Thycotic-Centrify Merger Poses Potential Threat to PAM Leader CyberArk

A Thycotic–Centrify merger could shake up the privileged access management (PAM) market, posing a potential challenge to “800-pound gorilla” CyberArk.

That’s according to Rik Turner, Omdia’s principal analyst of cybersecurity. He said despite challenges from identity and access management (IAM) vendors, CyberArk held the top spot against all the other dedicated PAM vendors. That includes Centrify and Thycotic.

TPG Capital‘s acquisition of Centrify has closed. TPG also has acquired Thycotic from Insight Partners for $1.4 billion. It now plans to combine the two.

Omdia’s Rik Turner

“This acquisition looks to me to be a move by TPG to create a more serious challenger to CyberArk,” Turner said. “Centrify has certainly been an innovator with its more cloud-first approach rather than starting life on customers’ premises. Thycotic’s approach might be summed up as … a kind of ‘good enough’ PAM product that is designed to meet the needs of a significant part of the market.”

As part of the transaction, Art Gilliland, Centrify‘s CEO, will serve as the CEO of the newly expanded business. James Legg, Thycotic’s CEO, will be named president.

Thoma Bravo and Public Sector Pension Investment Board (PSP Investments) will support the combination with minority investments in the business. The merger is subject to customary closing conditions, including regulatory reviews.

Identity Security Adoption Soaring

Centrify’s Art Gilliland

“The increasing cost and impact of cyber breaches, coupled with the explosive growth of cloud services and the interconnection of networks has driven rapid adoption of identity security software,” Gilliland said. “Now more than ever, organizations are looking to strengthen their capabilities to ensure improved protection from the ever-increasing risk of cyber-intrusions. The combined company will deliver one of the most comprehensive product offerings in the business with the ability to adapt and scale to meet the evolving needs of customers.”

Thycotic provides PAM to more than 12,500 organizations globally. Centrify’s customers include the world’s largest financial institutions, intelligence agencies and critical infrastructure companies.

Thycotic’s James Legg

“Combining these two synergistic platforms allows us to offer customers an expanded range of products to address their increasingly complex security requirements,” Legg said. “Every company is currently facing sophisticated adversaries who take advantage of the complexity of operating in the cloud and work from home. Thycotic and Centrify together will help companies navigate this new environment with an innovative and intuitive product suite, backed by some of the most experienced operators in the identity security sector.”

Musical Chairs

Turner said there’s “a certain feeling of musical chairs going on here.”

“Centrify splits out it [its] vanilla IDaaS product into the Idaptive business a couple of years back to focus on PAM,” he said. “Then last, year CyberArk buys Idaptive to expand beyond PAM in IDaaS. Add into the mix the fact that Bomgar spent a couple of years hoovering up PAM businesses like Lieberman and BeyondTrust to become the new enlarged BeyondTrust. And you see that M&A has been underway for a while in this space.”

PAM technology is more relevant than ever now that much of the privileged access taking place is happening remotely, Turner said.

“The pandemic has accelerated cloud migration, which means even more non-human privileged access (M2M),” he said. “And with increasing agile/DevOps adoption, developers’ permissions must be monitored and, where possible, curtailed once they have completed their tasks.”

“The combination of Thycotic and Centrify creates a leader in one of the most important and strategic subsectors of security software,” said Tim Millikin, Partner at TPG Capital. “Identity security is mission-critical to any organization’s cybersecurity infrastructure and is becoming even more essential in a deeply interconnected world constantly under threat of cyberattacks.”