France-headquartered service provider Orange has announced an agreement to acquire managed security services provider (MSSP) SecureLink for €515 million (US$580 million). SecureLink, headquartered in the Netherlands, had revenue of €248 million (US$280 million) in 2018 following a wave of acquisitions (including Coresec in the Nordics and Nebulas in the UK) since it was bought by private equity firm Investcorp in 2015. The company replaced founder and former CEO Marco Barkmeijer in mid-2018, bringing in former Getronics COO Thomas Fetten.

SecureLink will be integrated into Orange’s security division, Orange Cyberdefense, which also acquired UK security specialist SecureData earlier in 2019. As a result, the division’s pro forma security revenue is now estimated to be €600 million (US$675 million), with an estimated 25% to 30% coming from managed security services. As managed security skills are increasingly being demanded by customers and targeted by vendors, the channel landscape is undergoing a tectonic shift. Large partners with the size and capabilities to deliver next-generation solutions and services are rare, and consolidation is both inevitable and expected at that end of the market. A recent Canalys survey of channel partners showed 53% of respondents in EMEA are generating just 1% to 10% of their revenue from managed security services. The larger partners have often achieved their size through acquisitions of local specialists. NTT Security, for example, is a key competitor in the region and it too has acquired to add skills and market presence. As two of the region’s biggest partners come together, what will it mean for its vendor partners and how will Orange use SecureLink’s capabilities?

Orange Cyberdefense strategy enters a new phase, but the risks are high

Orange Cyberdefense, led by CEO Michel Van Den Berghe, is a wholly owned but autonomous division of the wider Orange service provider company. It works closely with Orange Business Services, the telco’s systems integration and consulting business. It holds partnerships with networking security vendors, including Arbor Networks (owned by Netscout), Check Point, Fortinet and Palo Alto Networks, and is Splunk’s largest partner in France.

With over 50 vendors in its portfolio, SecureLink’s network is extensive and brings a number of complementary and additional solutions capabilities to Orange. Its strongest vendor relationships are with Check Point, F5, Juniper, Palo Alto Networks and Symantec. One important aspect of this deal will be the relationships SecureLink has with vendors in the broader network access management and monitoring space. This sector is made up of many smaller vendors with specialized capabilities and technologies. This is where the SecureLink galaxy of acquired partners, each with skills in these specific areas, becomes attractive to both Orange’s Cyberdefense and Business Services divisions. For example, the recently launched SecureDetect solution, built on Vectra’s Cognito platform, is an important addition to SecureLink’s existing managed detection and response (MDR) capabilities. These are the kinds of investments, built on specialized vendor relationships, which Orange knows will be a boon to its business customers.

After Orange bought SecureData, a UK-based managed security services partner, with €44 million (US$50 million) in revenue in 2018, a move to buy an even larger part of the MSSP market seems logical. Consolidation at this end of the market is not uncommon, but the difficulties it will face in integrating this fragmented group of acquisitions should not be underestimated.

SecureLink’s acquisitions have been made in a manner typical of private equity backing, quickly buying smaller partners with marketable capabilities across Europe and increasing the price of the overall investment. This can often cause problems when trying to tie the skills, cultures and accounting platforms of these companies together into one cohesive whole. SecureLink appears to have bypassed some of these issues with a strong management team and a clear focus on technological integrations and advancements in the company’s portfolio of solutions. How Orange manages this, particularly the relationships with some of the smaller specialist vendors, will be important for maintaining the company’s value proposition. It is worth noting a €150 million (US$170 million) convertible bond was issued by SecureLink earlier in 2019 to attract further investment, the obligations of which are likely to have contributed to the final valuation of €515 million (US$580 million). That figure seems high when one considers SecureLink ended 2018 with a €10 million (US$11 million) operating loss, though this was due to integration and re-financing costs. The underlying value of SecureLink’s business is not in question, but Orange will be under pressure to make sure this acquisition is profitable as quickly as possible.

SecureLink will also help Orange to expand its geographical coverage into highly desirable markets that are advanced in managed security services, such as the Nordics, while growing its market share in the Netherlands, Germany and the UK. SecureLink also announced the opening of a Cyber Defence Centre in Shanghai, China at the end of 2017. This was not mentioned by Orange in the press release reporting the acquisition. This suggests it is either not part of the deal or perhaps Orange must seek approval from the Chinese authorities following the change of ownership.

The managed security services landscape is shifting

Orange’s motivations for the acquisitions are clear. Channel partners selling cybersecurity are facing increasing pressure from both vendors and customers to add services and improve their skills. Customers are experiencing increasing threats, and vendors want partners to invest in their relationships. Partners themselves are looking for ways to differentiate and managed security is seen as an obvious way to achieve this. The perennial security skills shortfall means acquisitions are common, but there are specific threats to Orange’s business on the horizon. NTT Security, the security division of Japanese-headquartered service provider NTT (and fellow subsidiary of Dimension Data) has been steadily positioning itself to grow its business in Europe. NTT Security grew out of the acquisition of Integralis in 2008 and has been building its relationships with key vendor partners in recent years.

In the broader partner community, systems integrators, resellers and even second-tier cloud service providers (below the likes of AWS, Azure and Google) are all developing their security services portfolios. Leading this drive are companies as diverse as Atos, BT, Computacenter, DXC, SecureWorks, T-Systems and WWT. Telco service providers such as Orange have long sought to improve their business IT services capabilities, with mixed success, in the hope of using their networking assets as though these gave them a tangible differentiator from other channel partners. Orange has smartly decided to abandon this pretense and siloed its Business Services and Cyberdefense divisions, showing it understands customers are looking for expertise. It must now keep the strong brand image SecureLink has successfully built up among vendors and customers and maintain investment in its own services offerings.

Receiving updates

Receive our latest PRs on emerging, enterprise and mobile tech delivered straight to your inbox.