Why CVC Investment in Cybersecurity Startups Seems Low


Since 2010, the number of US corporate venture capital investments in cybersecurity—more specifically, those that contain at least one minority investor that is either a corporation or corporate venture arm—has more than tripled, according to PitchBook data. That multiple seems surprisingly low, especially when you consider that it resulted in just 53 venture investments last year, and only 90 corporations have made an investment since the beginning of the decade. The low bar set for corporate investment is surprising for many reasons, not the least of which is that, as the largest targets of increasingly frequent and sophisticated cyberattacks, these corporations should be at the forefront of innovation within the sector.

Some estimates put corporate spending on cybersecurity measures at around $75 billion in 2015, with projections of the market growing by nearly $100 billion over the next several years. With so much at stake and so much money being spent, why haven’t more corporations made investments in startups (or unicorns, for that matter) needing capital to develop the next generation of cybersecurity technologies? To some extent, the answer could lie in the fact that cybersecurity investment falls outside the traditional CVC wheelhouse.

If a CVC investor’s goal is to make an investment in a technology that should help the sale of its own product line, cybersecurity probably only fits into that category abstractly: it may not directly affect the sale of a product, though one outcome of preventing an attack may be higher sales, at least temporarily. However, keeping sales high for a short period shouldn’t be the main directive for cybersecurity investment.

Similarly, a financial investment in a new cybersecurity technology that looks solely for a capital return on the investment may make sense for many venture capitalists, but it also misses the point of corporate cybersecurity to some degree. That is, corporate investment in cybersecurity is as good a bet as any VC investment, but if keeping data and clients safe from attacks is more important to the welfare of the business, a return-focused investment doesn’t fit the bill.

Cybersecurity knowledge also falls outside the realm of what many CVCs are able to provide along with capital investments. While these corporations spend a lot on protecting their data and securing their sites, cybersecurity is not their specialty, and it is likely unrelated to the products and services that much of their businesses are built on. For example, a corporation focused on manufacturing semiconductors can make an investment in a company developing a new chip and provide far more knowledge about the industry than a regular venture capitalist would be able to. The problem with cybersecurity is that the fractured nature of disparate attacks and the difficulty in tracking breaches make it challenging for non-pure-play companies to become expert enough to provide that knowledge along with an investment.

Deciphering digital security from the outset is difficult for anyone, especially a major corporation. Malware, phishing and DDoS attacks are among the many techniques used to look for vulnerabilities within a corporation’s digital infrastructure, and no technology is able to prevent them all. But as the targets for some of the most advanced attacks, corporations may turn out to be the most important investors in the next wave of technologies. As startups look to develop the software to protect corporations, having those same corporations more invested during development may create a mutually beneficial partnership that can bring more effective cybersecurity technologies to market.

Cybersecurity is one threat that all organizations face, especially as the world becomes even more digitally integrated. From making payments to storing private records and proprietary data, every aspect of corporate business is now at risk. While corporate venture investment in the space is growing, it doesn’t seem to be growing fast enough. Just ask any one of the thousands of companies that are breached each year, or any of the customers that have had their personal data stolen.