This week starts the RSA Security Conference[1] in San Francisco, probably the world’s biggest collection of security technology vendors and their associated investors and bankers.
It was exactly one year ago I was walking the aisles of RSA with the CEO of a very large European security software company, and we were marveling at how many VC-backed start-up companies were there. So many company names we’d never even heard of, yet they all had impressive (and expensive) booths.
We commented out loud: In a sector with hundreds of already-established security vendors with mature customer rosters, respectable R&D budgets and global sales teams, how much room could there possibly be for yet another security startup to enter the market? Why are VCs and PEs so eager to fund the next cybersecurity startup?
You might already know the answer: Because Companies Get Acquired!
Turns out that 2019 was a banner year for cybersecurity M&A exits and a strong year for IPOs. Focusing on just the M&A deals, there were more than 180 cybersecurity acquisitions totaling greater than $27 Billion. Those exits made their founders and VC investors quite wealthy.
So how does your cybersecurity company rise above the noise of 000’s of other competitors and position itself to get acquired?
TL;DR
- Nearly a decade of VC investments has created a glut of security startups, many of which are more “features” than fully baked companies, and that is now driving industry consolidation via M&A.
- Incumbent enterprise security companies are feeling Wall Street pressure to fortify their positions in this fragmented market and to grow revenue. They are looking to acquire startups that offer orchestration and automation technologies to help them build out true security platforms (vs. baskets of technologies). They are also looking to acquire startups focused on securing emerging areas like cloud services, IoT, Kubernetes/containers, etc. These are areas that your security startup can focus on to distinguish itself.
- The incumbent security players also use M&A to acquire predictable and recurring revenue streams, which in turn creates investor confidence and stable stock prices for them. If your company can build a high-margin SaaS model and prove strong revenue growth, these buyers are motivated to pay high multiples.
- Cybersecurity is now a problem that nearly every company and every sector of the economy has to deal with, so we are seeing M&A deals from adjacent sectors like Telco, Aerospace, Energy, and others now acquiring cybersecurity technologies to manage their operations. Startups can look for M&A exit opportunities among non-software companies that need to build (or buy) in-house security expertise.
- Private Equity (PE) firms are enjoying the glut and looking to roll up companies for an eventual flip. Thoma Bravo alone owns 10 brand-name security firms including Barracuda and Imperva, and is closing a $3.8 billion deal with Sophos next week. Your startup can find potential buyers by looking at PE firms’ portfolio holdings and deciding if you can provide a missing piece in a roll-up technology stack.
That’s the very, very high-level summary. Below we take a closer look at the rationale behind a few of the year’s bigger M&A deals.
What’s Going On?
Short answer: What’s going on in the cybersecurity sector is there are too many companies chasing too few paying customers. For a long time there has been a glut of VC dollars flowing into funding new cyber security startups, and that imbalance is driving current M&A activity.
To illustrate, look at Momentum Cyber’s (in)famous CyberSCAPE.[2] Can you even see your logo in here? Didn’t think so.
VMware’s CEO, Pat Gelsinger, said it best in a press release[3] justifying their $2.1 Billion acquisition of Carbon Black: “The security industry is broken and ineffective with too many fragmented solutions and no cohesive platform architecture.”
Such an environment affords opportunities for successful security startups to get acquired by incumbent companies that are feeling pressure from Wall Street to spur some movement in their stock price, or by private equity companies that can afford to roll up several technologies now and make a larger play in the future.
Positioning Yourself for an Acquisition
I believe that companies should be thinking about their eventual exit strategy from Day One. The usual advice is “build a great company and the exit will take care of itself,” and while that’s true to an extent there are things that you can be doing to raise your profile and improve the odds of a high-valuation exit:
- Solve a big problem. Aggressive VC investments have created an over-supply of security startups, many of which are more “features” than fully baked companies. M&A buyers want fully baked solutions. Buyers are also looking to acquire startups focused on securing emerging areas like cloud services, IoT, Kubernetes/containers, etc. These are all ways that your security company can distinguish itself for M&A and rise above the noise.
