Alert: Cyber-shark sighting

Robert Herjavec, star of ABC’s Emmy Award-winning hit show Shark Tank also stars as CEO of a Canadian startup who became the world’s largest independent pure-play cybersecurity services company. This isn’t a new TV show, it’s real-world and Herjavec has been playing the role since 2003. “Herjavec Group” is a break-out success and a much bigger audience is starting to watch.

If you’re a corporate CSO who hasn’t tuned in yet, here’s the story:

REUTERS/Danny Moloshok

Toronto, a thriving metropolis with skyscrapers looking out at Lake Ontario, is North America’s third largest technology hub, with the most fiber optic cable of any North American city. Herjavec’s namesake firm – Herjavec Group, is headquartered there.

The firm plays in the global cybersecurity market, defined by market sizing estimates that range from $71 billion in 2014 to a whopping $155+ billion by 2019.

“When Blackstone moves into your neighborhood, you know it’s a good neighborhood” says Herjavec, referring to the cybersecurity industry. Blackstone Group, the world’s largest private equity firm has been making notable investments in to cybersecurity companies over the past couple of years.

Herjavec Group started out in 2003 with three people selling CheckPoint firewalls to Canadian corporations, then quietly built up over the years to become Canada’s largest information security services provider. Along the way they expanded into the U.S., and recently made a push into Europe. The firm has annual revenues of $150 million, and it has grown by 100% over the past year (from June 2014 to June 2015).

Private company cybersecurity exit valuation multiples have a median of about 5x revenues. Using that multiplier, Herjavec’s company would be worth $750 million – if it was selling. If you want to factor in the CEO’s star power and move the valuation multiple needle to the high end at 10x, then Herjavec Group would be worth $1.5 billion.

Before you start thinking merger or acquisition possibilities, Herjavec says he isn’t selling the company… now. But he is planning on selling a lot of cybersecurity to Global 2000 corporations over the next few years as part of an ambitious plan to double his company’s revenues, do more business in the U.S., and further expand internationally.

Can the business scale, and how much? That’s the main storyline. Scale is shark vernacular and VC napkin scratch for growing a company around a turnkey digital platform, or cookie-cutter business model. Herjavec Group is a ‘services’ business – the hardest type to scale because the need for more people grows along with revenues. But the firm does almost half its business as an MSSP (managed security services provider) – a productized outsourced security service offering – that can scale.

The plot thickens

Robert Herjavec is the underdog going head-to-head with Mark Cuban to become the #1 Tech Shark. Neither one of them has publicly said so. But if you watch Shark Tank, then you know the competitive drive these two have – and the jabs they throw at each other.

Cuban’s big score was the $5.7 billion sale of his internet company Broadcast.com to Yahoo! in 1999. Broadcast.com’s revenues were just $22.4 million when it was acquired.

Herjavec says he plans to double his firm’s revenue in the next few years. If he does, then a 10x multiplier on revenues at that time would put the value at $3 billion. Herjavec Group is already generating seven times the revenue that Cuban’s Broadcast.com did when it sold.

Cuban is the high-profile owner of the Dallas Mavericks which is worth $1.15 billion, according to Forbes’ January 2015 Report on NBA Team Valuations. The Mavs revenues at that time were reported at $168 million… not much more than Herjavec’s business.

When Herjavec Group entered the U.S. market last year, they coincidentally opened an office in Dallas. Or was that really a skybox for Cuban to watch the cyber action?

Another way to measure these Sharks is by their net worths. According to Forbes and other sources, Cuban has a net worth of around $3 billion. Herjavec has a net worth of around $200 million.

Both men are invested into other business ventures and industries. But this matchup is for bragging rights in tech.

If Herjavec can double his revenues as a pure-play cybersecurity company and expand globally, then the rare air of a 20x or higher multiple is possible – and he could be looking at a $6 billion valuation… a number that exceeds what Yahoo! paid for Cuban’s Broadcast.com.

Flashback

Herjavec Group moved from selling firewalls in its first few years to an expanded product portfolio when it acquired MetaComm in 2006, McAfee’s (now part of Intel’s Security business) largest partner in Canada and one its largest in North America.

By 2007, the firm’s revenues had climbed to $16 million – and in 2008 the company opened offices in Quebec City and Calgary.

In 2010 Herjavec Group acquired Cyberklix, a leading managed security services provider. On the heels of that acquisition, it announced a state-of-the-art, PCI-compliant, federally cleared SOC operating 24/7/365 and supported by certified technical experts. That SOC, and the firm’s ability to expand it and replicate it in other locations, became the cornerstone of its growth strategy.

Revenues soared to $120 million by 2012, and the firm had six offices throughout Canada.

