The demand for effective cybersecurity solutions is there. A sentence that’s not in dispute thanks to the proliferation of increasingly sophisticated cyberattacks coupled with the widespread adoption of cloud computing and IoT technology.
As the repercussions of cybercrime get more expensive, businesses are allocating more and more resource to their fighting funds and to that end, according to Cyber Security Ventures, global spending is set to hit $1 trillion by 2021. And, so says Capstone Headwater’s Cybersecurity report, ‘cyber criminals and nation-state actors continue to penetrate information technology (IT) networks and sensitive infrastructure, companies offering innovative and effective solutions are poised to capture further market share and higher valuations.’
Who’s Buying Who?
Our very own Stephen Dorling says that ‘there’s lots of VC money being pumped into cybersecurity start-ups (including the $340m raised by Netskope back in February) and as with all innovative businesses, they cement places on the radars of VCs and the big players and many will be acquired.
Now seems like the perfect time to introduce some lovely, big-money stats on 2019’s top 10 big spenders –
1. Broadcom buys Symantec’s enterprise security business for $10.7 billion
2. Thales complete the $5.4 billion acquisition of Gemalto
3. Francisco Partners and Evergreen Coast Capital Corp buy LogMeIn for $4.3 billion
4. Thoma Bravo spend $3.9 billion buying Sophos
5. VMWare bought Carbon Black for $2.1 billion
6. Open Text buys Carbonite for $1.42 billion, who then buy Webroot for $618 million
7. F5 buy Shape Security for $1 billion
8. Jacobs Engineering spent $815 million on KeyW Corp
9. Insight Venture Partners acquire Recorded Future for $780 million
10. Orange buy SecureLink for $577 million
In 2019, there were over 150 deals totalling more than $23 billion and perhaps the most interesting element of these deals – notwithstanding the eye-watering amount of money involved – is the breakdown of the deals –
30% of all deals were for security services providers, identity and access management accounted for 22%, network and endpoint security 15% and anti-malware 11%.
When mergers and acquisitions happen (across all industries), the default position for many is that the newly-created company (or the same company with new owners and ideas) will lose the personal touch that the original company had, they’re only interested in their bottom line and instead of speaking to the same person we’ve spoken to for years, we’re now going to be re-routed through an anonymous call centre or a junior account manager looking after dozens of accounts.
On the flip side, the products remain robust and they solve the problems you face and even better, more solutions will be available from a single vendor which reduces the need to shop around. Stephen put it slightly better – ‘M&A could present potential consolidation opportunities within your stack’ – but of course there are also risks.
That said, 2020 is set to become a landmark year for industry consolidation.
But It’s Not Just About Money – Consolidation Is A Challenge
The demand and the need for more unions is there but, according to Mimecast Content Manager Renatta Siewert, ‘despite the benefits decluttered environments bring, the process of removing or updating tools that have been consolidated can be a challenge.’
As consolidation takes place across the industry, we will see fewer vendors and, says Marc French, CISO and MD of Product Security Group, ‘If you had seven vendors, you could be down to three, and you have to be prepared for the projects you had planned that should be restructured due to market moves. Also, due to platform companies that offer endpoint solutions or other tools as a package, I predict organisations will end up with a handful of single-platform solution providers running the bulk of your security protection environment.’
The new breed of cybersecurity start-ups with great ideas remains a waterfall of innovation but like all small companies with aspirations, the end goal is acquisition and a life driving the newest Lamborghini to and from the Cote d’Azur (even if that’s not freely admitted) and while no-one is throwing out their SIEM or antivirus, Sam Curry, CEO at Cybereason says that ‘the industry is likely to see the brands that have dominated it for 20 years fade and a new crop of midsize companies emerge in a healthy rejuvenation of the industry.’
Think what Manchester City, Liverpool and Leicester have done for Manchester United over the last few years…
The implication however is that with the emergence of new players on the scene, customers must also prepare.
How Do You Assess The Implication Of Security Vendor Acquisition On Your Business?
When and if your particular security vendor is acquired, the onus is on them to alleviate your fears and to provide future plans and timelines in relation to the products and services you deploy in your environments but to ensure a smooth transition and to guarantee business continuity, CISOs can conduct their own due diligence.
Mimecast has a five-point plan:
1. If your vendor has not yet communicated future plans and timelines after an acquisition has been announced, reach out and explore the possibility of having a meaningful conversation about changes that may impact your business – for example, will your product or platform be enhanced? How can you reach an understanding about the future product roadmap? Additionally, the acquiring company will want to keep existing business, making it likely there will be official communications about the deal that include product roadmaps.
2. Review SLAs and contracts to understand the scope of service, because upon renewal, the new entity will likely want to institute new contracts, perhaps a new pricing structure, or another change that will impact SLAs.
3. Conduct an audit of the security vendor’s performance – does it adhere to the SLA, and is it a mission-critical tool?
4. Reflect on the goal of the acquisition; if the acquiring company purports to add value to existing customers by improving on existing products and broadening in other areas, the move may be a positive one. If, however, the deal was made as a cost-cutting measure, it will be prudent to review contracts and discuss future plans as soon as possible.
5. Related to this, review whether the new vendor’s solution will be an add-on to its existing product suite, or if it is likely to be a multi-solution platform.
There’s always risk involved when using a third-party tool in your environment and Kristyn Ulrich, VP of Corporate Development at Mimecast goes one step further. ‘If you’re a customer who has selected an early-stage vendor for your security environment, you know there’s a chance they won’t be there tomorrow.’
We use tools or services because they suit particular business needs and we hope that if they get acquired or they merge with someone else, the T&Cs we signed up to at the start carry on for the duration of our time with them but that’s not always the case, hence the risk.
For many of the companies involved – not all, but many – it’s about getting through the transaction but it shouldn’t be. It should be about being a better company and letting customers know they’re getting value for money, as they always have.
Because of the nature of the industry, we’ll keep seeing new threats and that opens up the door for more and more start-ups and point tool vendors. Krystin Ulrich says that ‘As we see the types of valuations that these firms will get as deal making heats up this year, it entices new companies to enter the market. There is a point at which any mature market reaches the peak of its consolidation, and growth rates tend to taper off. I don’t think we’re there yet, and the threats are so vast that it is hard to see that happening anytime soon.’
Contact us today on firstname.lastname@example.org or call 020 7078 0789 and we’ll talk cloud and email security, communications platforms, cutting-edge IT solutions or what would you prefer to happen, your team winning the Premier League or England winning the World Cup?