The Gately Report: Cybersecurity M&A, Investment Likely to Cool Somewhat in 2023
Meantime, the FBI prevented more than $130 million in ransom payments to the Hive ransomware group.
Cybersecurity M&A should continue this year, but not at the same valuations as 2021, said Progress Partners’ Parag Sheth.
“For cybersecurity, 2021 was a big year in terms of multiples for M&A,” he said. “And anybody who transacted will tell you that a number of deals … happened at the highest valuation. However, I think in 2022, especially toward the end of 2022, we went down from a 15x multiple to a 7.5x multiple. If you take the five-year average before COVID-19 of what multiples ran at, which was 8.4x, give or take, we are trending back to normal in my world. And I think this year it’s going to get even more normal.”
When capital costs more and there’s no clear IPO market, there’s still going to be a lot of private cybersecurity M&A this year, but it will likely be more tempered, said Cyber Advisory Partners’ Eric Bell.
The M&A environment continues to be driven by both private equity firms and strategic firms, Sheth said.
“In Q4 of 2022, you had Vista Equity Partners on the one hand, who did a fairly significant transaction when they bought KnowBe4,” he said. “On the other hand, you have Palo Alto Networks which did a pretty significant acquisition [Cider Security]. I think the opportunity for strategic vendors to acquire other companies will continue to remain strong. But the private equity folks do have the capital. So we can expect both private equity firms to be active, as well as the strategics to be active in the M&A environment in 2023. And it will be active, I believe.”
There’s likely going to be more M&A in the lower middle market rather than giant deals this year, Bell said. The capital markets, interest rates and the cost of capital generally are going to limit the ability of some of the larger strategic buyers to make a play.
That doesn’t include Amazon, Google, Microsoft and IBM. “Groups like that have plenty of cash available,” he said.
“Honestly, a $1 billion acquisition [barely] hits their cash balance,” Bell said. “So they are making huge plays. I’d say Google and Microsoft more than any other in the space. And I don’t expect anything to change there. This is a time when groups like that have a huge competitive advantage because they didn’t want to pay or overpay for companies in prior years, and in some cases they did. But they now are in a situation where a lot of private equity firms are going to be looking to kind of exit from some of the investments they made over the last three to five years, and put more capital to work in new projects and new companies.”
Investment in cybersecurity brings expectations of performance, Sheth said.
“Whether it’s a venture capital fund or a growth equity fund, or a private equity fund that is investing in the companies, they are looking for returns,” he said. “And those are going to be driven by performance of these companies, whether that performance comes in the form of new features, new applications or new revenue, whatever that looks like. But there is definitely expectations and rightfully so on that investment.”
It’s a similar scenario on the M&A front, Sheth said.
“When those acquisitions occur, there is a point of view that says we can scale this business from where it is today to some multiple thereof because there is private equity capital behind it,” he said. “Either they can grow that business faster than what it used to grow, or they can penetrate new sectors faster. Perhaps because there’s capital available, they can potentially acquire new companies because of the capital and grow the business. So there are a lot of different scenarios where I think there’ll be firms who are acquiring the companies or even the strategics that are acquiring the companies. They have a point of view as to how they’re going to grow the business. It comes down to growth for these opportunities.”
From Thoma Bravo acquiring ForgeRock and Ping Identity, to Vista Equity Partners acquiring KnowBe4, there have been numerous deals in which public companies are going private. There could be more take-private deals in cybersecurity in the months ahead, Bell said.
“There are only going to be so many left,” he said. “I think there are probably 25 companies that are public. It’s if you have the capital and you can do it, it’s not always the worst play. There’s a lot that’s spent on complying with U.S. Securities and Exchange Commission (SEC) annual reports. Being public just makes companies think and act differently than they would if they were private. And if there are companies that have taken big hits in valuations, which most all of them have with the exception of a few, it’s a buying opportunity. I think investors, whether investing in public markets or private investors buying these public companies, it’s a chance to take the pressure off of management from kind of the public disclosure and your reporting perspective, kind of get their ship in order and then potentially go public again when markets are more favorable. But right now, it’s not a bull market.”
Cybersecurity providers have to continue evolving to survive, Sheth said.
