the brainpower in your consulting team towards research & development and more specifically towards the development of some kind of 'product' that will solve the problems you have identified.

The obvious attraction is that products are (often) scalable. People are not.

Part of the consideration in deciding whether to make this investment, is the expected return at the point of 'exit', particularly, the likely valuation differential that could be commanded at the point of a trade sale. Having analysed the data for over 600 cyber-security industry transactions completed in the last decade, this is what that premium looks like:

Comparative valuation multiples - software, hardware & consulting led cyber-security businesses, 2004-2013

So what does the data tell us?

Breaking the organisations into consulting-led, software-led, and hardware-led categories (noting that not enough managed services company data is available for this category to stand alone), and comparing valuation multiples for revenue and profit, with consulting-led firms normalised for each category to '100%', we get the following differentials:

Compared to consulting-led firms, hardware-led firms have sold for revenue multiples between 3%-45% higher.
Compared to consulting-led firms, software-led firms have sold for revenue multiples between 101%-177% higher.
Compared to consulting-led firms, software-led firms have sold for profit multiples between 69%-109% higher.
(Insufficient comparative profit multiple data is available for the hardware firms so isn't included)

To put those figures in perspective, if your consulting-led cyber-security business is expected to sell for a revenue multiple of about 2 or a profit multiple of 6, a software-led cyber-security business next door will likely sell for a revenue multiple of between 3 and 5.4, or a profit multiple of between 10.1 and 12.5. That is a significant difference.

In other words, if you have both consulting and software parts to your business, when valuing the business, it is likely that $1 of profit from your in-house developed software, is worth twice as much as $1 of profit from your consulting business.

Of course, this isn't without its exceptions. Just looking at listed companies, it's easy enough to find cases of services-driven firms being valued more highly than product-driven firms. As an example:

(Of course, I do acknowledge the significant growth of Checkpoint and Symantec in the services area of their businesses, and particularly Symantec with regard to managed services. But I would be pretty confident that investors see them significantly as product companies first.)

But then those are all very mature businesses and realistically are well past the point of 'explosive growth'. When you look at the younger crop of cyber-security product companies, you get some pretty crazy numbers:

To give some perspective on what a P/E of 319 means... Sourcefire's income (profit) for the last 12 month reporting period was a tad over $5 million. Their current market capitalisation is $1.57 Billion.

But these companies have massive growth potential (Sourcefire has been growing revenue at 25-35% a year), and are also obvious acquisition targets for the more established firms in the market. The enormous market capitalisations reflect this growth profile and the fact that investors are comfortable the companies will find a way to provide a return to shareholders.

It is also important to recognise, however, that building a successful product business is significantly more difficult than building a consulting practice, and the likelihood of a 'moderate' success is much lower. In other words, building a consulting practice, it is reasonably easy to run a small team, build up a client base, and operate at a healthy level of profitability for as long as you are willing to continue driving the business. Building a product business, this type of viability-without-being-the-market-leader is harder to come by, and success is much more likely to be all or nothing. So while the payoff may be higher, the likelihood of getting a payoff at all is most likely lower.

Also of importance to consider is that the 'buyer universe' changes significantly when your consulting firm starts building a product-led business unit. Companies that previously may have been interested suitors, may not want the R&D or support and maintenance expenditure necessary for an ongoing product-led operation.

Ultimately, there are many ways to build a valuable company that will appeal to a sufficient number of potential buyers to achieve a healthy exit for the founders. What is important, is understanding where the value is within your business, and how to stitch it together into a coherent story to maximise value during the sale process.

Cyber-Security Transactions - Buyer Analysis (or "who is buying all these cyber-security companies?")

March 21, 2013

At Delling Advisory, we believe that we can provide the best advisory services to our IT security industry clients, through having an unsurpassed understanding of the market, both from first-hand experience having started, built and run IT security companies, as well as from access to unique data and analytics.

Information Security Transactions 2004-2013Q1.jpg

This year, we have collated the data on about 650 cyber-security related transactions around the world, dating back to 2004. A significant amount of work has been completed to categorise each transaction based on the 'company type' of the acquiring firm, as well as the security-related services that the acquiring firm previously provided and that the target firm provided (professional services / hardware / software / managed services), the country of origin of the acquirer and target, as well as the financial details of the transaction where that information is available (either publicly or via our industry contacts). An early version of this data set is graphically represented in the map at the start of this post - blue being the acquirer and yellow being the target of the acquisition.

