Email Security

    Op-ed: Symantec and Carbon Black - A Tale of Two Cybersecurity Acquisitions

    From a CISO’s perspective: Why the Carbon Black acquisition is potentially good news and the Symantec one is not.

    by Matthew Gardiner
    gettyimages-867431800.jpg

    The following is an op-ed from Matthew Gardiner, Director, Enterprise Security Campaigns

    The recently announced acquisitions of Symantec by Broadcom and Carbon Black by VMware offers a great opportunity to compare and contrast the motivation behind these acquisitions and to explore how they might impact their existing customers. My takeaway is that the Symantec acquisition is generally bad news for customers, while the Carbon Black deal holds promise.

    CISOs and other cybersecurity leaders have a lot on their plates: managing security budgets, technology evolution, the security of cloud applications, staffing, upper management and the Board, compliance, and of course defending against the attacks by cybercriminals both petty and sophisticated.  But increasingly CISOs must also contend with managing the impact of cybersecurity vendor mergers and acquisitions (M&A) - which analyst firm 451 reports has already broken annual records just eight months into 2019.

    Symantec vs. Carbon Black Acquisition

    Beyond being 100% cybersecurity focused vendors, Symantec and Carbon Black are certainly positioned differently from a products perspective. For the purposes of this article I will gloss over the product and market focus differences and consider them both as well-established security vendors that are very critical providers respectively to their customers. Even at this early stage, how should CISOs be thinking of the impending acquisitions?

    I think it is best to attempt to predict the future impact of these acquisitions by starting with the stated strategies of the buyers – VMware and Broadcom. For VMware it is quite clear that this is primarily a strategic product acquisition to help accelerate the build-out of their – build, run, manage, connect, protect – cloud platform strategy.  As the world moves to cloud deployed applications it makes total sense that Carbon Black’s Predictive Security Cloud ™ platform and suite of applications - including endpoint detection and response (EDR) - allows VMware to clearly position this acquisition as a way of helping to address the fragmentation and lack of integration with security technologies. Of course, VMware wants to make a financial return on this investment, but they are doing so from a customer driven strategy perspective first.

    In contrast, the acquisition of the Symantec Enterprise business is clearly driven by financial considerations first and last, not how it fits into their security strategy or better addresses the security needs of customers. Broadcom couldn’t be much clearer, that their focus with Symantec is on cutting costs across the board, focusing on their most profitable products (DLP, endpoint, SWG) and not their lesser products (email security, network security, cryptology etc.), and prioritizing their most profitable customers in the Global 2000.

    CISOs will have to consider numerous questions with regards to this acquisition to ensure they’re protected in the way they signed-up for, including:

    • How does cost cutting help my organization become more secure?
    • How will this help drive technical innovation at a pace to keep up with the cybercriminals?
    • How will this address the evolution of IT and security to the cloud?
    • What if my organization isn’t in the Global 2000?

    Security leaders in general, and CISOs in particular are tasked with leading the security charge within their employers. To do this effectively it is key that they work with a set of security vendors and service providers with whom they can truly partner and depend on. Not all M&A scenarios are the same. It is incumbent on security leaders to evaluate each on its own merits and to frame their analysis by “what’s in it for my organization.” In some M&A situations the possible future, while not guaranteed, is bright, whereas with others, the customer well-being is forgotten.  

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top