“If you don’t evolve your solutions, then sooner or later that solution is no longer valid because if the hackers can get through, then really the solution didn’t meet anyone’s needs,” he said. “So I think this is why we have to constantly be three steps ahead. We have to anticipate what’s happening. We have to come up with the solutions that we believe will avoid these attacks because these attacks are expensive. They cost a lot of money. There are a lot of compliance-related issues that they create. There is a lot of data fragility where the data gets stolen. So certainly on a daily basis, more and more attacks are happening in different ways. So you as a business, you have to evolve your solutions. You have to sort of say, ‘Where else should I go before the bad guys get there?’ And there’s a lot of room for improvement, I would say.”
Cybersecurity M&A is always going to be somewhat of a challenge for the channel, Bell said.
“Companies are coming and going, and what does that mean?” he said. “[Partners] need to look at the agreements that they have and make sure that they have change-in-control provisions set in the contracts. One way to mitigate that is if you are acquired, we still are your partner and we’re working with you. You can’t just be canceled in that transaction as a provider or a channel partner, and you’ve got to negotiate strong contracts.”
In terms of investment, it’s a good thing for the channel if companies are getting funding, Bell said.
“A side of the due diligence when you’re working with cyber providers is, do they have adequate funding to last because somebody can come and sell you a great product? If they don’t have the financing that they need or they don’t have access to capital, you’re taking a huge risk as a channel partner,” he said. “Oftentimes investing, whether it’s in the sales and marketing of it, or even just implementing platforms, you want to make sure you’re not putting something in and it’s going to get pulled out tomorrow.
“And I think that also goes to some of the reasons some of the providers, the larger players in the space, are trying to tuck in these capabilities. They’ve seen enough companies come and go over time to know that they can take advantage when somebody has something very unique that fits well within their platform.”
Sheth said although the cybersecurity industry continues to consolidate, there’s still room for newcomers in the space.
“New companies are coming out,” he said. “They are getting funded and they’re getting funded in a very healthy fashion. I think it’s going to continue to happen as long as there are cyberattacks that are going to happen. There are AI-based attacks. There are cloud-based attacks. So somebody has got to address all these new threats that are occurring on an ongoing basis. And for that, there are new opportunities, new entrepreneurs, new folks who build businesses. They’re going to come up with something else. New companies are coming to market every single day, and they’re coming in at an equally high pace, and they’re competing with some great ideas. So there are some amazing companies that are out in the market right now. I think that’s the exciting part about our ecosystem.”
In other cybersecurity news …
The FBI on Thursday confirmed it had been able to access the computer network of the Hive ransomware group since July 2022.
During that time, the agency was able to capture and provide decryption keys to 336 victims of the group, preventing more than $130 million in ransom payments. Additionally, it stopped a ransomware attack on a Louisiana hospital and one targeting a school in Texas, saving both victims from paying a ransom.
The Hive group’s dark web leak sites have been taken down. The group has targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms and critical infrastructure.
Tim Morris is Tanium’s chief security advisor for the Americas. He said this is a “huge development.”
“In cybersecurity, there is a tendency to be on one’s heels from a defensive posturing standpoint,” he said. “Concentrated offensive actions such as this expansive takedown not only disrupt the criminal crew’s immediate activities, but also compromise their overall operation by obtaining the encryption keys to stolen data. This could lead to the recovery of data previously thought lost or inaccessible, which is a significant victory for authorities. While it’s unlikely to make all victims whole, even a partial recovery of data is promising. Obtaining the keys is one of the biggest wins in this case by far.”
Kurt Baumgartner is principal researcher at Kaspersky.
“This coordinated effort is what we need to see more of from law enforcement around the world,” he said. “Some of this effort in letting the activity progress may seem somewhat controversial, but generating decryption keys for victims over time helps to exhaust the group’s resources. Yes, in all likelihood, another gang is going to fill the void. It takes time and effort, but the incentives are in the hundreds of millions of dollars.”
Law enforcement put on display some impressive capabilities in infiltrating, seizing and disrupting some of the gang’s resources, Baumgartner said.
