Mergers and acquisitions among security vendors are on the rise. Are you asking the right questions?
The cybersecurity market is growing rapidly, expected to exceed $1 trillion by 2021. But while new companies are cropping up fast, they’re being acquired or going through mergers almost as quickly. Throughout 2017, moves by big players like McAfee, Intel and CA Technologies signaled an accelerating industry-wide shift toward consolidation.
“We think the security software industry is reaching a tipping point of maturity, where we will see a faster pace of consolidation than we’ve seen in the past,” says Keith Weiss, who leads Morgan Stanley’s U.S. software research team.
In recent years, the rise of cloud computing and mobile technology has exposed companies to new security risks and—in the scramble to meet these demands— security technology has become fragmented. Point solutions have popped up to fill specific emerging needs, but they’re often too siloed to provide the end-to-end visibility and interoperability needed in the age of massive data breaches.
But as new technologies become essential to broader security portfolios, large legacy vendors are swooping in to pick up critical point solutions. This consolidation often brings maturation to vendors’ portfolios, but it also brings users challenges and risks, such as gaps in protection and the potential for overlapping tools. When vendors announce a merger or acquisition, their enterprise customers shouldn’t be afraid to ask them tough questions about the road ahead.
Do I Need a Redundant Technology?
Often, vendors acquire technologies that fill gaps in their product lines, but customers usually don’t wait for vendors to act. Chances are they’ve already subscribed to providers that deliver the missing capabilities.
“Customers then have to ask themselves: Can I maintain flexibility and continue using my existing tool? Or should I adopt the technology that they’ve acquired? Sometimes it’s more efficient to use tools from a single vendor than attempt to stitch together a patchwork of solutions, especially if the solution is powerful,” says Nick McQuire, Vice President of Enterprise Research at CCS Insight.
Is Product Integration Worth the Wait?
Vendors often buy, rather than build, technology to bring it to market faster. But integrating a product into an existing portfolio takes time, leaving customers that aren’t invested in comparable solutions exposed to security threats.
“In this case, enterprises have to consider investing in a temporary solution while the acquired one is integrated. It depends on how critical the tool is, but they have to assess the risks involved with the wait,” says McQuire. “I’ve seen companies have anywhere between six and 12 months before the vision of the acquisition actually manifested itself in real technology—and they had to bring on other technology in the interim.”
The M&A is Complete—Now What?
Even completed integrations often leave customers with unanswered concerns about the future of their tools.
“Acquiring companies will typically communicate their plans for ongoing support of acquired products shortly after acquisition,” says Mordecai Rosen, General Manager, Security at CA Technologies. “However, future direction may not be completely aligned to the original company’s plan for the product and may change over time.”
As a result, customers should thoroughly familiarize themselves with their service agreements, and keep an eye out for changes, regularly asking vendors to share their visions for the future of specific offerings. Rosen says that a vendor’s continued investment in a product area is typically a good indication of that product’s importance, and vice versa.
“Customers want to know when their vendors plan to change their direction,” Rosen says. “They need transparency and communication and should ask this of their providers.”
As consolidation progresses, it’s likely that vendors with broad ranges of security offerings will continue to expand their portfolios through acquisitions and become increasingly appealing to customers seeking cohesive security.
That’s not to say that point solutions won’t play a role in the future of cybersecurity. But, moving forward, enterprise customers will be able to rely on their primary vendors to provide the protection they need, and only turn to point solutions when components are truly missing from their security stacks.