Over the next few weeks, we will start presenting snapshots of this information, to provide a high-level picture of the trends and directions that have taken shape over the last decade, with respect to the cyber-security market. Obviously there is a significant amount of proprietary data that we have compiled through this process, and we use this information in our advisory roles to better understand and communicate the state of the market, as well as valuation trends and trends in the 'buyer universe'.

To get started, a couple of initial data sets.

Q. Who is buying all these cyber-security companies?

In short, many different companies (and 'company types') are acquiring cyber-security companies. The defence industry has been in the media for the last few years as one of the most significant buying groups, but back to 2004 they only account for about 12% of all transactions. Just taking the years 2010 to 2012, when transaction volume was highest in the defence sector, those firms still only accounted for about 18% of transactions (since although their transaction volume went up significantly, so did everyone else's).

The most prevalent acquirers of cyber-security companies are now (and have been every year since 2004), other cyber-security companies, and other IT companies seeking to expand their security-related offerings.

(As an aside, I'm sure people will wonder what 'other' contains. 'Other' contains a mix of companies buying capability to build into their own products, or for diversification. Some example transactions in the 'other' bucket:

The heavy acquirers - as can be seen from the transaction map at the start of this post, have tended to be companies such as Cisco, McAfee, Oracle, CA Technologies, Symantec, IBM, Microsoft, EMC Corporation and Dell - although the defence primes Raytheon and BAE Systems have also made a dent.

Q. Are transaction volumes sky-rocketing?

Not really. There are certainly many more cyber-security related transactions now than there were in 2004... but there are many more cyber-security businesses now than there were in 2004. In broad terms, from 2009 onwards, transaction volume has been about 50% higher than in the period 2006 to 2008.

Cyber-security has become very important to a lot of companies, very quickly. As a result, and given the difficulties in recruiting cyber-security professionals, adding this capability by acquisition continues to be very attractive.

Being an Entrepreneur: The Best Advice I Received

February 14, 2013

Back in the Spring of 2000, I was finishing University and figuring out what to do next. Two main paths lay before me: Follow many of my peers into the strategy consulting world (McKinsey, BCG, Booz Allen & Hamilton, Bain, AT Kearney and others), or venture out into the great unknown of starting a business. I interviewed with the majority of the consulting firms, and received a couple of offers (although not the ones I really wanted). Weighing up my options, it seemed that it was as good a time as any to try my hand at starting a business, and in the worst case scenario, I'd go back to that consulting pool in a year or two's time.

I started the company which became "SIFT" with a good friend from University, who had similar aspirations to set our own agenda and prove that we could do it. We were very fortunate with SIFT that almost every early recruitment decision we made, worked out better than we could possibly have imagined, with that core team sticking with the company for many years, allowing us to build the company in their image, and believing passionately about the importance of doing things well - a passion that we could never have intended to 'teach', but that arose from a group of like minded people, seeking to make their mark on the world.

We grew slowly at first, then picked up pace in about 2005 once we had been in the market for a while, and started to be quite well known. By this point I was already a regular presenting on the conference circuit, and for five years had attended virtually every industry event I could get into without paying. Conferences, product launches, vendor drinks, breakfast forums, I was there, telling people who we were and what we did.

In 2007, the opportunity presented itself to complete our first corporate transaction, the acquisition of Safecoms Secure IT. As with so much of the business, this arose primarily through the relationship between the founder of Safecoms Secure IT, and myself. I have always believed that the market in Australia is too small to treat 'competitors' badly. Your competitor today could easily be your client or partner tomorrow.

We acquired Safecoms Secure IT, some staff and some clients, and set about making 2007 the strongest year we had yet recorded.

At the end of 2008, I met the Stratsec founders in Melbourne, and immediately felt I was with friends. Within hours of meeting we had started putting together the framework for how SIFT and Stratsec could come together to form the largest information security consulting firm in Australia; and in May 2009, that's exactly what happened. Our 'exit strategy' at that point - loose as it was - was that we expected within a 3 year timeframe, to be at a point where we could look at being acquired. Within 18 months, we were sold.

