In 2011, global spending on cybersecurity reached US$60bn, according to estimates from PricewaterhouseCoopers (PwC), the business advisory firm. The firm expects that figure to grow by 10% annually over the next three to five years.
Continued growth in the sector – and the fact that security spending by business and government appears to be relatively immune to the cyclical swings that affect other areas of IT – is also making the market an attractive one to investors. PwC, for example, says that companies will continue to spend on security, because of “growing threats and awareness”, and because of the need to provide security in areas such as mobile and cloud computing.
This, in turn, has made the information security industry a hotbed of corporate activity. Total deal activity since 2008, as measured by PwC in its report ‘Cyber Security M&A: Decoding Deals in the Global Cyber Security Industry’, amounts to more than $22bn. The first six months of 2011 brought 37 deals, worth $10bn altogether. The largest deals involved US- and UK-based security vendors.
Over the years, this has led to a number of mega-deals, including Symantec’s purchase of Veritas, EMC²’s purchase of RSA and most recently, Intel’s acquisition of McAfee. The nature of the security industry, however, means that it remains more diversified, and more open to smaller vendors, than many others.
One reason for this, insiders suggest, is the constantly changing threat landscape; another is the close relationship between information security and both academic and military research. Moreover, chief information security officers are also more willing than other senior IT managers to buy from smaller, more specialist vendors, as they need to tackle specific security or data protection concerns. A customer relationship management system, or a word-processing package, may function adequately even if it is not the best. The concept of “good enough” technology, however, is harder to apply to security.
“If you look at the security market over the last few years, the top players have lost market share, despite high levels of mergers and acquisitions”, explains Ruggero Contu, a security specialist at industry analysts Gartner. “Although we have both larger and smaller companies acquiring for a number of reasons, there is also a lot of activity at the bottom of the ecosystem.
“We have start-ups with new ideas, or that cater for new security requirements. In the enterprise space, for example, we have companies targeting mobility, or virtualization”, Ruggero continues. “We have consolidation, with the larger players acquiring to beef up their portfolios, or looking to expand into new markets, but there is also a lot of dynamism.”
Nonetheless, the stage is set for more acquisitions in 2012. At the top end of the market, security vendors such as Symantec are relatively cash-rich, and have a track record of growth through acquisition. Lower down, some smaller vendors are likely to find it harder to raise funding for expansion or product development, pushing them toward deals with larger players.
“In general, I don’t think infosec companies are built to be sold; most are built to solve a particular problem, or because they believe they offer a superior alternative solution than the status quo”, says Chris McKie, director of investor relations at vendor WatchGuard. “The fact that many are sold is usually a result of market conditions, competitive pressures, or a need to accelerate growth.”
“In my experience, [M&A] deals have not benefited users” – John Walker, ISACA, Secure Bastion
According to Bob Tarzey, at industry analysts Quocirca, security industry mergers and acquisitions tend to happen either because ideas developed by smaller vendors become of interest to the larger players, or because larger vendors are looking to gain market share. “Symantec has grown by taking market share, through buying companies in the space”, he says.
Then there is the role of market consolidator being played by IT vendors that are not security specialists, but which have – or which want to have – a significant security capability. EMC²’s security acquisitions have been about bolstering its credentials as an information management provider, rather than a hardware security vendor. Oracle acquired some significant, non-database security assets when it bought Sun Microsystems, especially in the area of access and identity management.
General Blue Chip
The real driving force in recent M&A activity comes from among the generalist hardware vendors, including HP, Cisco, and Dell. HP has been building up its capabilities through acquisitions such as ArcSight. So far, HP has focused on deals that fit with its IT management capabilities. Dell bought SecureWorks early last year, and Cisco has also been buying, as security moves further into the network layer.
“Cisco has built up security to a $1bn revenue stream”, says Quocirca’s Tarzey. “But it also has security in its devices. HP is doing the same.”
In this, the vendors are following a trend toward diversifying out of hardware, and bolstering their in-built security offerings. It is a path IBM has been following for several years.
