Before we proceed further, we wish to clarify and distinguish the various sectors within the definition of cybersecurity. For most people, their understanding of cybersecurity businesses are IT guys who writes software to help organisations to defend or prevent them from being hacked or attacked. Very few are aware that in cybersecurity, we also have professionals whose scope is to offer a range of non-proprietary solutions related to the protection of computer systems within an organisation. These professionals does not write and create software but uses 3rd party software. This is the business that we will be discussing in subsequent paragraphs of this article - cybersecurity services.
In Asia, we rarely hear of any significant investments by investors - be it private equity or angel investors - into cybersecurity services. But in the west, it is a fast growing market for PE firms with equity investment rising to nearly USD5 billion in the last 2 years. Investing into a cybersecurity services set up is a high stakes game where the future is uncertain. AirAsia announced recently that they have set up a venture capital in the United States called RedBeat Capital to invest in startups seeking to enter or expand in Southeast Asia focusing on post-seed stage startups engaged in cybersecurity, amongst other technologies.
Another notable development during the same period was the announcement by ATT, the American telecom giant, joining the Global Telco Security Alliance (GTSA). GTSA was launched in 2018 with Etisalat, Singtel, SoftBank and Telefónica as the founding members.
Collectively through its members, GTSA now covers more than 1.2 billion customers in more than 60 countries across Asia Pacific, Europe, Middle East and the Americas and can harness the expertise of more than 6,000 security experts and a global network of more than 22 Security Operations Centres.
Softbank's participation and inclusion in GTSA where the other members are all telcos is significant as it implies that one of the biggest venture fund in the world subscribes and is investing in the future of cybersecurity services.
Investing in cybersecurity services is not much different than investing into any start ups. The companies are young, private companies and thus have little transparency, minimal governance and a lot of risks. But are investments into cybersecurity services a riskier option as compared to other start ups as made out in online comments sighted?
As with other type of start ups, majority of which were driven by technological innovation, the success rate of cybersecurity services is no different. It is a fast growing market with many success stories and an equally if not more casualties on the side. There will be hundreds or thousands of such set ups giving potential investors lots of options but only few will emerge and attract the minimal interests of PE firms or investors.
The lack of interests by PE firms or investors in cybersecurity services in the local environment is obviously a worrying thought let alone a trend. What hope is there for the local cybersecurity services then? There is not a single merger & acquisition deal for cybersecurity services announced to-date and it is not foreseeable that an IPO of a cybersecurity services firm will happen in Malaysia any soon.
It is true that a lot of cybersecurity services in Malaysia are pretty new with probably a fair number on a limited financial runway and clients. Some could have limited experience in managing a start up and have high expectations on their valuations largely fuelled by the thoughts that their business will go nuclear soon with the spate of news of cyber attacks happening more frequently across various organisations in the past 2 years that will drive organisations in Malaysia to ramp up their investments into cybersecurity.
As with any business that has such huge and promising potential, it has created and spawned a lot of similar type of cybersecurity services. Thus, it created a 'dog eat dog' type of environment where competition and ability to secure clients boils down to pricing - an unhealthy practice that could lead to a 'the dog eat the dog food' situation for the unfit.
Or is it a situation the investors or PE firms in Malaysia not fully grasping and understanding the life cycle, the financial, execution and technical risks and prospects of a cybersecurity services firm? Or they do not wish to fall into the FFF (family, friends and fools) investor category and left with holding the 'bag' and rather wait out for the unfit to be culled first and explore those left behind, who should in theory, be the healthier ones?