After approaches by a number of potential acquirers in early 2010, we decided that a piecemeal approach responding to our suitors was both inefficient and likely to result in a sale on someone else's terms rather than our own. I put together our Information Memorandum, and we took it both to companies who had already expressed interest, as well as others who we felt would be a good fit.

BAE Systems Australia was the last company into the process; but ultimately were the successful acquirer. The strategic fit was unquestionable, and their integrity, approach, and growth ambitions, were all a fit for how we did business. When Stratsec was acquired at the end of 2010, we had about 60 staff. By December 2012, that had doubled to about 120 and was continuing to grow rapidly, providing some great opportunities for our young leadership team and creating a genuine 'Tier 1' information security firm in the Australian market.

In December 2012, I finished at BAE Systems Detica (as we had rebranded Stratsec in the weeks before my departure), bringing to a close an adventure which ran for 12 years, 3 months, 2 weeks and a few days. It is something I am very proud of, to have started, acquired, merged, and ultimately sold the company successfully. Very few entrepreneurs get such a 'neat' end-to-end start/build/sell experience.

As time closed in on my departure date, a colleague in the industry, upon hearing that I was moving on, said “That’s a shame, Nick… you were always one of the guys who gave a shit.” It was meant sincerely, and I took it that way. And as I explained at my farewell party, I am more than happy for that to be my main contribution to the culture of Stratsec. These aren’t just projects, it is real life. At Stratsec, that meant that testing a system to ensure a malicious hacker couldn't break into your bank account or your health records, was more than just a 'testing project' - after all, it could just as easily be my, or your, account or record that could be compromised. And now at Delling Advisory, I see the same thing, when I look at how enmeshed many founders are with the businesses they have started and run. These are not just companies to be sold; they are years, if not decades, of long days and nights, and trying to make the business a little bit better every day.

A number of people have asked me what my greatest 'lessons learnt' were, or greatest inspirations, to help make their entrepreneurial journey shorter and easier. The best advice I received was from Bob Metcalfe (inventor of Ethernet and founder of 3Com). Of course, the advice wasn't directly from Bob to me, it was in the form of his 1999 article "Invention is a Flower, Innovation is a Weed" (still online at http://www.technologyreview.com/featuredstory/400489/invention-is-a-flower-innovation-is-a-weed/).

A snippet from the article:

I have a six-story townhouse in Boston overlooking MIT on the Charles River. I often invite young engineers and would-be entrepreneurs over to schmooze. Many of them tell me my townhouse is beautiful and they hope to invent something like Ethernet that will get them such a house.

The picture they have in their heads is of me lounging around on the beanbag chairs in a conference room at Xerox PARC in 1973. They see me having this idea for a computer network and submitting it as an invention proposal to Xerox. Then they envision me putting my feet up and letting the royalties roll in until I have enough to come up with the down payment on the townhouse with the river view.

My picture - the actual picture - is different. It’s the picture of innovation rather than invention, the weed instead of the flower. In my picture it’s the dead of winter and I am in the dark in a Ramada Inn in Schenectady, New York. A telephone is ringing with my wake-up call at 6 a.m., which is 3 a.m. in California, where I flew in from last night. I don’t know yet where I am, or where that damn ringing is coming from, but within the hour I’ll be in front of hostile strangers selling them on me, my company, and its strange products, which they have no idea they need.

If I persist, selling like this for 10 years, and I do it better and better each time, and I build a team to do everything else better and better each time, then I get the townhouse. Not because of any flowery flash of genius in some academic hothouse.

And that is exactly my experience of building Australia's largest information security consulting firm from the ground up. That's Bob's lesson number 1 - "Selling Matters."

"Don't Hire - Recruit", and "Be an Entrepreneur, Not a Visionary" are two others that have resonated with my journey; but they're all great lessons. I cannot recommend highly enough that you read it, think about it, and put it into action.

Want to maximise your sale price? Build a product

Comparative valuation multiples - software, hardware & consulting led cyber-security businesses, 2004-2013

Cyber-Security Transactions - Buyer Analysis (or "who is buying all these cyber-security companies?")

Being an Entrepreneur: The Best Advice I Received

Categories

Authors

Tags

Dates