Frank, non-flattering admission … I am terrible at determining how much an ICS security company is worth, it’s valuation. While I believe that I can analyze the market, identify the product and service trends, evaluate company strategies, and identify the winners and losers, determining the future market cap or valuation, is something I’ve failed so often at that I rarely even try anymore.

Last week in talks with an investment firm looking at this market, I said this out loud. It made me wonder, why? I believe in my ability to take in all sorts of hard and soft data, analyze it, and come up with the best answer. So why do I fail at ICS security company valuation, and in fact the overall cybersecurity space?

The answer is I approach it as a value investor, and the market has worshipped growth rather than value for over a decade. My wrong approach goes back all the way to 2006 when I tried to estimate the company value of Eric Byre’s Tofino based on future sales, price and net profit estimates.

Let’s assume 50 units as an average sale size. This breaks down to 67 sales annually or a little over 5 per month. A conversion rate of 25% means we have to approach 288 potential customers this year.

Tofino was acquired by Belden in 2011 for a still unknown price. It’s likely that Belden did not acquire Tofino for future profit, discounted cash flows, from the product line. It was a strategic move to fill a perceived void in their offerings and perhaps for Tofino’s presence in large oil & gas. Whatever the reason, Tofino has languished at Belden.

The most grounded case for high ICS security company valuations is the technology and mindshare are worth more than the discounted future cash flows. For example, security vendors Tenable acquiring Indegy and ForeScout acquiring SecurityMatters adds ICS expertise to their offering. Many of the world’s largest companies produce products or services with ICS, and this capability could be the tail that wags the dog in winning those customers. The IT sales will dwarf the OT sales, but the OT capabilities may be required to win the customer.

Or there are straight technology acquisitions such as Microsoft acquiring CyberX for Azure and Cisco acquiring Sentryo to get the technology into their switches. The acceleration of their solution enhancements is worth a premium over a value calculation. There may also be a similar case for a large ICS vendor, Schneider Electric, Siemens, Rockwell Automation, etc., to acquire a security vendor to jump start their security services offering.

The challenge is this technology / mindshare premium is harder to justify as the companies get larger, and it appears we are entering the $100M round era.

Two weeks ago Armis announced a $125M Series D funding round at a post round valuation of $2B. In Q4, Dragos raised $110M at an unknown valuation. Despite my earlier admitted failings, I estimated the post round valuation to be in the broad range of $500M – $1B. Bob Ackerman’s prediction that there will be a few multi-billion dollar companies in the OT security space appears to be on track.

It’s common for early stage companies to have hockey stick financial projections and even to achieve them in early years when starting from a small base. The problem is when you look at the average sales price (which will likely go down for most product sectors), gross margin, number of products/services delivered to meet the projections, sales force and channels required, and the serviceable available market (SAM) the hockey stick is often impractical. Even more troubling is even if the hockey stick projections are met, it is hard to justify the company’s valuation/market cap by any value investing methodology, P/E, P/B, Free Cash Flow, etc.

Some markets segments are not too difficult to create forecast models, if you want to. For example, the North American bulk electric market are documented as NERC registered entities. The large petro-chemical market is also easily identified and scoped.

A value-based analysis is likely not worthwhile given market realities. The market cap growth of FireEye ($5B) and Crowdstrike ($53B) despite continued losses show a disconnect between market cap and value. The ICS security companies are much younger and are correctly given more latitude in financial storytelling.

This is not to say that value investing principles are the right way to value a company. The value of a company, or anything, is what someone is willing to pay for it. Today it is hard to argue with the more optimistic view of the size of the OT security market as measured by market cap. There is no sign that growth investing will fade and value investing make a comeback. There rarely is, until it happens and hard numbers rule the day.

Let me know in the comments how many $2B+ OT / ICS security focused companies you believe will exist in 2025.

Image Credit: Alan Greenspan.​ Wind and Fly LTD, 2021. 21 February 2021.