KEY SECURITY DEALS THAT HAVE SHAPED THE INDUSTRY
| June 1998 | McAfee (then Network Associates) buys Dr Solomon |
| December 2004 | Symantec merges with Veritas |
| June 2006 | EMC² buys RSA |
| August 2006 | IBM buys ISS |
| October 2008 | Symantec buys MessageLabs |
| October 2009 | Microsoft buys Frontbridge |
| August 2010 | Intel buys McAfee |
| September 2010 | HP buys ArcSight |
| January 2011 | Dell buys SecureWorks |
| July 2011 | Sophos buys Astaro |
| March 2012 | Trustwave buys M86 Security |
“Our security framework is based on four dimensions: people, data, applications and infrastructure”, says Mark Van Zadelhoff, a vice president at IBM, which recently bought security vendor Q1 Labs. “Two trends favor the generalist vendor: the desire among customers to consolidate vendors, and to have their security requirements working well together.”
Doing this, he suggests, makes the CISO’s task easier. It is not, however, IBM’s intention to be in every sector: the company no longer develops anti-virus software, for example, but works instead with Trend Micro.
It’s Not All Roses
Not all security experts believe that mergers and acquisitions are beneficial for end-user businesses, with many suggesting it is the company’s founders, or its buyers, who reap the rewards.
“In my experience, deals have not benefited users”, cautions John Walker, a professor at Nottingham Trent University and member of the ISACA Security Advisory Group. “A lot of these deals occur where a product is bought, and it is never quite the same animal. Some of the niche companies produce specialist products and in my opinion, they deliver better products. The bigger companies buying them don’t have the spirit that produces them, the keenness and the attention to the product.”
In some cases, he says, good products have disappeared from view under the stewardship of new, larger owners, often by being incorporated into other products or as part of bundles. Others have been starved of investment and have fallen from favor, as their capabilities have diminished. Other acquisitions have been asset-stripped for interesting technology, leaving the original users behind; in some cases, acquisitions have been made simply to remove a competitor from the marketplace.
Walker also suggests that the presence of two large security vendors in the market brings its own problems. “Two big players – Symantec and McAfee – from a customer choice point of view, is not beneficial to the industry”, he says.
Buyers of IT security, however, can do little to protect themselves from the possibility that a supplier is bought out, suggests Walker. “The danger with niche players is that larger players buy them, and they could disappear overnight”, he says. “But smaller players can run into financial trouble, and disappear. You can do your due diligence, but there are no guarantees.”
The best way to protect security investments, Walker says, is always to buy into technology that is based on industry standards and that supports interoperability. In a market where deal-making may well increase, it is solid advice.
CASE STUDY: CLEARSWIFT
In November 2011, Clearswift, a UK-based security vendor, was bought for $46.5m (£30m) by Lyceum Capital, a London-based private equity house whose investments range from security, to care services, media, and food retail. Infosecurity magazine spoke with its CEO, and its new owner.
“Lyceum is focused on mid-cap UK-based companies. They are a ‘buy and build’ equity investor”, says Richard Turner, who will remain as CEO. “Private equity has a keen eye for quality assets in the security industry. They look at the technology, the customer base, and the distribution channels.”
According to Turner, the deal will allow Clearswift to grow organically, but also to grow through its own acquisitions, as businesses look to consolidate their security spending.
“What we look for in our acquisitions are good market fundamentals”, explains Jeremy Hand, a managing partner at Lyceum. “Clearswift has an impressive and loyal international customer base – especially government and defense clients that are attracted by the company’s software – which is capable of dealing with the largest and most complex threats.
“The business fundamentals are strong, and Richard Turner has done a great job re-positioning the company. It has a well-invested software product with a differentiated offering, and a good reputation and positioning with customers”, Hand continues. “[We saw] strong underlying growth rates and low customer churn, with a clear strategy driven by capable management.”
As an investor, Lyceum has clear plans to help Clearswift grow. “Scale is an obvious advantage in terms of product development, threat identification and the recovery of fixed costs associated with sales and administration”, says Hand. “In the growing, but still young and fragmented IT security market, we would expect to see market consolidation. This has indeed happened to some extent, but we expect to see more over the next few years. Accelerated growth, both organically and through M&A, are certainly central to Clearswift’s plans over the next few years.”
Turner agrees that the market can only consolidate further. “Security has resisted [acquisitions] more than the general IT market, but customers want to deal with as few people as possible, to get the job done”, he says.