Cyber security: a lot of hype, low turnover (FD, December 5, 2017)
Anyone who wants to can attend a cybersecurity conference every day. The media are full of stories about cybercrime, and analysts sketch attractive growth expectations for the sector. The sector is also being hyped considerably in the Netherlands. But anyone who thinks that a great deal of money is being earned in cybersecurity will be disappointed.
The number of Dutch companies that benefit from the hype is small, say various experts in the sector. ‘There is more talk about cybersecurity than there is real volume’, observes Mark van Beusekom of Hogenhouck, a corporate finance consultancy specializing in IT. ‘Many companies that advertise themselves as cyber security providers still earn their money mainly from other IT services.’
A large part of the market is dominated by large American players such as Cisco or Palo Alto. There are only a handful of larger Dutch cyber security companies, and the largest of them, SecureLink and FoxIT, are no bigger than a medium-sized SME. Through some acquisitions of Dutch companies, KPN is building a cybersecurity component, but it is not yet a big player.
These parties are followed by a horde of start-ups. ‘There are no big Dutch companies in cybersecurity,’ says Sebastiaan Kors, who himself set up and sold a cyber security company (WeSecure), and now supports start-ups in the sector. ‘A few hundred people work for the biggest ones, then you’ve had it. An average construction company is bigger.’
Reliable figures about the size of the sector are difficult to find. Cyber security is a very broad concept: it ranges from consultancy to the production of software and hardware. But according to The Hague Security Delta, a joint venture of companies and institutions in the field of cybersecurity in the region of The Hague, the market in the Netherlands grows annually by 5% to 8%.
How can the market still be so immature? Part of the problem is the high cost of the products, says Kors. ‘Security is quickly too expensive for a large number of SMEs. If they weigh the costs against the benefits, they quickly come to the conclusion that they take a little more risk. The market must now mainly have a smaller number of large companies that invest. This makes new Dutch cyber security providers extra vulnerable.’
Michiel Martin, partner at BarentsKrans lawyers and notary’s office, shares this observation. “We are still at the level of raising the awareness of the need for good cybersecurity,” he says. “In the end, we have to go to the point that companies are going to invest a lot of money and we are not there yet.” That point is imminent, Martin thinks.
In May next year, European privacy legislation (GDPR) will take effect, requiring all companies to store and process personal data in a demonstrably secure manner, on pain of hefty fines. That will force companies to take action. ‘Without these regulations many companies would still not do much about cybersecurity’, Jos Bourgonje thinks. He works at Value Creation Capital, an investor that has a small fund especially for cyber security. ‘At the most they would get back into action after a major incident. But now it will have to be structurally on the agenda for everyone, and then the investments will come naturally.’
In anticipation of this development, investments are being made in cybersecurity, and there have recently been several acquisitions. KPN, which sees cyber security as a potential way to compensate for its loss of revenue in the business market, took over two cyber security companies in quick succession: DearBytes at the end of 2016 and, recently, QSight.
‘If you want to maximize the sales price now, it is wise to emphasize cybersecurity, even though that may be only a limited part of the total service provision’, says Van Beusekom. ‘But it is still not a mature market for a long time to see the valuations of the companies. That is still much based on the promise that a company has and hardly any results, because they do not have that.’
The lack of cybersecurity personnel also plays a role in the wave of takeovers, Kors thinks. ‘People are difficult to obtain. Setting up a company in services in the field of cybersecurity is very capital and knowledge intensive. Then it is easier to do an acquisition than to build it up from scratch.’