Despite cataclysmic changes affecting other parts of the economy, 2020 and 2021 were very good years for the cybersecurity industry. The security sector saw 178 strategic merger and acquisition (M&A) deals in 2020, and 238 deals in the first three quarters of 2021 alone.
Many large enterprises and private equity (PE) firms now engage in high-volume programmatic acquisitions of cybersecurity companies. Thoma Bravo alone owns 25 security companies. Even among smaller security vendors, consistent M&A acquisition of key technologies and talent is a proven strategy for growth.
Meanwhile, new investments continue to pour in. The first half of 2021 broke all records with $11.5 billion in venture capital funding going into cybersecurity startups. Six new cybersecurity "unicorns" — companies worth $1 billion or more in valuation — were born in 2020, and nine more originated in 2021.
What is driving such high-volume M&A and investment activity in the cybersecurity sector?
Most other IT sectors reach some sort of technology maturity and statis after a decade or so. But the cybersecurity sector is unique in that the technology can never become mature because adversaries are always evolving. Incumbent security vendors must continue to respond, and M&A acquisition is one of the ways they stay on the leading edge of the innovation curve. VCs and PEs that see this exit potential continue to fuel new startups.
In my work, I see both the sell-side and the buy-side of the M&A market. Here are five structural trends that drive M&A activity in cybersecurity.
1. More than a decade of VC and PE investments has created a bounty of security startups. Walk the aisles at the RSA Conference and you'll see them. Many of these funded startups are essentially built for acquisition, in that they are more focused on developing "features" than becoming fully baked companies.
What that means: The funding glut and proliferation is driving industry consolidation via M&A.
2. Incumbent enterprise security companies are feeling Wall Street pressure to fortify their positions in a fragmented market. The security market is still highly fragmented. Incumbents are acquiring startups that offer orchestration and automation technologies to help them build out true security platforms (as opposed to baskets of disparate technologies). They are also looking to acquire startups focused on securing emerging areas such as cloud services, Internet of Things, and Kubernetes/containers. This month's announcement that Google acquired Siemplify's SOAR (security orchestration, automation and response) technology for cloud environments is a perfect example.
What that means: Companies that innovate security for emerging areas, and companies that automate disparate security functions, will continue to get acquired.
3. Publicly traded security companies need to show predictable and recurring revenue. These companies use M&A to acquire existing customer bases and future revenue streams, which in turn creates investor confidence and stable stock prices for them.
What that means: High-margin software-as-a-service companies that can prove future revenue growth are particularly attractive M&A targets.
4. Cybersecurity affects every sector. Just like energy costs creep into every aspect of our economy, security is now a problem that nearly every company must deal with. We are seeing cybersecurity M&A deals coming from corporations in adjacent sectors like telco, aerospace, and energy that are acquiring cybersecurity technology to manage their operations.
What that means: Security startups can look for M&A exit opportunities among non-software companies that need to build (or buy) in-house security expertise.
5. PE firms are enjoying the M&A velocity. PE firms are looking to roll up security companies for an eventual flip or IPO. Investcorp recently acquired Avira for $180 million and flipped it eight months later to NortonLifeLock for double the price — $360 million. Thoma Bravo has acquired a portfolio of 25+ brand-name security firms, including Barracuda, McAfee, and Sophos.
What that means: Your cybersecurity startup should look at PE firms' current portfolio holdings to see if you can provide a missing piece to a roll-up technology stack.
Structural drivers in the cybersecurity sector ensure that new startups will continue to get funded and incumbent players will continue to acquire fresh security technologies and talent via M&A. Continuously evolving adversaries and threats essentially guarantee a need for niche technologies, and this market dynamic is a win for both sell-side and buy-side. M&A is a driver of innovation and creator of value in the cybersecurity sector, and a consistent programmatic M&A strategy is a proven formula for growth and success.