The Margin Crush is Coming in 2024
Decreasing margins in 2024 will make acquisition numbers jump.
Costs are rising, prices are coming down, unit economics are going sideways, and cybersecurity startups must adapt. Cybersecurity SaaS businesses are undergoing several significant changes that will hurt the broader market. This is what it all means.
A Quick Primer on Margins
Here’s a quick lesson for those not versed in success metrics in software businesses. Gross margin is the difference between the cost to make software and the price at which you sell. There are many different types of “margin,” but the image below represents the most common math used in cybersecurity businesses at the board level.
Traditionally, in a software business, it’s widely believed that 85%+ is a good level of expected gross margin on software you sell. In board meetings everywhere, investors and business leaders track margins to ensure you aren’t losing money on each new subscriber to the business. This directly ties to the unit economics of the business and is a great way to determine how successful any business will be over time.
Business Math Basics
Now that we have the introduction aside, here’s the exciting part of the story. In 2022 through 2023, the world saw unit economics for subscription businesses start to change. The macroeconomic conditions in the United States put significant downward pressure on the price at which we could sell software, resulting in a lower revenue number. Businesses had to cut their prices to continue driving sales and extend their runway without returning to the investors in a down business cycle for more funding. If they didn’t lower their prices, they sold less software (or possibly both things happened), and revenue dipped either way.
At the same time, we have seen a continued increase in the price of cloud services required to build modern SaaS software businesses. Cloud services, specifically storage and read/write activities, have dramatically increased the cost of running a SaaS software business. This is represented in the gross margin equation's denominator and again puts pressure on the result.
All businesses will suffer when they see a top-line decrease in price and, therefore, revenue, coupled with a bottom-line increase in cost. Add to that the fact that cybersecurity products are going through a reinvention that requires a significant increase in the storage of large quantities of contextual data, and we see not just an increase in cost but an explosion in the bottom line of the margin equation.
See my piece on the Next Era of Cybersecurity Capabilities for more details on this reinvention.
All this “business math” leads to a lousy situation for software-as-a-service cybersecurity startups. The idea that we will be able to keep 85% margins on successful businesses in the future is becoming a fallacy. In the next 12 months, successful SaaS cybersecurity companies will see acceptable margins drop to the 50-60% range. Because of this, we will have to decrease the size of our sales and marketing engine, lower the number of engineers available to grow the business, and rely on things like AI and co-pilot style development to ensure that we have a stable and prosperous company.
The only other option will be to re-engineer our SaaS products to operate in a hybrid on-premise and cloud model or create BYOC solutions so that compute and storage costs can be passed through to the buyer of the product. By requiring the buyer to create their own storage and compute nodes to run our software, we can keep the cost of goods sold to a minimum and continue to see the traditionally high gross margin levels.
The Trickle-Down Effect of Pricing Pressure
Higher gross margin means higher valuations in both private and public companies. As you can see in the chart below from CloudZero, as the gross margin increases, so does the value of the business. The valuation is very important when it comes to raising capital, M&A, and stock options for your employees.
Price pressures, increases in cloud costs, and the resulting valuation decreases will result in a race to the gross margin-bottom for many markets. The best business leaders will rightsize their business expectations, allowing them to execute on a much longer timeline and, if possible, reach profitability well before initially intended.
The Impact On Investment and M&A
Venture capital is designed on a power law model, meaning that a select few investments return the entire fund, while most invested businesses go to zero. Suppose existing SaaS cyber companies retool their business to become profitable quicker instead of building towards the massive growth exit. In that case, it will permanently upset the apple cart that is venture investment in early-stage SaaS companies. This will decrease venture investment in the future due to limited returns to the venture LP base. We’re already seeing this in private funding numbers as tracked on Crunchbase.com.
When markets decrease in size and value, companies within them become logical acquisition targets for rollups and strategic acquisition plays. Most private equity investors are happy purchasing a company that is growing in the 10-20% annual range as they will inject efficiencies post-acquisition to help them get to scale and profitability as soon as possible. If the net impact of cost and margin changes identified earlier come true, the companies will better fit private equity than traditional venture investment. This will result in an increase in exits to private equity firms in 2024 for cybersecurity-related SaaS companies. Those companies with significant scale will be the first to be snapped up.
The Big Winner - At Scale Contextual Security
Healthier companies are an easier acquisition for strategic acquirers as well. Consider the Palo Alto Networks and Cisco Systems style, publicly traded companies out there. They both reinvented themselves not by innovating internally but instead by acquiring emerging cloud and application security companies to become dominant players in the market. Strategic acquisitions from large companies such as these, looking to increase the amount of contextual data under their control, will increase in quantity as SaaS-based cyber companies make themselves look pretty from a margin perspective. The end result should be an increase in momentum around the contextual cybersecurity data play and a significant move by major cyber vendors looking to unify the global cybersecurity market.
Let’s Go Out On A Limb - An Odd Prediction
As a closing thought and a long-shot bet, I have a final crystal ball prediction. Suppose the gross margin impact prediction comes true and the cloud services do not correct their pricing. In that case, we will eventually see hybrid hardware and bring your own cloud offerings take over for SaaS software only as businesses move to the on-premise approach and look for optimizations in speed and pass-through cost on the customer site. This will directly result in a rethinking of cybersecurity responsibilities and again require the CISO to reconsider where she places her trust.
Because of the impact of cloud costs and decreasing margins, I believe that there will be less cloud-focused innovation and less financial capital injection into young cyber software-as-a-service startups in the coming years. Services approaches and on-premise models come in waves, and I believe we are cresting the peak of a recent wave. The era of insane exit multiples and crazy returns for SaaS-specific cybersecurity investing is over. Lick your wounds. Exit what you can in 2024. And find a new way to make money.