Despite cataclysmic changes affecting other parts of the economy, 2020 and 2021 have been very good years for the cybersecurity industry. The security industry saw 178 strategic merger and acquisition (M&A) deals in 2020, and 238 offers in the first three quarters of 2021 alone.
Many large corporations and private equity (PE) firms are now engaging in high-volume, programmatic acquisitions of cybersecurity companies. Thoma Bravo alone owns 25 security companies. Even among smaller security vendors, consistent M&A acquisition of key technologies and talent is a proven growth strategy.
Meanwhile, new investments continue to pour in. first semester 2021 broke all records with $11.5 billion in venture capital funding for cybersecurity startups. Six new cybersecurity “unicorns” — companies worth at least $1 billion — were born in 2020, and nine more born in 2021.
What is driving such a volume of M&A and investment activity in the cybersecurity industry?
Most other IT industries reach some sort of technological and statistical maturity after a decade or so. But the cybersecurity industry is unique in that technology can never become mature because opponents are always evolving. Incumbent security vendors must continue to respond, and M&A acquisition is one way they can stay at the forefront of the innovation curve. VCs and PEs who see this exit potential continue to fuel new startups.
In my work, I see both the sell side and the buy side of the M&A market. Here are five structural trends driving M&A activity in cybersecurity.
1. Over a decade of VC and PE investment has created an abundance of security startups. Walk the aisles of the RSA conference and you will see them. Many of these funded startups are essentially built to be acquired, in that they focus more on developing “features” than becoming fully baked companies.
What does that mean : The glut and proliferation of funding is driving industry consolidation through mergers and acquisitions.
2. Incumbent corporate security firms are feeling pressure from Wall Street to strengthen their positions in a fragmented market. The security market is still very fragmented. Incumbents are acquiring startups that offer orchestration and automation technologies to help them build true security platforms (as opposed to baskets of disparate technologies). They are also looking to acquire startups focused on securing emerging areas such as cloud services, Internet of Things, and Kubernetes/containers. This month’s announcement that Google acquired Siemplify SOAR (security orchestration, automation and response) technology for cloud environments is a perfect example.
What does that mean : Companies that innovate security for emerging domains and companies that automate disparate security functions will continue to be acquired.
3. Publicly traded security companies must show predictable and recurring revenue. These companies use mergers and acquisitions to acquire existing customer bases and future revenue streams, which in turn creates investor confidence and stable stock prices for them.
What does that mean : High-margin software-as-a-service companies that can demonstrate future revenue growth are particularly attractive M&A targets.
4. Cybersecurity affects all sectors. Just as energy costs creep into every aspect of our economy, security is now an issue that almost every business must deal with. We are seeing cybersecurity M&A deals from companies in adjacent sectors such as telecommunications, aerospace and energy acquiring cybersecurity technology to run their operations.
What does that mean : Security startups can look for M&A exit opportunities among non-software companies that need to develop (or buy) in-house security expertise.
5. Private equity firms benefit from the speed of mergers and acquisitions. Private equity firms seek to consolidate security companies in preparation for a possible turnaround or IPO. Investcorp recently acquired Avira for $180 million and returned it eight months later to NortonLifeLock for double the price – $360 million. Thoma Bravo has acquired a portfolio of over 25 branded security companies, including Barracuda, McAfee and Sophos.
What does that mean : Your cybersecurity startup should examine the current portfolios of private equity firms to see if you can provide a missing piece to a deployment technology stack.
The structural drivers of the cybersecurity industry ensure that new startups will continue to be funded and incumbents will continue to acquire new security technologies and talent through mergers and acquisitions. Ever-changing adversaries and threats essentially guarantee a need for niche technologies, and this market dynamic is a win for both the selling side and the buying side. M&A is a driver of innovation and value creator in the cybersecurity industry, and a consistent programmatic M&A strategy is a proven formula for growth and success.