A tale of two acquisition strategies
Thursday, September 17 2020
Since the start of 2018 Cisco and Palo Alto Networks have each, coincidentally, spent approximately US$2.4 billion acquiring cybersecurity companies. Yet the two vendors had very different acquisition strategies: Cisco bought two cybersecurity companies while Palo Alto Networks acquired ten. Acquisitions are critical to the product portfolios of cybersecurity vendors, accelerating features and capabilities beyond what the internal R&D efforts are able to deliver. The cybersecurity vendor ecosystem is vast, with over 2,500 active worldwide according to Canalys estimates, and contribute significantly to innovation in the industry. The majority of these are small and privately owned. Unlike other sectors of the IT industry, not one vendor commands more than 10% of the total cybersecurity market. This means no vendor can realistically meet all customers' needs.
Both Cisco (Security) and Palo Alto Networks are, at their cores, network security companies. Network security remains the single largest category in cybersecurity spending, and Cisco led this market for over a decade until Palo Alto Networks surpassed it in Q1 2020. Cisco remains the largest cybersecurity vendor overall, but faces two, somewhat related challenges. Firstly, the world of cybersecurity is changing rapidly, and the traditional perimeter-based defenses are only a part of an organizations’ overall strategy. Secondly, Palo Alto Networks continues to expand its capabilities beyond network security, and is on pace to become the number one cybersecurity vendor.
Two different acquisition approaches
Acquisitions have played a big role in both vendors’ cybersecurity strategies since 2018, but materialized in very different ways. Almost the entirety of Cisco’s US$2.4 billion spend came in 2018 when it bought Duo Security. The acquisition gave Cisco a big footprint in the important and growing area of cloud-based authentication. It gave Cisco a foundation in zero-trust security, and from a corporate priorities standpoint, extended its portfolio of SaaS-based solutions. It was a critical acquisition for Cisco’s security business, but since then it has been in a drought. Since Duo Security, Cisco has only acquired one other security company, Sentryo, a small France-based startup focused on the niche area of security in industrial systems. Cisco, though, has many other areas of its business to consider and has not been inactive in acquisitions overall. It has acquired 16 companies since the start of 2018, shifting between its different segments as it added capabilities around video conferencing, application visibility, service provider infrastructure and semiconductor technologies. Some of the acquired companies, such as Singularity Networks, bring some security capabilities and IP to the Cisco portfolio, but outside of Duo Security there has been a lack of attention by Cisco to this segment in the last two years.
Palo Alto Networks, by contrast, was busy adding to its portfolio, although, like SD-WAN, Cisco already had some of the assets it acquired. On average, it has purchased a new security company every quarter since the start of 2018. Unlike Cisco, which must balance its M&A strategy across different business units, Palo Alto Networks was hyper-focused on enhancing its security portfolio. Its strategy has been one of diversification, where it has targeted smaller companies across a wide range of cybersecurity niches, rather than make a significant financial outlay on any one company. Its largest deal size during this spree was US$560 million for Demisto, and the average transaction size was around US$240 million (about 1% of its market capitalization).
The variety of technologies it acquired highlights the degree to which Palo Alto Networks aspires to be a truly end-to-end cybersecurity solution provider. Many acquisitions are more about advancing beyond its network security heritage into new technology areas than simply driving market share in core segments, although some are niche and nascent opportunities. There are some common themes from the acquisitions. Cloud security is a focal point, as highlighted by acquisition of Evident.io and RedLock. It is also looking to secure modern infrastructure with Twistlock and PureSec, which tackle container and serverless security respectively. It expanded security management capabilities, with Demisto, Aporeto and Crypsis Group. And is tackling the SD-WAN opportunity (another one of Cisco’s growth priorities) with its acquisition of CloudGenix. It even made a small acquisition in the IoT space with its US$75 million purchase of Zingbox.
Cisco continues to highlight security as an important growth area, but the reality is there are bigger concerns and pressures to drive top-line revenue growth; security, while important, is a difficult business to scale quickly. Cisco will undoubtedly continue to acquire further assets, though it will almost certainly not be able to achieve one acquisition a quarter. Palo Alto Networks, meanwhile, looks poised to continue to add to its portfolio and, with its current trajectory, is on pace to overtake Cisco as the leading cybersecurity vendor.
For more information or to receive a copy: