For many industries, the pandemic was a time of economic uncertainty, great technological change and reflection about where they and their services fit into a post-COVID reality. For the bolder actors targeting acquisitions in the cybersecurity industry, it was apparently a time to sell, buy and make money.
According to research from technology consulting firm Forrester evaluating 120 cybersecurity acquisitions in 2020, many executives viewed the pandemic as an opportunity to strategically buy low and add new cybersecurity capabilities or highly qualified staff to their business. In interviews with more than 50 executives conducted in early 2020, about half said they would pause their merger and acquisitions, but those who decided to push on were more likely to follow their pre-pandemic buying strategy or opportunistically target distressed companies or new, noncore technologies and solutions.
Nowhere were these trends more prominent than the cybersecurity market, which was able to leverage mass digitization during the pandemic and a heightened profile from waves of damaging supply chain and ransomware attacks to attract record levels of acquisition and outside investment.
“Even in an uncertain climate, cybersecurity companies are still attractive acquisition targets,” write researchers Meritt Maxim, Elsa Pikulik, Stephanie Balaouras, Benjamin Corey and Melissa Bongarzone.
The investment market in 2020 was replete with action from top dogs, both from outside the cybersecurity industry and within. Mergers that added new capabilities and talent to existing products or services accounted for 90% of the action. Private equity-led purchases were far less common, though 2020 and 2021 have seen a number of firms drop down big money for established or emerging security brands.
More than one out of every four of the 120 acquisitions tracked by Forrester were for security services companies, with major IT consultants and system integrators like Accenture, Deloitte and others buying multiple cybersecurity companies. No other technology or service came close to the 35 acquisitions in this space over the past year, though application security (14), data security (10), identity and access management (10), network security (10) and IoT security (9) were active areas as well. Other research looking into 2020 activity found that cloud security companies are also high in demand.
One potential reason so many service-oriented cyber companies are being snatched up left and right: it might ultimately be a cheaper and more direct way to add high-quality cybersecurity talent than the normal hiring process.
“The high number of security services acquisitions reflects growing enterprise demand for services and skilled personnel to help firms meet emerging cybersecurity challenges,” the authors noted. “Buying services may be more budget-friendly than hiring full-time employees, which was also a consideration during the economic uncertainty in 2020.”
By comparison, companies offering business continuity and disaster recovery or zero trust security solutions saw a lower frequency of deals, but ones that usually brought some eye-opening valuations with them.
For instance, in the BC/DR space there were only two purchases, including private equity firm Insight Partners purchasing Veeam Software for a whopping $5 billion at the start of the year. The seven acquisitions that involved zero trust companies (including the purchase of IT security giant Sophos by Thoma Bravo) averaged around $2.1 billion per deal. That’s about four times higher than the price paid for the average security service company acquisition.
Among individual buyer companies, double or triple dipping into the market was not an uncommon sight. Just 13 companies bought 30 different cybersecurity companies over the past year, with VMWare, Palo Alto Networks, Atos and Cerberus Sentinel leading the field with three cybersecurity acquisitions each.
As for what will come of all this activity and consolidation, whether it will lead to better security and integration with existing technologies, remains to be seen. Forrester notes that companies who took an aggressive acquisition strategy during the Great Recession wound up outperforming their peers who didn't after the economic crisis subsided. However, this is not the first time the business world has felt gold rush fever towards the cybersecurity market; multiple times during the last decade promising startups were snatched up by executives or companies less familiar with market nuances. That in turn can squash innovative spirit as those businesses get absorbed into larger corporate structures.
Past runs in the cybersecurity market have seen “a plethora of cyber companies bought up by consulting firms or bigger tech companies, often for absurd valuations, only to be rolled into larger divisions,” noted SC Media Editor-in-Chief Jill Aitoro in a May editorial on the perils of too much cybersecurity investment.
“Founding teams of the startups would move on, and technology that showed so much promise withered within a corporate giant,” Aitoro wrote. “Not always, mind you; but often enough.”