Symantec, Sophos, NTT Lead Massive Cybersecurity M&A Surge
Consolidation across IT and the channel is significant, but security providers are gobbling each other up like crazy.
![Mergers and acquisitions](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltb8835558323e5083/6524346aecb8d71d4bc4088b/M-and-A-2018_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
“Doing your pre-merger due diligence is essential, but we have learned, at times the hard way, that this due diligence shouldn’t just be from a financial standpoint. Getting a full understanding of the way the incoming organization functions from a process, policies and a personal, human component (or ‘HR factor,’ as we’ve come to call it), is key. As the company doing the acquisition, you want to take your time in getting to know the organization you’ve acquired and fully understand the way that they were doing things, presumably successfully, before you came into the picture. Remember that if they were profitable before you merge, they should remain profitable afterward, so you do have some time on your side to cement the courtship before bringing things under one roof. You need to take your time with that HR factor in an acquisition, but not from a branding perspective. We once learned in an early acquisition, and learned the hard way, that corporate communication, both internal and external, needs to have a set ‘go-live’ date and plan in place well before the transaction. On that date, you need to have all your ducks in a row so that your two teams coming together as one know exactly what they need to about the company as a whole, its vision, and how the brand is going to go to market in the future. If you let both brands co-exist separately, it will only make ripping the Band-Aid off later more difficult, more time-consuming and more costly as the departing brand becomes more and more embedded.” —Aaron Bradley, VP of marketing, CareWorx
In February, Symantec acquired Israel’s Luminate Security, a private company focused on software defined perimeter (SDP) technology. The cybersecurity giant said the acquisition strengthens its leadership in cloud security, delivering private, secure application access to all users, and securing access to workloads and applications regardless of where those workloads are deployed or through which infrastructure they are accessed.
“The Symantec-Luminate deal was interesting, as I am seeing a reasonable amount of activity in software-defined perimeter. You could almost think of Proofpoint’s acquisition of Meta Networks as part of the same trend, and of course CryptZone had already disappeared into the belly of Cyxtera,” Ovum’s Rik Turner said.
Last month, Palo Alto Networks unveiled plans to buy Twistlock, a provider of container security, and PureSec, a serverless architectures security provider, to extend its Prisma cloud security strategy. Palo Alto will pay about $410 million in cash to acquire Twistlock, which combines vulnerability management, compliance and runtime defense for cloud-native applications and workloads.
The terms of the PureSec purchase weren’t disclosed. The company provides end-to-end security for serverless functions that cover vulnerability management, access permissions and runtime threats.
“Palo Alto has been highly acquisitive of late, particularly in IaaS and PaaS security, buying RedLock, TwistLock and PureSec, which sets it up to be a cloud security provider all the way into the serverless world,” Turner said.
Last month, FireEye announced it had acquired Verodin, whose security instrumentation platform (SIP) gauges the effectiveness of customers’ cybersecurity controls, for about $250 million in cash and stock. Verodin’s platform adds new capabilities to FireEye’s portfolio by identifying gaps in security effectiveness due to equipment misconfiguration, changes in the IT environment, evolving attacker tactics and more.
Anurag Agrawal, CEO and analyst at Techaisle, said security is the “most amorphous” of IT market categories.
“Virtually all other technologies occupy a defined position within the solution stack,” he said. “Security, though, needs to permeate all layers of the solution: It is used to protect the devices and their connection to the central application, to identify compromise (or malfeasance) of system users, and to safeguard the application itself; to protect the data both as it is in motion and when it is at rest; to build a shield around the data center and the connections between applications; to provide assurance that backups and business continuity/disaster recovery systems don’t become points of exposure for sensitive information. IT security isn’t a discrete category — it is a ubiquitous factor in all aspects of IT/business infrastructure.”
This month, Sophos announced the acquisition of Rook Security, combining that company’s threat detection, investigation and response capabilities with its recently acquired DarkBytes technology platform. The acquisition expands Sophos’ portfolio, providing partners with new revenue opportunities without extensive investment in their own tools or expertise, the company said.
Original investors are among the winners in M&A, Frost & Sullivan’s Mike Suby said. Part of their strategy was building and nurturing newer companies, and they can be handsomely rewarded in a sale, he added.
In March, NTT Security, an NTT Group company, signed an agreement to acquire WhiteHat. Post-acquisition, WhiteHat will operate as an independent, wholly owned subsidiary of NTT Security.
WhiteHat wants to accelerate its expansion outside of North America once the acquisition is complete, said Matt Handler, WhiteHat’s chief revenue officer.
Customers also can be among the winners in M&A because they get access to a better value proposition and newer technology, but that depends on “how well the vendor executes, how they absorb the company just acquired, and absorb the technology and offer better value to their customers,” Suby said.