- Focus on recurring revenues. The key to a lot of successful M&A deals in the security sector recently is that the target company brings predictable subscription revenues to the table. That is important because many of the older/larger security firms still sell applications and large enterprise deals that make revenue unpredictable and spikey; acquiring a healthy book of subscription business is a quick way for them to create operating leverage and improve revenue predictability that shareholders crave. Buyers are looking for acquisition candidates with $5M-$10M ARR or more.
- Establish partnerships. Look at the adjacencies and see where you fit in the larger security ecosystem, then partner with companies on either side of you. You will get traction faster and you will be making yourself known to the most likely buyers down the road.
- Solve for emerging security needs. Know what the incumbant players need in their arsenal and solve a problem for them, like bringing security to an emerging cloud environment (e.g. to Kubernetes or containers). Many of the most successful M&A transactions brought adjacent technologies or cloud-based solutions that complemented buyers’ existing products.
- Bring automation technologies to the table to help incumbants coalesce their fragmented ‘best of breed’ environments into one platform. If your company is just a point solution, you might consider acquiring or partnering with other point solutions so that you can solve a larger piece of the puzzle and achieve better visibility among potential buyers.
Cybersecurity is now a problem that nearly every company and every sector of the economy has to deal with, so we are also seeing M&A deals from adjacent sectors like Telco, Aerospace, Energy, and others now acquiring cybersecurity technologies to manage their operations. Startups can look for M&A exit opportunities among non-software companies that need to build (or buy) in-house security expertise.
Acquisition Rationale from the Buyer’s Perspective
Because there were so many deals in 2019 it’s meaningless to try to review them all. Instead, I’ll pick out some star examples of the different types of investment activity going on.
My own personal way of categorizing M&A activity is by an acquirer’s motivation for a deal, because this way it’s easier for entrepreneurs to see what their angle might be to get attention. From this perspective, let’s look at a few deals that illustrate three different motivations driving acquisitions:
1. Industry Consolidation: (Be Eaten by a Bigger Fish)
As the VMware CEO quote underscored, there are too many solutions chasing too few paying customers. So, the established security vendors are motivated to fortify their positions by buying up adjacent technologies in an attempt to build complete platforms and become a one-stop solution for their customers. In 2019, most of the major security vendors made at least one acquisition. Let that sink in for a minute. I can’t think of another tech sector where M&A is so widely prevalent:
– Trend Micro acquired Cloud Conformity
– McAfee acquired NanoSec and Uplevel Security
– FireEye acquired Verodin
– Proofpoint acquired both ObserveIT and Meta Networks
– Check Point acquired Cymplify, Protego Labs, and ForceNock
– Fortinet acquired enSilo and Cybersponse
– Sophos acquired Avid Secure and DarkBytes and Rook Security
– Carbonite acquired Webroot, and was in turn acquired by OpenText
– Palo Alto Networks acquired… a LOT (see below)!
… and the list goes on…
A key to a lot of these deals is that the target company brought subscription revenues to the table. Many of the older/larger security firms still sell applications and large enterprise deals that make revenue unpredictable and spikey; acquiring a healthy book of subscription business is a quick way to create operating leverage and improve revenue predictability that shareholders crave. These transactions also brought adjacent technologies or cloud-based solutions that complement existing products.
Specific to Palo Alto Networks, not only did they acquire a lot of companies they also paid premium valuations to get some of them. On top of three acquisitions they made in 2018, totaling $563 million, they did another five deals in 2019[4] totaling $1.24 Billion:
– Demisto ($560 million)
– Twistlock ($410 million)
– Aporeto ($150 million)
– Zingbox ($75 million)
– PureSec ($47 million)
What is Palo Alto’s motivation? Notwithstanding the ~$3 billion in cash and short-term investments burning a hole in their pocket, Palo Alto wants to see a greater mix of their revenues coming from subscriptions (for reasons outlined above) and also sees the industry-wide shortage of experienced cybersecurity talent as reason to buy up automation and cloud technologies. Twistlock, PureSec and Aporeto focused on security for new cloud development technologies like containers. Zingbox provides security for IoT devices, another emerging area. And Demisto addresses the automation and collaboration themes discussed above. While PANW’s stock price took a hit during mid-2019 as the company announced its flurry of acquisitions, the stock recovered nicely in Q4 and currently more than two dozen analysts have ‘buy’ ratings.[5]
2. Non-Software Buyers: (Bring Value to an Adjacent Ecosystem)
If you missed the chance to be acquired by a larger security vendor in 2019, there’s still the opportunity to become a strategic acquisition by a company from a non-software sector that is motivated to buy some security domain expertise. Below, I outline two deals that I think illustrate the motivations of these strategic buyers:
Broadcom’s acquisition of Symantec Enterprise Security: We might have expected to see Symantec being on the buying end of the deal, but in this case it was enterprise hardware maker Broadcom that spent $10.7 Billion to acquire Symantec — after spending $18.9 Billion the year prior to acquire CA Technologies. How are these deals strategic? On one hand, we see a company augmenting its core hardware business with Symantec’s ~$2 billion of steady, recurring revenue from security software and services; on the other hand, according to one analyst, Broadcom is acting more as a financial investor in Symantec and CA, looking to improve returns on under-performing assets by consolidating operations, lowering costs, improving sales, etc.
