Why Security Services Are the M&A Trend to Watch

Growing enterprise demand for managed security services is driving a flurry of acquisition and investment activity in the space. Among those rushing to stake a claim in the booming market — or to expand their presence in it  — are pure-play security vendors, IT consulting firms, systems integrators, and telecommunication vendors.

Examples of recent deals that illustrate the trend include Proofpoint's $62.5 million purchase of data loss protection services company InteliSecure in February, Deloitte's June acquisitions of cloud security posture management firm CloudQuest and risk management services provider Terbium Labs, and Accenture's purchase of French cybersecurity services firm OpenMinded in April. In addition, last September Palo Alto Networks paid some $265 million in cash to acquire incident response, forensics, and risk management firm The Crypsis Group, and in October 2020 services provider KBR acquired Centauri for $800 million.

In each instance, the acquiring organization was trying to expand its current service portfolio, broaden its customer base, or break into a new market space. The deals are representative of what Forrester Research has described as the "scorching" pace of acquisition activity in the cybersecurity services space over the past year. Thirty-five out of the 129 cybersecurity acquisitions that Forrester tracked in 2020 — or more than 25% — involved services firms. The average transaction value for these deals was just over $324 million, which, while certainly not the highest, is higher than acquisition deals in areas such as endpoint security, cloud security, and threat intelligence.

Reasons for Demand
Forrester analyst Merritt Maxim says the recent acquisition activity reflects growing demand for managed services from companies that are unable or don't want to deal with increasingly complex security challenges amid a worsening skills shortage. 

"A lot of times organizations look to managed services as an alternative to hiring their own staff," he says. 

They view these companies as offering a way to address labor shortages and potentially the overhead associated with onboarding new staff, Maxim says. In addition, sometimes organizations may not necessarily have a staffing problem, but they have a skills problem, he says. 

"They might not have the staffing for a new area they want to move quickly on, and services become a way to fill that gap more quickly versus onboarding new staff," Maxim explains.

A rapid and continuing uptick in intrusions and attacks is another major factor, says Hank Thomas, CEO at investment firm Strategic Cyber Ventures. Companies are being forced to stand up security functions and capabilities that they are quickly determining are not their core competency. 

"Outsourcing security to trained professionals is a quick way to stand up a capability," Thomas says. "Almost anything in security can be outsourced if organizations are willing to turn over some of the keys to their networks and data to third-party security teams."

Increased Spending
Gartner expects organizations worldwide will spend some $72.5 billion on security services in 2021, up 11.4% from last year's nearly $65.1 billion. In fact, they will spend more on security services — including hardware support, consulting, implementation, and outsourced services — than any other category of security spending this year. The industry analyst firm predicts that by 2025, half of all organizations — from 15% currently — will use third parties for a wide range of threat monitoring and detection, as well for remotely managed incident response and mitigation services.

Traditionally, most of those offering such services have been pure-play security vendors, such as IBM, Trustwave, ReliaQuest. Secureworks, and Optiv. In recent years, though, many non-security-specific vendors have begun muscling into the space via strategic investments and acquisitions. Gartner has put these vendors under two broad categories: network services and telecommunications vendors, such as AT&T Cybersecurity and BT Security, and systems integration and consulting firms, such as Atos, Cap Gemini, and Deloitte.

Some of these latter categories of firms have been the most active acquirers of security services providers in recent months. Companies like Accenture and Deloitte, for instance, have been on an M&A spree over the past year, with each organization purchasing multiple security services companies. Among the several companies Accenture has acquired are Symantec's cybersecurity business, Context Information Security, and Sentor. Deloitte has made five cybersecurity purchases just in 2021, including Terbium and CloudQuest.

A lot of what's going on with the big consulting firms and systems integrators is just a function of market conditions being right and these firms having the capital to invest in acquisitions, says Forrester's Maxim. Accenture CEO Julie Sweet, for instance, has said the firm plans to spend a substantial $4 billion in acquisitions to expand its capabilities in multiple areas, including cybersecurity services. 

Firms like these are "making these deals to either acquire additional customers, to acquire different capabilities, or to further round out existing cybersecurity services they already had," Maxim notes.

An (Over)Abundance of Options
For enterprise organizations, the bustling activity is making available to them a wide and constantly expanding range of cybersecurity services from a varied set of third-party service providers. The range of services available through third party providers include threat detection and alerting services, incident response and mitigation, endpoint detection and response, network detection and response, vulnerability assessment and monitoring, SIEM management, security consulting, and advisory services. These services are often delivered via subscription on a 24x7 basis and are designed to addressed everything from generalized detection and monitoring requirements to high-end highly customized services.

For many organizations, the main advantage of signing up for these services is the increased flexibility it gives them to leverage their existing security investments while accelerating operational effectiveness, according to Gartner.

"The spectrum of managed services is gigantic, and there are plenty of nodes along the managed services spectrum for investors to explore," says Shaun Gordon, co-founder and CEO at BreachQuest. Heightened cyber-risks and the generally higher media attention focused on cybersecurity threats appear to have convinced investors that a huge opportunity exists within the managed security services space, he says.

Demand for managed security services will continue to increase as organizations realize that they are unable to deliver industry best practices with internal resources or to effectively meet requirements defined by their clients and supply chain partners, Gordon says. 

"It is a strong trend of demand from a broad spectrum of companies of all sizes looking externally for cyber expertise and capability to support a variety of functions," he says. 

Over the past 12 months, the trend has been exacerbated further by cyber insurance carriers that have been increasing their expectations for clients’ cybersecurity maturity levels at renewal time, Gordon notes.

For enterprises, the surge in investment and acquisition activity in the cybersecurity services space is both a boon and cause for more careful consideration of their available options. Choosing a managed security services vendor has become more difficult because of the large and disparate array of services that many providers have, Gartner says. Big providers in this space often have capabilities that cross over into other markets such as consulting, systems integration, and network connectivity. Managed service providers have also begun running up against providers of turnkey services, such as managed detection and response providers --which in turn have begun encroaching on territory once owned by service providers, the analyst firm noted. 

"MSS buyers must focus on the deliverables and outcomes rather than the delivery mechanism and they are risk-driven rather than technology-driven in their requirement setting," Gartner said.

Forrester's Maxim also cautioned about the perceived cost effectiveness of outsourcing security functions to third parties. In the short term, the strategy might offer a faster and less-expensive approach to acquiring required capabilities compared with onboarding new skills. But as with everything security-related, conditions can change, he says. 

"Over the longer term, those benefits may go away if the firm increases prices or requirements change," Maxim says. "It's not the case that third-party services are absolutely always cheaper or always more expensive," he says. "There are a variety of factors that can affect this."