Mike Privette: “Getting funding takes three years in Europe, six weeks in the US”

The cybersecurity sector is not a winner-take-all field, says Mike Privette, cybersecurity economist and founder of Return on Security. The investment opportunities are there, they are ever increasing, and they can be found outside of the US too. But why is the European investment landscape still lagging behind?
Mike’s unique position, bridging the gap between cybersecurity and economics, offers valuable insights into why European startups struggle to compete with their US counterparts, and what needs to change for Europe to stay competitive in the global cybersecurity landscape.
The accidental entrepreneur
Working as a security engineer, a team leader, and a CISO, Mike built up frustration by repeatedly having to explain the same concepts to venture capitalists and startups. “I found myself having to write things, explain things over and over again, which really annoyed me as an engineer,” Mike recalls.
This frustration led him to start Return on Security in 2020. However, what began as a side project, as a private newsletter, has now evolved into a comprehensive platform analyzing the economics of the cybersecurity industry worldwide.
Now based in London, Mike has made it his mission to meet every UK and European investor in cybersecurity – a task that would be impossible in the US. “I jokingly say that I went to a breakfast one day, and there were like thirty people there, and I thought, well, that’s about all of the Europe and UK cyber investors in one room,” he says, highlighting the stark difference in the size of the investment landscapes in the US and Europe.
A database spanning decades
Since founding Return on Security, Mike has been meticulously documenting every public transaction in the cybersecurity industry worldwide. His database stretches back to 1982, capturing historical milestones such as the first funding of Norton AntiVirus.
This comprehensive database enables him to track trends across different timescales – comparing developments week over week, month over month, or year over year. “My goal is to capture every single transaction in cybersecurity around the world that’s public,” Mike explains.
Next month, Mike will publish his highly anticipated annual global report. “It’s probably the most read and most shared post I write all year,” he says. The report will provide a comprehensive overview of what happened across sectors, including mergers and acquisitions and investment trends worldwide.
A tale of two different investment cultures
The cybersecurity investment landscape in the US thrives on speed and scale. Investors and entrepreneurs alike move fast, and with the right people, a VC fund can be closed and fully allocated within six weeks. This doesn’t necessarily mean you can start writing checks within six weeks, but momentum is everything in this industry. In Europe, however, this whole process might take two to three years, Mike highlights.
This disparity extends beyond timing, since, as Mike alluded to earlier, the number of early-stage investors in cybersecurity differs dramatically between continents. While Europe tends to focus on later-stage, more debt-focused, and credit-backed investments from larger institutions, the US embraces early-stage venture capital.
“In Europe, there’s a shockingly low amount of early-stage investment when it comes to cybersecurity,” Mike says. “In the US, and in Israel, It’s very much the norm to be an entrepreneur, make investments, and take VC funding. But this doesn’t happen that much in the rest of Europe or the UK – their approach is much more cautious, waiting for companies to become more mature and established.”
The numbers starkly illustrate this investment disparity. In 2023 Europe saw 59 early-stage cybersecurity investments – including angel, crowdfunding, pre-seed, seed, pre-Series A, and Series A rounds. This pales in comparison to the United States’ 233 early-stage investments in the same period. Perhaps most telling is that Israel – a country with less than 2% of Europe’s population – generated 38 early-stage cybersecurity investments, demonstrating a per-capita investment rate far exceeding that of Europe.
Europe’s regulatory-first approach, while protective, can hinder innovation, Mike says, arguing that this contrasts sharply with the US’s minimal intervention strategy which has enabled it to become home to the world’s leading AI companies. At the recent Web Summit, the European Investment Fund announced a €90 million investment into Portugal’s tech and AI ecosystem, acknowledging the need to address these barriers and stimulate innovation – and more of these initiatives are coming.
However, the cultural differences run deeper than regulation, Mike adds. “In Europe, there’s often a strong cultural value placed on traditional career paths – ones with contracts, stable incomes, and pensions. This can sometimes lead to uncertainty about digital entrepreneurship and tech careers, which follow different patterns and may be less familiar to many people.”
This cultural divide manifests in how success is measured. “The US has a higher standard of living but a lower quality of life potentially, whereas Europe has a much higher quality of life, but the standard of living is lower,” Mike observes. “It’s capped on the lows, but it’s also capped on the highs, where the US is uncapped high and low.” This uncapped nature of the US system helps explain why entrepreneurship is more culturally celebrated there, though entrepreneurs still represent a minority of the population.
Why European founders flee to the US
European cybersecurity startups face a challenging choice: stay local or go global. With about 80-90% of cyber companies ultimately selling to the US market, many choose to establish themselves there.
“Why bother in a small market, when you have a much better chance of success in a larger market?” Mike asks, trying to illustrate the typical mindset. “And the flight of European talent isn’t just about market size.” Unlike other sectors – think about social media for example – cybersecurity isn’t a winner-take-all field. “There can be ten companies that effectively do the exact same thing, and almost all of them can survive pretty well, and about half of them will get acquired by bigger companies,” Mike says.
The path forward
Recent developments suggest change is coming. For example, Mike also notes an emerging trend where companies adopt a dual-continent strategy or establish themselves in the US to then expand to Europe.
And the opposite is happening too: US funds are increasingly setting up secondary funds in the UK or Europe to tap into local innovation. Mike cites Forgepoint Capital’s new London office and Ten Eleven Ventures opening a London office in 2022 as examples of this trend, along with several other billion-dollar funds looking to expand globally. This doesn’t include the small, but growing strength of a few European-based VC funds with a focus on early-stage cybersecurity, like Osney Capital, IQ Capital, and Nauta Capital, to name a few.
As someone who invests globally himself – in companies from France to Australia – Mike sees potential in Europe’s cybersecurity ecosystem. But realizing this potential will require fundamental changes in how Europe approaches innovation, investment, and risk-taking in the cybersecurity sector.