“The actors behind this group have shown a reckless disregard for human life in their efforts to victimize schools and hospitals,” he said. “We urge people to never pay any ransom if they are attacked and to check nomoreransom.org to see if there is an available encryption key to unlock their data.”
On Dec. 23, KrebsOnSecurity alerted big three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report. They did so armed with nothing more than a person’s name, address, date of birth and Social Security number.
Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9 and Dec. 26.
Darren Guccione is Keeper Security’s CEO and co-founder.
“Our research shows the average U.S. business experiences 42 cyberattacks per year, three of them successful,” he said. “While the impact to business operations and financial losses may be the most tangible examples of the damage these attacks cause, the impact to customers can be devastating. Consumers are putting their trust in an organization to handle their data with the utmost security. When the organization fails to do this, it understandably breaks that trust. This Experian security flaw serves as yet another reminder of why everyone must make cybersecurity a priority. A password manager is a critical first step to create high-strength, unique passwords for every account to help prevent attacks and mitigate the risk of sprawl if a consumer’s information is posted to the dark web.”
Mike Parkin is senior technical engineer at Vulcan Cyber.
“Brian Krebs’ report on the security issue at Experian is troubling on a lot of levels,” he said. “The three credit reporting bureaus determine people’s credit scores and have little oversight, and a convoluted and time-consuming process to deal with when there is a mistake. And people report a lot of mistakes. That their system was vulnerable to what appears to be a simple bypass is problematic. People are forced to trust these systems whether they want to or not and, as breaches that include this one show, these systems are not always trustworthy.”
Zero trust is top of mind for most organizations as a critical strategy to reduce risk, but few organizations have actually completed zero-trust implementations, according to Gartner. It predicts that by 2026, 10% of large enterprises will have a mature and measurable zero-trust program in place, up from less than 1% today.
In addition, by 2026, more than one-half of cyberattacks will target areas that are not protected by or cannot be prevented by zero-trust controls.
Gartner defines zero trust as a security paradigm that explicitly identifies users and devices, and grants them just the right amount of access so the business can operate with minimal friction while risks are reduced.
Gartner warns CISOs and risk management leaders should not assume that zero trust will eliminate cyber threats. Rather, zero trust reduces risk and limits impacts of an attack.
Jeremy D’Hoinne is security analyst and research vice president at Gartner.
“The enterprise attack surface is expanding faster and attackers will quickly consider pivoting and targeting assets and vulnerabilities outside of the scope of zero-trust architectures (ZTAs),” he said. “This can take the form of scanning and exploiting of public-facing APIs or targeting employees through social engineering, bullying or exploiting flaws due to employees creating their own bypass to avoid stringent zero-trust policies.”
Claude Mandy is chief evangelist of data security at Symmetry Systems.
“The current assessment of the percentage of large enterprises with mature zero-trust programs at just 1% will be depressing to read for large organizations, who have spent millions on the latest zero-trust technologies,” he said. “No matter how damning it feels, it is unfortunately a fair assessment considering the holistic definition of zero trust as outlined by Gartner. One of the key gaps that we continually identify is the excessive amount of access to data, provided to everyone in the organization, including machine identities. The only way to limit the impact of an attack (or data blast radius) is by continuously assessing the amount of data access (including data accessible through API’s) and rightsizing it, to reduce the implicit trust provided to users and machine identities. Unfortunately maintaining least privilege like this remains a challenge for all organizations.”
Cybercriminals only need to find one hole in the attack surface, while enterprises are currently trying to find and plug all the holes, Mandy said. It is almost inevitable that cybercriminals will find it easier to take advantage of human nature or to target the weakest part of the attack surface, in this case poor API security, and therefore do that more frequently.
John Yun is vice president of product strategy at ColorTokens.
“From my experience, I have yet to meet large enterprises who do not have a zero trust initiative of some sort,” he said. “I think the bigger question is how you define mature zero trust implementation. It is common for organizations to implement zero trust in multiple stages. They may elect to implement microsegmentation first, to segment their network, application and users. They can expand the solution from on-premises to hybrid and also to cloud environments. Once such expansion has taken place, organizations look to zero trust network access (ZTNA) or to now include remote users under the zero trust umbrella. As you can imagine, such adoption for large enterprises can take a considerable amount of time. Most organizations take incremental steps toward zero trust and often do not equate mature deployment to complete coverage under zero trust including remote access scenarios.”
