The rush of money into the OT security market continues to accelerate. Later and larger rounds have poured into the OT Visibility and Detection market leading to some companies being valued at over $1 billion. Early round money is coming into the OT SBOM / software and firmware analysis space, with a likely minimum of 5 – 10 vendors with an OT focus. There’s also a sprinkling of funding in other less competitive OT security market segments.
Venture capital and other investments are bets on the future. The most direct valuation method is discounted cash flows which are almost impossible to provide with any credibility in the OT security space at this point. Early markets estimates on the total available market (TAM), market share, gross margin, and other key numbers can be used to value a company. Quite frankly a lot of the venture bets are as much about belief and wanting to make a bet in the space in the event of massive upside as they are about detailed financial analysis.
Occasionally I’m hired by a VC to analyze a market or company they are considering investing in. I believe, with my sizable ego, that my analysis is quite good on competition, product, marketing and sales, team and most other areas except one … market size. Its gotten to the point where I tell the VC up front that it’s not a number I’ll provide. They have to believe in the market segment, and then I can help them pick likely winners or what the possible winners will need to win.
Why are my market size estimates, based on looking at the lifetime value (LTV) of a customer, total customers, and taking an additive approach, so much lower than others? I could crow that I’ve been right much more often than the industry studies that have shown massive and fast growing numbers in this space since 2010. There is no ignoring though how my numbers are way out of step with actual company valuations in the last two years, such as the $1B+ valuations of the leading OT security pure plays.
Profit does not appear to be an issue in OT security as it hasn’t been in much of IT security. For example Jim Cramer of CNBC said last week:
“Fast-growing and profitable are very different things. … Get rid of the fast growers that don’t have profitability … I love CrowdStrike. That is an incredibly fast-growing company. It won’t cut it … because it doesn’t make money.”
CrowdStrike has a market cap of over $45B, so a lack of profits isn’t a concern to many, yet. Will the same be true for OT security companies and for how long?
A more important question I’m pondering: Is there a criticality premium adding to OT security company valuations?
An analogy. Tesla currently is worth more than the top 10 car companies combined. Scott Galloway has a riff on Tesla’s valuation and how the virtually impossible number of cars it would need to sell to warrant that valuation even with optimistic profit numbers. The valuation makes no sense as a vehicle manufacturer. He then posits that Tesla is valued as a solution to climate change, which is a much larger market given it is viewed as an existential issue. (I’ve heard him say this on Pivot and his show, but can’t find a link. Put one in the comments if you find one.)
Are OT security company valuations, through investment or eventually public company market cap, going to take a similar path? The power, water, transportation, oil & gas, and other sectors rely on the availability and integrity of ICS. Society and our normal way of life breaks down quickly if the product or service they produce is unavailable. Are the valuations based on the incredibly large numbers if these systems go down due to a cyber attack rather than a financial analysis of product sales?
VCs may be investing in some abstract view of the market size to provide a reliable supply of critical infrastructure not in a specific OT security product or service segment. Much like the valuation of Tesla could be based on the value of solving or ameliorating the climate change problem.