The S&P Global 451 Research Tech M&A Outlook Survey found that the value of technology deals announced in 2021 exceeded $1 trillion for the first time in history – and 69% of respondents predicted that the pace would continue or increase in 2022.
As a subset of that, cybersecurity M&A activity hit an all-time high with total deal value reaching $74.1 billion, more than the total of the previous four years combined. This massive growth in M&A activity should make organizations take a step back, press pause, and truly examine how they are spending their hard-earned capital, especially as financial storm clouds gather on the horizon. Financial markets have already changed significantly since the S&P Global report was published in January 2022.
It’s not my area of expertise to speculate on the impact to M&A activity in the rest of 2022, but I am interested in how the M&A activity that has already occurred impacts buyers of cybersecurity technology. It takes a lot of time for these acquisitions to sort themselves out so that companies can offer a truly integrated offering.
When we look at an emerging category like extended detection and response (XDR) that’s still relatively early in its maturity, it’s too early to tell if an integrated XDR offering is viable, or even desirable, from the perspective of a buyer. Still, there’s a lot of interest in XDR and many security leaders I speak with wonder how to determine if a new offering will live up to what’s written on the label and make it worth putting all their eggs in one basket.
There are many angles to consider and sources of information to gather to make the best decision possible for an organization. Based on my experience of more than 20 years in the cybersecurity industry, including developing and integrating many of the core technologies and tools that are foundational to XDR, here are five recommendations to consider before acquiring any cybersecurity company or technology:
- Consider the company’s roots. If the acquiring company plans to get more than one product from a company, look at how the company started and what its initial area of domain expertise and set of solutions were. Examine the track record for these offerings using product reviews, analyst reports, customer satisfaction surveys, and customer and analyst references. Ask about their vision and roadmap as they expand their offering and how their domain expertise will let them successfully deliver against that plan. It's important to understand how their expertise with relevant security tools will set them up for success as they expand into the response side.
- Research where additional capabilities came from. Are the new capabilities the company touts acquired from a separate deal, or internally developed? If acquired, then ask the company about their best practices and track record for integrations with the rest of their ecosystem, as well as with other third-party products the business may already have deployed. Quite often, acquiring companies find that they don’t necessarily work well together. Also dig into who from the acquired company still works in product development and what the company does to retain that expertise. We all know that people are the greatest asset in an acquisition and will ensure the ongoing innovation and value of that investment. If internally developed, ask about the team and the expertise they leveraged to develop, integrate and test the new capability.
- Take advantage of the return of face-to-face conferences to network. Conferences are back, which means it’s now possible to start networking with people more easily and talk to them directly. Ask them what they are using, how they like it and what the drawbacks are. Include questions about the user experience since that’s critical for rapid adoption and time-to-value, as well as support and pricing models to get a more complete picture of costs.
- Trial products whenever possible. It isn’t enough to look at checklists to compare how the product stacks up competitively or to talk to references and read third-party reviews. If there’s time, take a few weeks so the team can gain hands-on experience to assess if the capabilities and usability align with the organization’s needs and resources. It’s the best way to measure if the solution will live up to what’s written on the label and work well within the company’s existing environment.
- Ask the vendor what technology they use. I have spent a good part of my career managing security for security vendors themselves, and I can say what they use to protect themselves indicates their level of confidence in any given technology. Many organizations don’t think to go down this line of questioning, but it’s worthwhile and acquiring companies may find that many don’t use their own solutions.
Regardless of what happens with ongoing M&A activity, S&P Global Research has already recorded 28 deals in the “XDR offerings” category. That’s a lot to absorb and turn into solid offerings so that security leaders get the value they need and expect. Hopefully these recommendations will help potential buyers look at all the angles when they evaluate potential solutions and figure out what makes sense for their organizations.
Nigel Houghton, director of marketplace and ecosystem development, ThreatQuotient