What Happens to a Cybersecurity Vendor When it is Acquired?
There have been more than a thousand acquisitions of cybersecurity vendors since I began covering the space 22 years ago. Security Yearbook 2022 lists 304 in 2021 (data provided by AGC Partners). There are several flavors of acquisitions.
A typical strategic acquisition is when a large vendor acquires a new technology to fill out its offerings. For over a decade the primary strategic investors were Symantec, McAfee, CA, and Cisco. All but Cisco have themselves fallen prey to buyouts by private equity.
When a vendor gets acquired by a strategic buyer, the most common result is for the brand to get absorbed. In Cisco’s case think about IronPort (2007), Sourcefire (2013), Lancope (2015), and OpenDNS (2015). Those were quickly absorbed into Cisco’s security business and the brands dissolved. After the brand disappears, we stop tracking a vendor in our platform. We publish the vendor data in the next edition of Security Yearbook with the note that it has been acquired.
Duo Security (2018) is the exception for Cisco. The brand is still alive and well. Look at the head count chart.
If a vendor maintains an active website and its employees do not switch their employer designation to the acquirer, that is our measure of the brand still being “alive.”
Sometimes the executives of the acquired company infiltrate the acquirer and change its makeup and direction. Cisco’s acquisition of IronPort was one such example. Even today, the upper management of Trend Micro came from its acquisition of Ottawa-based Third Brigade in 2009. But most often the executives at an acquired company stay long enough for their “earn outs” to complete and move on.
Tuck-in
Lately the tuck-in model has gained more prominence. Essentially, a holding company with deep financial resources acts like a private equity firm and acquires many vendors to create a portfolio of different solutions. Two good examples are OpenText and Help Systems.
OpenText, an Ontario-based company, was founded in 1991 to index the Oxford English Dictionary. It started an acquisition spree in 2001 and has acquired over 60 companies.
This head count graph of Zix, acquired by OpenText a year ago, is a good example of what happens when a holding company acquires a vendor to operate it.
Employment falls off as the vendor is tuned to ROI instead of growth.
Roll-up
A roll-up is when a large PE firm or other investor sees an opportunity to grow market share in a particular arena. The MSSP space is the best example of this. Managed service providers tend to be local or regional at best. Their assets are the people in their SOCs and their customer base. MSSPs tend to develop their own technology to make alert triage and threat hunting easier. By acquiring a bunch of these it is possible to reduce overall costs by sharing marketing, technology, and sales expenses. Arctic Wolf and Cyderes are two great examples.
Cyderes was formed after the Herjavec Group was acquired by PE firm Apax in a deal announced at the end of 2021. They then merged with Fishtech and created the Cyderes brand. Look for more tuck-ins as they compete with Arctic Wolf for the title of largest MSSP.
Arctic Wolf has had steady growth in head count both organically and through M&A.
Private equity firms like Thoma Bravo and Insight Partners have varying strategies. They may acquire a vendor and then finance additional tuck-ins. Or they may take a public company private in the hopes of beefing up revenue and growth and flipping it, either back to the public markets or to another PE firm or strategic buyer, like Apax taking Sophos private then selling it on to Thoma Bravo.
Predicting results of an acquisition
Let’s look at one of the largest acquisitions of 2022, Mandiant by Google. (We can look at the $61 billion VMware deal after Broadcom goes through the regulatory hurdles it faces.)
Mandiant was originally acquired by FireEye in 2014 for $1 billion. As Kevin Mandia took over the reins he spun off most of FireEye’s products into a confusing cloud of investment vehicles from which was reborn McAfee as Trellix. In the meantime the name and ticker for the company were changed to Mandiant and Google made an offer for the public company of $5.4 billion in March 2022. Watch the head count.
Typically I expect to see employment drop as soon as a deal is in the works. People without options start looking around, people who have earned out run for the exits, and people who don’t want to work at the acquirer leave too. Not so in Mandiant’s case! My LinkedIn was full of people joining after the announcement. Almost 200 people joined after the announcement.
Now the big question: whither Mandiant? Google has tucked them into “Google Cloud.” The dramatic drop in head count in November does not look like people jumping ship; they are just updating their affiliation to Google. Having Google on your resume is valuable.
Why did Google pay $5.4 billion for Mandiant, which is primarily a services business? I think it was for the association with the unparalleled Mandiant brand. They just acquired one of the best incident response/investigation teams in the world for $2.3 million per employee. They should be able to use the enhanced security branding to convince at least big players that they are a leading cybersecurity company that can compete with Microsoft and AWS in the hopes of expanding GCP’s market share from third place.
Despite the current enthusiasm expressed by Google Cloud people, I do not think Mandiant will stick around as a major brand. All eyes are on Kevin Mandia. If he takes on an expanded role at Google, there is hope. If he departs after his presumed earn-out, then Mandiant may join all the other great brands that have been absorbed by giant companies.