Advice for CISOs on the SPAC Craze

My mother told me to never bite the hand that feeds you – and yet, I may be doing so here, if only just-a-tad. Full disclosure: At TAG Cyber, we’ve been directly involved in supporting SPAC initiatives across the cyber security industry, both as advisors to venture capital, and as independent experts serving rich investors. So, to those of you with whom we are engaged, I hope you will continue to solicit our services. We’re open for business.

That said, let’s take a moment to provide some honest advice to CISO practitioners. And I will start by explaining a SPAC. I first heard the term from my friend Don Dixon at ForgePoint Capital who asked me last year what I thought of SPACs. My mind immediately began to spin through the possible expansions: Security Policy Access Control? System Protections for Authentication Consoles? Uh oh. Sorry, I admitted to Don. I have no clue what a SPAC is.

Here is what I soon learned: A Special Purpose Acquisition Company or SPAC involves financial experts setting up a shell company that then acquires another company. In the case of cyber security, the acquired company is usually a private commercial vendor doing between $20M and $150M in revenue with presumably good future prospects for growth. Like any IPO, the SPAC is designed to raise funds from investors seeking nice returns.

SPACs are popular with companies because the acquisition and resulting merger can be done much more quickly than a traditional IPO – sometimes in multiple weeks versus large portions of a year. Weirdly, at least to me (and yes, I attended Columbia Business School, but that makes me no corporate finance expert), the investors write checks blindly into the SPAC, not even knowing the eventual acquisition targets. Go figure.

Anyway – the reason for this note is that I am being asked by our enterprise security customers literally every day what they should make of this SPAC craze, as they often describe it. After having answered the question many times, I thought it would be helpful to share my guidance here. My lawyer reminds me, by the way, that talking about such matters requires this: I am not offering investment advice. I am only offering operational advice to practitioners. OK?

Point 1: The SPAC process is less distracting for your vendor than IPO or even acquisition.

So, this first point is positive regarding SPACs. We like the idea that going public in this manner is smoother for your vendor than other options (oops, financial pun). We’ve seen great deals, such as the recent IronNet SPAC, move along smoothly with minimal impact to operations. In fact, SPACs will produce more working capital that should help your vendor improve its offering (good) and hire more sales reps (ugh).

Point 2: The convenient SPAC process will attract more vendors into the IPO market.

This second point is not 100% positive. Certainly, solution providers with excellent growth prospects and healthy revenue should consider the IPO route. But when mediocre vendors with sales propped up by POCs start to get pulled into SPAC offerings, CISOs should begin to worry. We advise that they watch carefully in such cases. If a vendor quadruples its marketing post-SPAC with minimal improvements to the platform, then beware.

Point 3: All IPOs distract your vendor from serving your needs.

Sorry, but despite what your vendor’s CEO promises on the phone, and what your sales rep swears to you would never, ever happen, this one is true: When any vendor goes through a massive financial change of status, it distracts literally everyone in the company. Yes, for SPACs this is minimized (see Point 1), but at a time when enterprise teams are having their cyber tires rotated by adversaries, the last thing we all need is for vendors to be distracted.

This last point summarizes my primary warning: Cyber security is best performed when the purpose is vocational. Every one of your vendors, partners, and suppliers should be driven by one goal – and one goal only: To make society, business, and citizenry more secure. It should not be to make money – and while this is a perfectly acceptable goal for VCs and investors, it must not be the primary driver for leadership teams.

Advice to enterprise teams: Keep an eye on this. If your primary vendor is going through a SPAC, then maybe it would be good to double the number of check-in meetings you have with your representative. It might also be a good idea to double up on the diligence in the KPIs and metrics you use to track their performance. Do not accept any dip whatsoever in their support. Their decision to go the SPAC route must never, ever increase your cyber risk.

Let me know what you think.