
SCVX: Cybersecurity industry needs consolidation

SCVX's Mike Doniger and Hank Thomas discuss why they want to drive vendor consolidation in the cybersecurity industry and how they're planning to accomplish it.

SCVX is on a mission to consolidate the vast cybersecurity vendor ecosystem overwhelming today's CISOs.

Last month, Strategic Cyber Ventures, a Washington, D.C.-based investment firm, launched the initial public offering (IPO) of SCVX, raising $230 million. SCVX is a special purpose acquisition company (SPAC) that was formed with the goal of acquiring cybersecurity vendors to build a comprehensive platform that can reduce the number of vendors and point products that enterprises have to juggle.

Hank Thomas, CTO of SCVX and co-founder of Strategic Cyber Ventures, believes the cybersecurity industry has reached a "breaking point" and needs consolidation. He and Mike Doniger, CEO and chairman of SCVX, talked with SearchSecurity about why they chose to launch a SPAC, what they're looking for in an ideal "cornerstone" acquisition target and why vendor consolidation will be a good thing for the industry.

Editor's note: This interview has been edited for clarity and length.

Can you explain what a SPAC is?


Mike Doniger: A special purpose acquisition company is essentially a blind pool of capital raised in an IPO with the purpose of acquiring an asset. You can buy really anything you want and there's lots of SPACs out there that will buy all sorts of things. Some have defined target areas; some are pretty broad. We have taken the approach of being very targeted at what we're buying and in that, we were able to build a team together to specifically tackle that project. SPACs have been around for a long time, over 10 years. And traditionally, they're kind of a four-letter word. They're known as buying cyclical assets that are kind of lost, have a lot of leverage on them, and a SPAC is an opportunity for them to fit the public markets when they might not have another vehicle. But in the last year or two, particularly, a kind of SPAC 2.0 is starting to get created where really blue-chip companies like Virgin Galactic and DraftKings and some other examples [are] coming out in this form. I think the reason is, if you start to do a SPAC in that big kind of billion-dollar range, all the sudden the characteristics of the dilution start to look just exactly like an IPO, but you have the added benefit of doing it very quickly, which is a really important thing because the IPO process can be arduous. You also have a nuance where you can make forward projections, which you can't do with an IPO. And in our case, you could say, 'Oh, I might buy another company or two and even attach an LOI [letter of intent] down the road to get the market more excited,' which you couldn't do in a traditional IPO.

Why did you choose this route versus the way some other private equity firms or security vendors have acquired companies?

Doniger: If we look at the landscape of the scale of the company we are looking at, that has already raised venture money with maybe a Series C, and has a multihundred-million-dollar valuation, has grown a lot since then, they're trying to find the next path or the next access to the capital markets. They want to grow. They want to acquire things. And so, they have a couple options at hand. Private equity for high-growth companies is traditionally not the route; they don't like a lot of leverage, and private equity tends to implore that. Venture capital works well along the path in Series A, Series B, Series C and even Series D [funding], but as you get into the billion-dollar range ... venture capital doesn't tend to want to deploy that level of valuation. Then you're really left with hitting the public markets for that money. And you can go a traditional IPO route, or this new alternative route, and we're the first ones to do this in cybersecurity land.

And obviously, the other option is to sell yourself to another company. But with that option, you lose control. And even in venture capital, you start to lose control as you get diluted. This opportunity allows you to maintain control as the CEO. Our structure will be a small owner of the pro forma company; the founders and the venture capital firms and whoever the equity holders are in that company will be in charge of the new public company. I will not be CEO anymore; I will hand that title over. Our board members have not committed to being on the new board, but they've obviously expressed interest in it. Hank and I don't need to be there, but if they need our help, we'll be there. So, at its core, it's a very flexible structure that we think can solve this problem [in the cybersecurity industry].

What's the problem in your view?


Hank Thomas: With SPACs, I saw a financial tool that could possibly allow us to achieve the things in cybersecurity that everyone was talking about that couldn't be done at the venture capital level -- namely, begin to use a vehicle to consolidate some really cool technologies into one platform and to sort of roll up things into a cornerstone capability that doesn't really exist yet. Our thesis is essentially that at least within the average Fortune 1000, the average CISO still has around 75 vendors in their ecosystem. This cabal of top CISOs are saying we don't have time to use all these vendors anymore, let alone deal with the compliance issues. There's a conversation about the additional fog of war this ecosystem of vendors is creating. It's evolved this way because new vendors have popped up that address one or two different new threat vectors, and when we move on, the bad guys come up with new ways of attacking us, and then new vendors pop up for those.

