How to Address Cybersecurity Vendor Acquisitions

The role of cybersecurity and the overall importance of ensuring CISOs have a seat at the table for the acquisition process in its entirety is well documented; the value of data and the complexity of IT/IT security environments in today’s enterprises mean information security is a critical component of the traditional due diligence process in a deal, particularly due to the rate at which new threats can arrive. And, according to enterprise CISOs, 2020 is already set to be a landmark year for industry consolidation.

Cybersecurity M&A and industry consolidation is already underway

Twenty-nineteen was a busy year for deals in the security space; larger players snapped up smaller ones to expand their portfolios. VMware’s acquisition of Carbon Black and its recent purchase of Nyansa are good examples, as well as Broadcom’s acquisition of Symantec, and Palo Alto Networks’ purchase of Demisto. And, given the immense proportions of point tools that declutter organizations’ security environments, there is certainly the demand and the need for more unions.

Despite the benefits decluttered environments bring, the process of removing or updating tools that have been consolidated can be a challenge.

“We’ll have fewer vendors in 2020 because they’ll get consolidated away, so you must prepare for that,” Marc French, CISO & managing director of product security group, predicted. “If you had seven vendors, you could be down to three, and you have to be prepared for the projects you had planned that should be restructured due to market moves. Also, due to platform companies that offer endpoint solutions or other tools as a package, I predict organizations will end up with a handful of single-platform solution providers running the bulk of your security protection environment.”

“New companies are emerging like water from a fountain, and the rate of new startups isn’t likely to slow down at all,” according to Sam Curry, CSO at Cybereason. He argued, “The incentive is present for startups to dream about growing and getting acquired. This will all continue in 2020, and while no one is throwing out their SIEM or their antivirus, the industry is likely to see the brands that have dominated it for 20 years fade and a new crop of midsize companies emerge in a healthy rejuvenation of the industry.”

If new, midsize companies are expected to arrive on the scene this year, the implication is that customers must prepare now as well.

Assessing the impact of security vendor acquisition on your business

While the onus is on the newly-acquired company to provide future plans and timelines on its products and/or services deployed in your environments, CISOs can look to conduct their own reconnaissance to ensure business continuity.

1. If your vendor has not yet communicated future plans and timelines after an acquisition has been announced, reach out and explore the possibility of having a meaningful conversation about changes that may impact your business – for example, will your product or platform be enhanced? How can you reach an understanding about the future product roadmap? Additionally, the acquiring company will want to keep existing business, making it likely there will be official communications about the deal that include product roadmaps.
2. Review SLAs and contracts to understand the scope of service, because upon renewal, the new entity will likely want to institute new contracts, perhaps a new pricing structure, or another change that will impact SLAs.
3. Conduct an audit of the security vendor’s performance – does it adhere to the SLA, and is it a mission-critical tool?
4. Reflect on the goal of the acquisition; if the acquiring company purports to add value to existing customers by improving on existing products and broadening in other areas, the move may be a positive one. If, however, the deal was made as a cost-cutting measure, it will be prudent to review contracts and discuss future plans as soon as possible.
5. Related to this, review whether the new vendor’s solution will be an add-on to its existing product suite, or if it is likely to be a multi-solution platform.

When using any third-party tool in your environment – security-related or otherwise – there’s risk involved.

“If you’re a customer who has selected an early-stage vendor for your security environment, you know there’s a chance they won’t be there tomorrow,” said Kristyn Ulrich, VP of corporate development at Mimecast. “You use the tool or service because it meets your business needs, and you hope that if they go public or get acquired, the terms and conditions that impact your business will protect you for the length of the contract.”

At the same time, more established cybersecurity companies can be a target for disruption acquisition if they fail to evolve with the changing landscape.

According to Chris­tina Van Houten, chief strategy officer at Mimecast, most companies use M&A to buy growth and revenue. But there should be greater value placed on the relationship well before the transaction takes place, using regular strategy discussions, participation and presentation in each other’s offsites, conferences, and customer accounts.

“All these different ways of getting to know the people, the product and the company overall are important,” Van Houten said. “It’s not about getting through the transac­tion; it’s about giving customers value and becoming a better company.”

Looking ahead to 2020 and 2021, Ulrich believes the cybersecurity market will continue to grow rapidly due to the nature of new threats, which opens the door for more security startups and point tool vendors. She added, “As we see the types of valuations that these firms will get as deal making heats up this year, it entices new companies to enter the market. There is a point at which any mature market reaches the peak of its consolidation, and growth rates tend to taper off. I don’t think we’re there yet, and the threats are so vast that it is hard to see that happening anytime soon.”