Acquisitions are changing the shape of the cyber-security market

Evolving security threats are affecting businesses and governments worldwide, in large part due to the rapid development of digital technology. Globalization, the increasing adoption of connected devices and the fragmentation of workplaces have broadened the threat landscape. Large attacks have multiplied, and big breaches, such as those at TalkTalk and Equifax, continue to make headlines. Security vendors have struggled to keep up with the threats, as shown by the growing number of companies offering cyber-security technology. This has created opportunities for larger players to make acquisitions, adding skills, technologies and revenue that can help them better manage the increase in threat vectors.

Acquisition tactics are important for security vendors

Mergers and acquisitions are important for security vendors as they tackle a rapidly changing threat landscape. It is quicker to buy specialized technology than to develop it and risk the R&D investment. By bringing these technologies in-house, security vendors broaden their portfolios as they try to address the gaps in their customers’ security environments. As the nature of security attacks and the technology used change, new security vendors are constantly emerging to fill the voids left by larger companies and compete with them on multiple fronts. The best-of-breed mentality has also helped shape this fragmented landscape.

Since the start of 2016, the top 10 security vendors have made a combined 18 different acquisitions. The largest spender during this period has been Symantec, with its acquisitions of Blue Coat Systems for US$4.7 billion and LifeLock for US$2.3 billion. They were followed this year by the additions of Skycure and Fireglass. The Blue Coat acquisition allowed Symantec to add recognized capabilities in network and cloud security as it sought to refocus its strategy on security, having divested its Veritas storage business. LifeLock, which specialized in identity theft protection software and services, deepened Symantec’s reach into the American financial services market. Skycure’s mobile threat defense (MTD) technology focuses on improving network security by securing iOS, Android and Windows smartphones. With smartphones enabling mobile workforces to download and upload files to a network, the risks to businesses are growing. This acquisition is particularly important for Symantec’s OEM partnerships with smartphone providers in the commercial space and strengthens its offering for channel partners reselling mobility solutions to enterprise customers. Skycure’s own OEM relationship with mobility device management vendors, such as MobileIron and AirWatch, will help to reinforce Symantec’s message of helping businesses manage the widening threat landscape. Fireglass is an Israel-based start-up with a threat isolation platform that contrasts with Symantec’s traditional web gateways. Fireglass should complement Blue Coat’s network security portfolio and is intended to strengthen Symantec’s Integrated Cyber Defense Platform. These acquisitions have cemented Symantec’s position as the leading provider of security technology.

Cisco has focused its efforts on cloud and applications as it seeks to become a software company. Earlier in the year, it added to its growing security division with the acquisition of AppDynamics for US$3.7 billion. While not a security technology itself, AppDynamics specializes in application performance and end-user monitoring. As Cisco looks to add greater visibility to its networking and security technology for the current generation, AppDynamics brings new application-level intellectual property (IP) in addition to an established customer base and revenue stream. Cisco also recently acquired security start-ups Observable Networks and Perspica. Observable Networks creates behavioral monitoring models for both private and public cloud network users and is integrated with AWS and Microsoft Azure. It is operating as part of Cisco’s Stealthwatch security portfolio. Perspica offers machine learning capabilities for real-time data analysis and fits in with Cisco’s current Stealthwatch technology. These deals were in addition to the previous security acquisitions of CloudLock in 2016, Portcullis and Lancope in 2015, and Neohapsis at the end of 2014.

Most of the other security vendors that made acquisitions targeted small start-ups with expertise in specific areas. This strategy sought to add innovative technologies to their portfolios. Fortinet’s acquisition of AccelOps for US$28 million in 2016 came after two years of collaboration as part of Fortinet’s Security Incident and Event Manager (SIEM) ecosystem, alongside IBM and LogRhythm. AccelOps is now part of Fortinet’s Security Fabric known as FortiSIEM, addressing big data security challenges and integrating with the security and monitoring solutions of its Fabric-Ready technology alliance partners. IBM, with its focus on cloud and cognitive IT solutions, acquired Agile 3 Solutions in early 2017. Agile 3’s evaluation software assesses an organization’s data-related risks and will represent a natural cross-sell opportunity with IBM’s Guardium data protection software. This also creates advantages for partners looking to boost General Data Protection Regulation-related sales and services as business leaders prepare for the May 2018 deadline. Trend Micro acquired TippingPoint from HP for US$300 million to boost its network security market position (see Canalys report, “HP sells TippingPoint to Trend Micro”). Other notable cyber-security acquisitions in 2017 include Sophos’ acquisition of deep learning neural network algorithm provider Invincea. Even smaller firms are looking to acquisitions to add IP and market presence, such as Malwarebytes buying Italian vendor Saferbytes, which has given it a cloud anti-virus technology and a footprint in Southern Europe.

Notably, the two vendors that have not made any acquisitions since the start of 2016 are Check Point and McAfee. McAfee has had to establish itself as a separate operation following its move away from Intel, and the restructuring has resulted in an undisclosed number of layoffs. But its renewed autonomy will give it the flexibility to focus on its own initiatives. For example, it recently announced a new partnership with Cisco. The agreement is to share threat intelligence, integrating McAfee’s Data Exchange Layer (DXL) with Cisco’s Platform Exchange Grid (pxGrid), to allow communication between endpoints and across the product lines of a combined total of over 100 integrated partners. McAfee is expected to pursue acquisitions more easily as a standalone company, though it will have less cash for this purpose. Check Point Software Technologies identified the need to add mobile security in 2015 and achieved this with the acquisition of fellow Israeli vendor Lacoon Mobile. Lacoon added advanced mobile threat prevention capabilities to Check Point’s portfolio, but this was the company’s last acquisition. Both vendors should pursue acquisitions to obtain new IP in a fast-changing market.

Cloud, analytics and data regulations will drive future security M&A activity

The cyber-security market is growing strongly and there is an ongoing need for integrated products and holistic offerings. Looking at the top 10 security vendors in the market, approximately 50% of major acquisitions were in network security, followed by 33% in content security and 17% in security management. Low interest rates have helped to fuel M&A activity, though recent rises may cool interest in large deals. Advances in technologies, such as cloud and mobility, have made it necessary for these vendors to add to their portfolios, and specialists have been obvious targets. Analytics and monitoring software has also seen growth in demand as automation will be an important part of the development of security. Cyber-security regulations around the world, such as the General Data Protection Regulation (GDPR) in Europe and the China Cybersecurity Law, will fuel further M&A activity as vendors seek to add expertise from local vendors that are tackling these issues.

Unlike in other sectors, where M&A activity is derived from consolidation, in security the need to add new innovative technologies remains paramount. Few start-ups will grow to be large enough to develop their own route-to-market ecosystems and be able to provide the support services required by customers. Their ability to innovate adds value to the industry, but M&As will be required to get these technologies into customer environments.