I think, personally, and my team thinks that we've got to a breaking point. I saw in a SPAC a tool that we could use to start to bring some order to this highly fragmented industry. We're going to walk into RSA Conference with a billion dollars in buying power, but we also have the flexibility to wait a bit and find the absolute critical cornerstone technology that we're looking for that will allow both CISOs and the company that merges into our SPAC to integrate other critical security controls into our platform and begin to reduce the average vendor ecosystem from 75 vendors down to something more manageable like 30. I don't think it's ever going to go down to one or two like you have with phone providers, but I think we could start to build a platform that's multidimensional, multicapable, and start to reduce that ecosystem. We are focused on finding one cornerstone vendor right now. One company of the right critical mass and then injecting it with the capital that we raised in the public markets. And then they will either leverage our team and develop the strategy to integrate other things down the line, or they'll be smart enough to figure out how to do that on their own. But we want to identify the right technology that is at least capable of doing that and give them the resources to move over the horizon to start to build what I just described.

How far along are you in the process of identifying what you think you want and what you think is in the roadmap here for that company?

Thomas: We've assembled this like 'Super Friends' team of a board that I think gives us enough voices at the strategic, operational and tactical level of cybersecurity -- Dan Coats [former U.S. Director of National Intelligence] being at the strategic level, Jeff Lunglhofer [CISO at The Bank of New York Mellon] being at the operational and Sounil Yu [former chief security scientist at Bank of America] being at the super technical level. We have enough different voices that I think we have started to norm around exactly what we think technically a platform should look like that's going to integrate and scale like we want it to do. And we know financially what critical mass means for our target company to be of interest to the public markets once we acquire it. When we buy this company, or it reverse merges into our SPAC, it instantly goes public, and instantly the stock ticker train changes from SCVX to whatever it is we decided that company will be. So, the company has to be ready for that. And we have the right team to help them with that. We've already done the hard work here to fast track the IPO process.

We've narrowed that list down. The SEC has some very specific rules for what we can talk about in terms of targets, so let's call it a cyberdefense platform. We think the cornerstone ingredients of a cyberdefense platform would have to include something that's a 'next-generation' technology. We know that's an overused term, and we get a lot of questions about why legacy technology companies can't do this. Well, because they're built on legacy technology. They might have a ton of smart people and a ton of revenue, but their technology hasn't changed all that much. It gives them the flexibility to integrate and build a course on the platforms we're talking about building. We have the advantage of finding a company that's sort of in between a startup and a giant legacy technology company. A company that's reached critical mass because of its next-generation technology and has a footprint in the Fortune 1000, but it's not the biggest company in the world. It gives us the flexibility to bolt things on to it because it's built that way. Those companies exist right now; artificial intelligence is finally intelligent enough that we think we can find a platform based on AI/machine learning that searches for anomalous behavior and is scalable, as opposed to a whitelisting-based security technology. And then we build from there. The combination of ingredients could be an artificial intelligence machine learning-based cyberdefense platform with a threat intelligence company bolted on to it, a third-party vendor risk management bolted on and an identity and access management company bolted on to it. Those ingredients would be the right ones. Those four ingredients, if done properly, would take a CISO's vendor ecosystem from 75 down to 30 at some point in time.

Doniger: I think we want to find the right company with the right CEO, and he or she has a vision where they're saying, 'If I could just have companies x, y and z, I would get more of the CISOs' wallet and I know the CISOs are telling me that they need that help because their security stack is weak in these places.' But they can't take on another company -- a company that may or may not even exist in six months -- because they're not well capitalized and can't risk putting them on their platform. But if they can do that, then the revenue synergies would be enormous. We're trying to empower a company that is cornerstone or a keystone of our platform and then build that platform around. It doesn't even really matter where we start in that matrix that Hank described, because we'll just add on to the right places after it. The key is that we have a company that has critical mass and has a great CEO and that has a great sales force and reputation.

There's been a lot of talk about vendor consolidation in the cybersecurity industry lately. Do you think that it's a buyer's market out there?

Thomas: We haven't had enough conversations with companies yet to know exactly where their heads are at because we just had the handcuffs taken off for conversations like that when we went public on the New York Stock Exchange. So, we haven't even had our first meeting yet. But I've been in this game for a while, and I know that many of the companies that have taken their Series C or Series D venture capital funding are saying, 'What's next?' and are considering their options. I think it's going to depend on whether the founders and the management of these companies, as well as their venture-backed boards, want to go long or not. Do they share the same vision that we have? I don't think it matters whether it's a buyer's market or not because companies will look at this vehicle for growth and see that we're partnering with them and we're in this together. And if their head isn't in that space, then this isn't the option for them.

What is the landscape out there? Does it feel like there is a lot of activity out there and how much of that is going to compete with what you guys want to do?

Doniger: I think, for the right company, there's not much competition out there. And what I mean by that is, there's plenty of capital buying all sorts of startups through Series D. I don't think we've much big M&A besides the Carbon Black deal. The type of company we're talking to really doesn't have that many options. Maybe there are some really big companies that will buy them, but they're really left with this IPO route. And then there's some venture capital that will spend a billion dollars on a deal, but you can go through and maybe count those types of deals on one and a half hands or something like that. So yes, there's capital. But I think for the right company that's looking for a public currency that wants to partake in a roll up and partake in consolidating the space, there's not that many options for them.