Orange’s acquisitions of SecureLink and SecureData: European telco Orange acquired both SecureLink for € 515 Euro (~$577 million USD at the time of the deal), and SecureData for £120 million[6] Pounds (~$156 million USD).
In both Orange deals, the official reason given was to expand into the growing enterprise security market. What is tacitly understood is that growth in their core telco market is flat, having exhausted ARPU (Average Revenue Per User) growth from voice, text and data, and having run out of companies to sell new accounts into. Telcos also need to secure their own massive networks from hacks and data breaches, and so in acquiring security expertise they can both manage their in-house technology and create a value-added security services business for their large enterprise clients. Most importantly, these two acquisitions moved Orange toward a Managed Security Services revenue model (i.e. recurring revenue) which brings revenue predictability and, hence, shareholder confidence.
3. Private Equity Bets: (Be a Cog in the Wheel)
I’m no fan of private equity’s reputation for cutthroat tactics, but these investors can serve an important role in revitalizing more mature companies and creating an acquisition market for young technology companies. Just be aware that PE firms are motivated by bargain valuations and the opportunity for aggressive cost cutting post-deal.
In the security sector, the powerhouse PE firm is Thoma Bravo, a Chicago-based firm with $30 billion under management.[7] Thoma Bravo currently has investments in 10 cybersecurity technology companies including major names like McAfee, Barracuda and LogRhythm. During 2019, Thoma Bravo continued its security shopping spree by announcing its acquisition of Sophos for $3.8 billion[8], buying out Imperva for $2.1 billion, and acquiring Veracode Software for $950 million. Surely, more cybersecurity acquisitions and investments are in the cards for 2020.
It will be interesting to see how the PE firms re-combine these assets and flip them to another buyer or offer them back to the public capital markets via IPO. With so many major security vendors locked up in their collective portfolios, the PE firms could literally re-shape the entire enterprise security market over the coming years.
Conclusion:
The cybersecurity sector is one of the hottest for M&A. If your security company is looking to position itself for acquisition, one way is to bring predictable subscription revenue and/or automation technologies to one of the larger incumbent security vendors that is looking to satisfy its own investor demands. Another way is to solve for security in emerging areas like cloud and containers; another is to focus on automation technologies to help buyers build out security platforms; another is to seek partnerships with adjacent technologies so that you can scale faster and look bigger; another is to position yourself for buyers in non-software sectors where companies need to bring security technologies in-house.
It’s a great time to be a cybersecurity software or services company looking for an M&A exit. Here at XROCKET we use our proprietary ‘valuation levers’ audit to position companies for maximum M&A valuation and help you find the right M&A banker for your unique deal.
I will be roaming the aisles of RSA again this year; connect with me at m.addison@xrocket.io if you’ll be there also and would like to meet. -Mark
____________
[1] https://www.rsaconference.com/usa
[2] https://momentumcyber.com/docs/CYBERscape.pdf
[5] https://money.cnn.com/quote/forecast/forecast.html?symb=PANW
[6] https://megabuyte.com/free-to-air/5c546284e4b0114f1b34df2f/august-squeezes-orange-120m-securedata
[7] https://www.thomabravo.com/
[8] The deal has been accepted and trading of Sophos stock will cease on February 27th, 2020: https://www.morningstar.co.uk/uk/news/AN_1581586391988777200/sophos-shares-to-be-cancelled-in-february-as-us-takeover-nears.aspx