In between the cyber acquisitions, Herjavec Group acquired a few IT services companies and dabbled in storage before locking down on cybersecurity as its sole focus. They cross-trained the technical people from those acquisitions into cybersecurity.

In 2014, the firm announced a three-year $250 million expansion plan, and it acquired Sentry Metrics, another MSSP out of Toronto. The firm also opened its first U.S. offices in New York and Dallas.

In February of 2015, Herjavec Group announced its acquisition of Reading, UK-based Sysec, pushing into the European market. Sysec has 50 professionals specializing in information, identity and infrastructure security, offering managed, consulting and professional services to more than 200 enterprise clients across the UK and Europe.

Leading man

Herjavec, 51, points out that Shark Tank only requires 17 days a year of filming… and even during breaks between watching entrepreneurs pitch the Sharks – he’s talking to his business staff and customers, and closing deals.

Herjavec says he was caught off guard by the time demands of his Dancing with the Stars appearance. The TV show has professional dancers pair with celebrities to train and compete in ballroom dancing. Herjavec says he never expected it would take 79 days of filming.

Despite celebrity status, Herjavec insists he is squarely focused on his cybersecurity firm, and being CEO is his full-time passion. He says there are staff in place to help with his Shark Tank investments so it doesn’t become a time drain.

Herjavec doesn’t view himself as a bloodthirsty money-hungry predatory shark, and he certainly doesn’t come off that way. He notes that CSOs need sharks like him who can help defend their corporations from cyber-attackers.

Herjavec sees himself as a shark who defends his customers. He says that corporations need a shark mentality to help protect them from cybercriminals.

Cast of characters

The school of cyber-sharks swimming alongside Herjavec since he founded his firm include co-founders George Frempong, senior vice president of sales, and Sean Higgins, CTO. Working together for 15 years – and having known and worked with each other for years prior to that – the three of them and a couple of other corporate managers reflect a management style that is fiercely loyal to its people and their career goals.

The most valuable people are Herjavec Group’s corps of cybersecurity professionals. The company employs expert cybersecurity advisers, consultants, incident responders, engineers and SOC (security operations center) staff.

Herjavec’s partners deserve credit too – and he singles out Splunk and Exabeam as two who provide key technologies that are integrated in to Herjavec Group’s proprietary SOC platform. They use Splunk for logging and analytics, and Exabeam for identity management.

Recruiting

Herjavec Group will need to recruit new cyber-talent, and retain its current staff in order to meet its ambitious growth plans. That’s no easy task, especially in the U.S.

There’s a labor shortage in the cybersecurity field. More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years, according to a Peninsula Press (a project of the Stanford University Journalism Program) analysis of numbers from the Bureau of Labor Statistics.

[ ALSO ON CSO: 10 common misconceptions about security professionals ]

The firm has some distinct advantages to meet this challenge. They offer an opportunity to work for a celebrity, and that is definitely a calling-card whether the company intends it to be or not. Herjavec says the biggest benefit is working for a company on the cutting-edge of cybersecurity. As a large pure-play cybersecurity services firm, they are constantly on the most exciting projects that teach and challenge their technical experts.

Competitors

There’s a formidable list of competitors that Herjavec Group is going up against, including large cybersecurity professional services divisions within major tech companies.

IBM Security, the cybersecurity arm of tech giant IBM Corp., would be a $1 billion plus business if it were spun out on its own. IBM’s Managed Security Services is an industry leading MSSP.

BT Group plc, trading as BT, is a British multinational telecommunications services company with head offices in London (UK) with operations in around 170 countries. BT’s Managed Security Services business is a major player in the MSSP space.

NTT, headquartered in Tokyo Japan, is the world’s largest global IT and telecommunications services company. They acquired the leading pure-play MSSP company Solutionary, headquartered in Omaha, Neb., two years ago in June 2013, and they’ve been gaining traction in the market ever since. The MSSP is run as its own brand – Solutionary, an NTT Group Security Company.

That’s just to name a few of the bigger tech outfits who play in security.

On the opposite end of the spectrum there’s dozens of smaller MSSPs that are attempting to build up as regional players in local markets, and in industry verticals. Herjavec Group has a distinct edge over these companies with its own world-class SOC. Many smaller MSSPs rely on third-party technology platforms to deliver some or all of their services.

There’s also the cybersecurity product vendors who provide services around their own technology. Market leader FireEye offers its FireEye-as-a-Service, which resembles a Managed Security Service and Managed Security Services Provider (MSSP) arrangement.

Herjavec Group is an inch wide and a mile deep in cybersecurity services and its MSSP offering, and well-equipped to compete against the bigger tech brands and the smaller up-and-comers.