Zero trust absolutely reduces the cost of breaches, Yun said.
“Today, you have to operate under the assumption that perimeter security, no matter how big the lock, will get breached,” he said. “Under that assumption, the more difficult you make for the attackers to navigate your network, the more time you have to thwart the attack. Even if any nodes become compromised, zero trust minimizes the blast radius.”
And finally, Jan. 28 is Data Privacy Day, an international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust.
Don Boxley is CEO and co-founder of DH2i. He said the perpetual concern around data privacy and protection has led to an abundance of new and increasingly stringent regulations around the world.
“According to the United Nations Conference on Trade and Development (UNCTAD), 71% of countries now have data protection and privacy legislation, with another 9% having draft legislation,” he said. “This increased scrutiny makes perfect sense. Data is being created and flowing not just from our business endeavors, but countless personal interactions we make every day, whether we are hosting an online conference, making an online purchase, or using a third party for ride-hailing, food delivery or package transport.”
Nathan Howe is vice president of emerging tech and 5G at Zscaler. He said those responsible for protecting organizations’ information, such as IT security and HR departments, must do so with great care. That’s because each piece of information has a completely different value today than it would have had a few years ago and so must be protected differently.
“The first step is to decide which data is and is not private so it can be categorized,” he said. “With data flagged as private or public, for example, an appropriately trained chatbot can filter it before processing.”
The fear of mishandling information is justified in light of technological progress, Howe said.
“Organizations have the power to protect their data, however, and they need to take countermeasures so that sensitive and private data is not made public,” he said. “As a first step, they must get complete visibility of all the data stored in their IT ecosystem in order to take measures to classify it. A cloud-based internet security platform provides the power to scan for sensitive data about to be exposed on the internet, and moreover, it can secure cloud environments with a zero trust approach to effectively categorize each piece of data.”
Cybersecurity M&A and investment have been explosive the past few years, but the volume is likely to return to more normal levels in 2023.
So say Parag Sheth, managing director of Progress Partners, and Eric Bell, managing director of Cyber Advisory Partners. We asked both to assess trends in cybersecurity M&A and investment, and what we can expect in 2023.
Progress Partners is a corporate advisory firm that works with buyers and sellers of emerging growth companies to complete M&A or private placement transactions. Cyber Advisory Partners helps emerging and leading security companies access the resources, relationships and intelligence needed to grow their businesses and advance U.S. national security.
Cybersecurity Industry Remains Strong Regardless of Economy
Despite economic headwinds, cybersecurity remains a strong and thriving industry because organizations have to protect themselves from ever-increasing cyber threats.
“There’s no alternative to doing so because we have moved into a data-centric society and that data is worth something to somebody,” Sheth said. “So they are constantly looking for ways to acquire that data and we have to find ways to protect it. People have wearables. People wear these devices on their body. That data is going to be put somewhere. And if you don’t protect that data and somebody gets ahold of that, that can be dangerous to that person. We have to keep evolving. We have to keep innovating. And I think that is why the cyber market continues to be robust. It continues to be attractive. And it’s a highly innovative market where a lot of capital is invested so that we can address these ongoing issues that you and I both face.”
Cybersecurity ‘Strategic Imperative’
Within technology, cybersecurity is “such a strategic imperative from top down,” Bell said.
“The consequences of not having security are just enormously high for any organization,” he said. “And it’s not like breaches or ransomware attacks are stopping. They’re happening every day. And every day I see new headlines of a school system being shut down, hospitals being held hostage. So it’s still top of mind for everyone. And I think cyber, unlike a lot of categories within technology, doesn’t go through the same kind of technology maturation cycle. Innovation is going to happen because the hackers are innovating and malicious actors are out there constantly trying to find new ways to get our data and to get our information. And so you can’t kind of sit back and wait for cybersecurity to be solved. It’s constantly evolving and it doesn’t go through kind of peaks and troughs.”
There’s more ways that people can get hacked, and that’s forced organizations to invest more in cybersecurity, Bell said.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.