Last month, Proofpoint said it is acquiring Meta Networks, an Israel-based startup that develops cloud-native security tools for enterprise wide area networks (WAN).
Proofpoint said the acquisition will strengthen its cloud-based architecture and people-centric security platform, allowing customers to better protect their people, and the applications and data they access beyond the traditional perimeter.
Part of the benefit of being acquired by a larger organization is these are multibillion-dollar companies that are going to be around for many years to come and they “have a track record of supporting their customers,” Suby said.
“There’s a higher level of assurance that this innovative technology that they’re acquiring for use in their environment is going to be from a company with a track record, that has resources … and customer service,” he said.
In February, Carbonite, the cloud-based data protection provider, said it plans to acquire cybersecurity provider Webroot for nearly $619 million. Carbonite said the two companies would combine Carbonite’s backup and disaster recovery (BDR) solutions with Webroot’s machine-learning capabilities to address endpoint vulnerability.
No single security vendor has all the capabilities, Agrawal said. It is therefore inevitable for security suppliers to either merge or actively form an alliance, he said.
“There are two categories of M&As: acquiring security firms to build a more complete security stack [and] single product firms acquiring security firms for adjacency (e.g. Carbonite – a backup/disaster recovery firm buying a security firm),” he said.
Last month, KnowBe4 announced it had acquired CLTRe, a Norwegian company focused on helping organizations assess, build, maintain and measure a strong security posture. CLTRe will continue to operate as an independent subsidiary of KnowBe4, and service customers globally. CLTRe’s Toolkit and Security Culture Framework will be available to all KnowBe4 customers later this year.
It’s worth recognizing there’s always a certain amount of risk involved in any acquisition, Suby said.
“Just because you did an acquisition doesn’t mean it’s going to be as successful,” he said. “It’s not only how well you execute. The vendor community continues to evolve, so even if it’s well executed, it may not be the highest level of success. There [are] numerous factors.”
In January, Check Point Software Technologies acquired Israel-based ForceNock Security to strengthen its architecture with advanced machine-learning protection capabilities.
Founded in 2017, ForceNock developed a web application and API protection (WAAP) technology that uses machine learning, behavioral and reputation-based security engines.
Email security provider Zix began 2019 by acquiring AppRiver, the cloud-based cybersecurity and productivity company, for $275 million in cash. The combined companies create a cloud-based email security provider to SMBs with more than $180 million in annual recurring revenue.
The pairing will significantly expand Zix’s footprint through AppRiver’s numerous and longstanding partnerships, including growing its channel partners from about 400 to more than 4,000, and its customer base from about 20,000 to 80,000.
This week, Virginia-based MSSP DXC Technology got regulatory approval for its $2 billion acquisition of Luxoft, a global technology services and consulting partner that provides specialty technology solutions to customers in 22 countries across five continents.
DXC said the acquisition will expand its digital-services portfolio, broaden its presence in high-growth verticals, enhance access to engineering talent globally and strengthen its digital value proposition overall.
In January, Radware announced an agreement to buy ShieldSquare to boost its cloud-security capabilities. ShieldSquare’s particular specialty is bot-management tools that help businesses distinguish between human and bot traffic on their web and mobile apps.
It’s been a big year for consolidation in cybersecurity, with hundreds of millions, and in some cases billions, of dollars being shelled out in headline-grabbing acquisitions.
The list of deals includes cybersecurity powerhouses like Symantec and Sophos, as well as lesser-known competitors like Zix and Radware. Analysts have long said the industry is overcrowded.
Rik Turner, principal analyst at Ovum, said the acquisitions are beneficial in that customers want to buy technology from a smaller number of vendors, and therefore manage fewer relationships.
“I also fully expect this trend to continue for the foreseeable future, and possibly even accelerate if the stock market weakens and IPOs become a more difficult alternative,” he said. “The cyber industry has long been one in which a few behemoths at the high end of the market sit and watch the startups emerge in new market segments, then eventually acquire when they deem the time is right — a sort of a cyber version of Mao Zedong’s ‘let a thousand flowers bloom.’”
Mike Suby, Stratecast vice president of research at Frost & Sullivan, said there’s growing recognition that there’s “no silver bullet” in cybersecurity, and that it takes an assortment of technologies, depending on the risk, that need to be managed. Therefore, it’s more advantageous for businesses to get more technologies that work well together from fewer vendors, he said.
Cybersecurity M&A will continue through 2019 and into 2020, but there are “too many variables” to forecast whether the frenzied pace will continue, he said.
Scroll through our slideshow above for a look at the deals that have taken place so far this year.