Herjavec points out that while IBM’s security business is big, it might only make up 1 percent of IBM Corp.’s total revenues – and he wonders how important security is to them in the context of everything else they do. IBM did grow their security business by an impressive 20 percent in 2014, but Herjavec Group grew five times faster during that same time period.

IBM reported Q1 2015 revenue of $19.6 billion for the quarter, $100 million less than analysts had predicted and down 12 percent year to year, according to Forbes. IBM’s cloud business saw growth of 60 percent, and Cloud-as-a-Service took in $3.8 billion in revenue. IBM’s business analytics was up 12 percent.

It appears IBM’s future success is tied to next-generation technologies. Considering IBM missed on revenue in Q1 2015 for its eighth of nine quarters in a row – even with its cloud and analytics businesses trending up, we expect to hear a lot more about IBM’s security business in the latter part of this year and in 2016.

Customers

Herjavec says Global 2000 corporations are his firm’s primary target.

While the largest corporations do not typically outsource their entire cybersecurity stack and are not the top candidates for MSSP services, there’s still a big opportunity with them. Herjavec Group has deep expertise in logging, analyzing, reporting, and responding to security alerts. Log analysis isn’t ‘sexy’, but it’s in high demand… it is a tedious but mission critical task faced by all large corporations who are largely under cyber-staffed – and Herjavec Group has the people and technology who can do it.

Moving down the list of Global 2000 corporations, the sweet spot for MSSP services are companies in the market for a hybrid or fully outsourced security provider.

By 2018, Gartner projects that more than half of organizations will use security services firms that specialize in data protection, security risk management and security infrastructure management to enhance their security postures.

Infonetics Research says the managed security market will exceed $9 billion by 2017, in its “Cloud and CPE Managed Security Services” report.

Herjavec Group is aligned to these trends and the corporations who will be in the market for MSSP services.

North American expansion

Herjavec Group is new to the U.S. and closed its first deal there just over a year ago. It also closed the largest deal in company history with a U.S. customer. To say the U.S. business is growing quickly would be an understatement. The company posted $10 million in U.S. revenues in 2014 – which by any standard is off-the-charts for a new entrant. For 2015 the company has already generated $20 million, and they aren’t even halfway through the fiscal calendar year. Herjavec says one of the their major wins is a U.S. customer who is the world’s largest gaming company.

North American Managed Security Services will reach $3.25 billion in market revenue by 2018, according to research firm Frost & Sullivan. Herjavec Group currently derives about 40% of its revenues from its managed security services.

Going global

Herjavec has been doing his homework studying global regions ripe for MSSP services.

Frost & Sullivan researchers predict the EMEA MSSP market will reach $5 billion by 2018, almost $2 billion more than North America. “Threat intelligence, research, detection and remediation services are likely to grow at a rate twice that of security asset monitoring and management, becoming a critical focus area that will distinguish market leaders from the rest,” stated Network Security Industry Principal, Frank Dickson.

Herjavec Group has used the Sysec acquisition to set up its European headquarter in the UK, and tap into an explosive growth opportunity for MSSP services.

Acquisitions

Despite Herjavec Group acquiring several companies, it is not its fundamental growth strategy.

Herjavec says acquisitions are really difficult now. The better MSSPs have already been acquired during a period of intense M&A and consolidation over the past few years, and the valuations of private MSSPs are way too high.

The best acquisition targets are cybersecurity professional services firms who have people that can be cross-trained on to the MSSP side of the business.

When Herjavec group enters a new region, it builds a SOC from the group up. The firm essentially ghosts its technology platform in order to increase capacity or serve new geographies. You might think of this as its secret sauce. It is a much better strategy than acquiring other MSSPs with dislike platforms.

Looking ahead

Herjavec will continue to star as CEO at his firm, and there’s no plans for that to change. He says there’s infinite opportunity in the fast-growing cybersecurity industry, he loves what he does, and he gets a sense of fulfillment by helping to protect and make the world a better place. Herjavec points out that the basic premise of doing business is trust, and his firm helps to protect that trust.

His firm may look to outside investors for help financing expansion into additional international regions including Australia and Asia.

The rest of 2015 and 2016 should be interesting.

Is Herjavec a great white Cyber-shark in disguise – who will swallow other cybersecurity firms and MSSPs as he ventures out to deeper seas? Will he roll up a $300 million global cyber brand in the next few years like he says?

It is interesting to ponder a liquidity event down the line as the final episode.

Maybe Herjavec sell-offs and delivers the knock-out blow to Cuban.

Maybe Herjavec and Cuban emerge from the Dallas skybox to announce a joint venture deal and become the cybersecurity power couple.

You never know. Stay tuned to Herjavec Group!