Flush with cash and buzzing on the confidence that comes with sitting near the top of an emerging market during a strong economy, a handful of cybersecurity giants are lining up for a race where the winner could emerge as the nascent industry’s first dominant player.
Major cybersecurity companies spent the first half of 2019 exploring business deals meant to complement their core product offering: device security. The entire industry has been in on the action, though, with more than 80 mergers or acquisitions in the first half of this year totaling more than $22 billion, according to numbers compiled by Cybersecurity Ventures. Compare that to the 58 deals totaling roughly $24 billion over the same period last year, though the financial terms in many of the deals in both years were not disclosed.
The uptick is the result of a strong economy, and high valuations for security vendors that make it easier to sell equity, investors and analysts told CyberScoop. It’s also proof that the security market is maturing, and demonstrates how established companies are seeking to fill out their portfolio to offer a unified security service to Fortune 500 CISOs tired of stitching together hundreds of security products to protect their business. By buying startups, and bringing various tools under a single umbrella, companies with $2 billion to $3 billion in revenue are betting they can double their value, leverage their place near the top of the market and emerge as a true market leader, experts said.
“We’ve got a lot of different companies in this industry making spark plugs and headlights and windshields, but there’s not any companies out there building a real car,” said Bill Crowell, a partner at the venture capital firm Alsop Louie Partners and former deputy director of the U.S. National Security Agency.
Analysts previously suggested to CyberScoop that the number of cybersecurity companies could reduce by half within the next five to seven years. As consolidation accelerates, and market leaders emerge in niche areas, such as security analytics or containerization, Fortune 500 companies that rely on vendors to protect their data no longer will need hundreds of products on their digital shelf.
Mergers and acquisitions represent opportunities to accelerate that process. Take Palo Alto Networks as an example: The $27 billion company was founded in 2005 as a network security and firewall management provider, but it’s been on a shopping spree as part of an effort to ensure the firm can keep up with emerging security technologies.
Buying, not building
Palo Alto announced in May it will acquire Twistlock and PureSec to boost its own presence on containerization and cloud security technology. Prior to those purchases, Palo Alto announced in March it would spend $560 million on Demisto as part of a deal that could enable Palo Alto to enhance its third party application security tools.
Meanwhile, Palo Alto competitor Symantec confirmed it would acquire Luminate with an eye on updated its own cloud security offerings. Then, last week, Symantec sold its enterprise security business to Broadcom for $10.7 billion as part of what the Wall Street Journal described as the next logical step in building a business around software.
“A lot of these companies cut their teeth on physical devices and on-premises infrastructure, and we’re now moving toward a world of virtual devices and cloud infrastructure,” said Jon Oltsik, principal analyst at Enterprise Strategy Group, a market research firm. “So it makes sense for Palo Alto to push into newer areas because they can use that…as a pivot point to move [further] into the cloud.”
Security giants like Palo Alto are trying to get ahead of their clients, who want to buy more products from fewer vendors or have more connective tissue between standalone products, Oltsik said. With more visibility for chief information security officers trying to monitor their networks, Oltisk says, the consolidation “could ultimately mean stronger data protection in the corporate world.”
Palo Alto, in particular, has a long record of acquiring Israeli cybersecurity companies, in keeping with its own founder’s background. Palo Alto acquired LightCyber, SecDo and a number of other firms over the past decade which no longer exist as standalone offerings. Many of those founders have since departed, too.
“Sometimes companies aren’t around anymore because they offer technologies, but they’re not a full company,” said one vice president in the cybersecurity industry not authorized to discuss other organizations by name. “Because they were acquired by Palo Alto, does that mean they were the best product? It means they operated in the same circle as Palo Alto.”
Rohit Ghai, president of RSA Security, says his company is taking a similar approach. Acquisitions are “absolutely a priority” for the security giant, Ghai says, adding that the company also seeks partnerships where it can easily integrate new technology into RSA’s software tools.
RSA joined the behavioral analytics race last year when it acquired Fortscale Security, which uses machine learning to identify malicious anomalies. The company also partnered with third-party risk assessment provider RiskRecon, in a market that analysts expect to grow in the coming years. RiskRecon competes with SecurityScorecard and BitSight in the space.
“There are two strategies for consolidation,” Ghai said. “One is acquiring all these technologies and you offer buyers the convenience of commerce, where they buy all their things from you…The other approach is being deliberate about how it fits in your platform, and you offer customers a collection of integrated offerings.”
Cybereason CEO Lior Div told CyberScoop last week his company has explored the acquisition of an internet of things firm to boost Cybereason’s ability to offer services in that sector as it moves toward an IPO.
“You need to develop a technology that will be better than what’s been developed over the past 30 years,” he said.
“A company that cannot raise money to keep growing will not be able to do it.”
Other notable deals so far in 2019 have included Carbonite’s $618 acquisition of Webroot, FireEye’s $250 million Verodin takeover, Imperva’s acquisition of Distil Networks and Insight Partners paying $780 million in cash for the threat intelligence provider Recorded Future.
Success not guaranteed
While companies like Cisco have a long track record of buying companies then pushing them to thrive — Duo Security now has access to far more clients than it did before last year’s $2.35 billion deal — there have been many instances when big players fail to invest in their new partner, and allow the technology that initially made a startup so appealing go stagnant. Cisco has acquired security vendors for years, spending $2.7 billion on the intrusion detection company Sourcefire in 2013 and $635 million for the filtering service OpenDNS in June 2015, among others.
Between 30% and 40% of merger and acquisition deals in the security industry are considered “successful” by enterprise customers, said ESG’s Oltsik. OpenDNS still is in operation, while Sourcefirce was folded into Cisco when it was acquired.
“They fail if you don’t take care of the founders and they leave, you don’t invest in the company, or you go too fast and create a mismatch,” he said.
These deals are often considered successful when the acquired company is allowed to continue on the path that made it such an attractive startup in the first place. That means the original founders are incentivized not only to remain a part of the company, but continue developing new products. To grade the deal, client CISOs monitor whether their startup maintains its prior release schedule, whether sales executives keep their jobs and how long it takes the vendor to respond to customer inquiries.
Analysts cited IBM’s 2006 acquisition of Internet Security Systems, when customers complained the network security provider was positioned as a service, rather than a product, and HP’s 2010 acquisition of ArcSight, when key sales staffers were replaced, as failures.
“There’s not an example I can think of where a company has been successful in rolling a number of these products together,” said Crowell.
“The problem with acquiring companies too early in their lifetime is that those products haven’t established themselves in the market, and customers haven’t been able to buy into the product of those relationships,” he said. “Most of these companies are in the $2 million to $20 million revenue area, and that’s just too early to know if they’re going to make a difference.”