Is M&A Really the Silver Bullet for Legacy Security Vendors?
Two bad companies don’t make a good one, and two old ones don’t either. This common analyst tag line is synonymous with industry consolidation, which has been quite the buzzing topic in the security sector with the uptick in M&A announcements. For those still catching up on the news: Oracle just bought Palerra, Cisco bought Cloudlock, Symantec bought Blue Coat, Vista Equity Partners bought Ping Identity and Infoblox, and more. For additional background, Steve Herrod of General Catalyst wrote a poignant article that describes the forces at play here.
The old guard buying up the new is certainly exciting news for early-stage security entrepreneurs and VCs. But is M&A really the salve for legacy company woes? As an early-stage investor in security startups, this is a constant topic of debate. Seeing how large security vendors plan inorganic growth strategies in my prior consultations as an industry analyst, I’d like to contribute some perspective on the rising M&A trend by way of examining the possible set of strategies and outcomes. We believe cybersecurity industry consolidation takes many forms, not all to the benefit of incumbents.
There are many strategies underpinning technology M&A, ranging from accelerating product development (Google buying DeepMind) and go-to-market through distribution reach (Oracle buying PeopleSoft) to disrupting business models (EMC buying VMware). M&A rationalization is always a bit of a Rorschach blot, but examining the various means to value creation helps clear things up:
- Rolling up security companies to cross-sell products will not be successful. Legacy vendors and PE firms appear determined in their efforts to consolidate the industry to allow for one-stop security shopping. This strategy is not as clear-cut as it would have been in the past. With the increasing availability of APIs and vendor willingness for interoperability of security tools, CISOs prefer best-of-breed software procurement. This allows them to select security services tuned to their exact needs, and swap services in and out to maintain an adequate security posture as these needs change with the ever-evolving threat landscape and enterprise footprint. Legacy vendors creating fiefdoms sit at odds with this strategy and also create the dreaded vendor lock-in. In a classic innovator’s dilemma, the legacy vendor’s product portfolio will always lag current and future security requirements. If you can only monitor “10% of my IT stack,” as the CISO of a major national sports league recently put it, you have a weak case for becoming the Costco of cybersecurity. Legacy vendors also limit customer flexibility and choice in favor of upselling their suite of services. We already see this today as Microsoft force-feeds Adallom to its Office 365 customers below a certain contract size. For the most progressive CISOs who rapidly adopt new security technologies, M&A for the purpose of cross-selling is an annoyance.
- Rolling up security companies to tightly integrate products may be successful. The notion of one-stop shopping becomes compelling when the suite of products works together in a unique way that customers will have difficulty replicating on their own. This is often referred to as “product synergies” and is the justification behind many acquisitions in the technology industry, including the latest roundup in security. Cisco has endpoint assets that could beef up Cloudlock’s API-based data access model into something more robust. In a similar vein, Symantec can integrate Blue Coat’s Perspecsys and Elastica with its malware and MDM products for fully instrumented traffic steering between the endpoint and the cloud. Oracle IAM and Palerra CASB offerings may be a match. These integrations would bring significant differentiation to the rapidly maturing CASB market by rounding out the many architectural tradeoffs that exist in current solutions developed by pure-play vendors. The flip side is that these integrations require heroic coordination across multiple business units. Cisco has a history of successfully folding acquired companies into its operations. Symantec, quite infamously, does not. In short, do not expect significant product synergies to come to fruition anytime soon.
- Rolling up security companies to bring new products to old customers will be successful. Product synergies that make the headlines often overshadow more attainable revenue synergies through distribution reach. Cisco and Symantec both have a strong network of channel partners, distributors, and VARs that are critical to reaching mainstream information security buyers outside of the early-adopter crowd on Wall Street and in the Valley. Successful security startups excel with early adopters, but often fail to make the transition to mainstream buyers. Even those that succeed often suffer from growing pains and ballooning spend that force them to raise larger-than-expected growth financing rounds at unfavorable valuations. There simply isn’t much leverage in this industry given how different early-adopter customers are from the mainstream. The investment team at Greylock aptly labels the ‘winners’ side of this dividing line the cybersecurity “1%.” With proper execution, legacy security vendors can flex their muscles to bring modern security technology to the masses.
Consolidation is not a one-dimensional concept; it can also take shape outside the purview of incumbents. Consider that consolidation strategies are:
- Espoused by the pure-play vendors too. Netskope, Ping Identity, Airwatch, and ThreatMetrix are four pure-play vendors creating product synergies by way of strategic alliance. vArmour, and to some extent Illumio, are working to stitch together the pieces of the cloud security puzzle by way of internal development so CISOs don’t have to conduct extensive customization work to make the relevant security products work together. Pure-play vendors who can craft a holistic product suite for a particular customer will be a serious threat to incumbents. For now, they will certainly command much heftier acquisition price tags than what we’ve seen in recent years.
- Fueled by increasingly powerful PE firms. By tradition, private equity firms restructure pure-play vendors for an IPO or sale to an incumbent. As lucrative as this strategy has been, I believe there’s a massive opportunity to buy and consolidate a set of pure-play security companies unencumbered by a legacy rut. This move would be a play against the incumbent vendor approach of buying new technologies for portfolio retrofit. Perhaps Vista bought Ping Identity and Infoblox to anchor its own consolidation playbook, bringing identity and network together à la Cisco and Lancope.
It’s also important to note that consolidation is only relevant in rapidly maturing market categories. Recent deals focus on CASB and IAM technologies, two developed segments within the modern security stack. In contrast, categories like security operations and application security are just now being disrupted by startups and are far from the sights of incumbent vendors. As these new market categories develop, they will add additional variables to the industry consolidation equation, making this latest round of M&A incidental to the overall market transformation we will see play out over the next five years.
The security M&A swarm can best be summed up as a test of legacy vendors’ grip over the mainstream customer. Can legacy vendors successfully scale new technologies using their existing go-to-market infrastructure like they did in the past? If the answer continues to be yes, M&A will prove to be the silver bullet legacy vendors need to maintain leadership in an otherwise flattening market. However, with a sea of new innovations on the way and pure-plays and PE firms forging empires in their own right, one can’t help but call into question the efficacy of 30-year-old companies incrementally innovating through acquisition.
Disclosure: vArmour is a Work-Bench Ventures portfolio company.