Frankly Speaking - How private equity foreshadows cybersecurity market consolidation
Private equity revealed the inefficiencies
I’m still hiring at Headway. If you’re interested, please apply on our jobs page and mention that you’re interested because you heard about the job in my newsletter!

Cybersecurity market and vendor growth
Without a doubt, the number of cybersecurity products has ballooned over the past decade. This growth is a response to market expansion and increased demand as well as increased organizational investment in security. However, it’s also resulted in cybersecurity vendor bloat at companies.
Cybersecurity organizations are historically buyers rather than builders, i.e. they tend to buy products rather than build their own. A major reason for this is that most organizations' security needs are similar because they are trying to prevent similar risks, i.e. they all have essentially the same enemy, attackers, which makes it easy to productize many necessary tools. However, new technologies have emerged and changed the threat landscape as well as the cybersecurity needs of organizations, leading to a proliferation of tools.
Vendor bloat
The problem is that many cybersecurity tools have narrow use cases. This is great for a startup that needs somewhere to start and focus on without having to boil the ocean. However, this is problematic as many of these tools and companies never expand their use cases. As a result, companies end up with many dedicated point solutions.
What further compounds the issue is that many of these products are reactive, and cybersecurity leaders buy them in response to breaches without trying to understand the fundamental problems. For example, each year at RSA there are products marketed toward specific types of attacks. One year it was ransomware, and almost every product and new startup was focused on that. Unfortunately, these types of products have short shelf lives as security teams and organizations figure out a solution to the underlying problems. In the case of ransomware, the fix was primarily having tested BC/DR backups and detecting malware on endpoints using EDR. In other words, ransomware exploited weak backup and malware detection practices in organizations. Unfortunately, before that "hype" fizzled out, many companies had bought "ransomware solutions."
On a side note, the reason most of this happens is that most security leaders are risk-focused rather than solution-focused. This results in reactive buying of products, which quickly become irrelevant and put on the shelf. I’ve discussed this in the past, specifically the need for an engineering-focused security team/leader and why I believe there will be an increased demand for the technical security leader. But, I digress.
Beyond buying products that become shelfware, many companies are customers of existing security vendors that try to expand their platform and grow their market. Many times this makes sense, because these security vendors don't want to be single-product companies, which is risky and limits their market penetration. However, the timing rarely works in the customers' favor. Specifically, there has been a trend toward multi-year contracts that lock customers in with the promise of steep discounts and additional product features. In reality, customers are left with multiple products that have overlapping features and a contract nightmare. Teams end up spending a good amount of time managing products and trying out new but immature features.
This comes to the heart of the problem. Many companies have tons of inefficiency and redundancy in their security tool portfolio, and security companies are only making this worse.
The sales and marketing inefficiency
Buyers want the best-of-breed product or platform. However, most security vendors only have the resources to focus on a couple of products. The innovation cycles in security are short because tools become irrelevant as technology stacks and strategies at companies evolve. Yet every vendor, even one with a single product, has to spend money on sales and marketing to produce revenue. This is a self-fulfilling inefficiency: as the market becomes noisier, vendors need to increase sales and marketing spending to cut through the noise, and as that spending increases, the market becomes noisier still.
Another source of inefficiency spans security vendors. Each security vendor has to hire its own sales and marketing organization. This is traditionally fine, but in security, many products have the same buyer or persona even if each product solves a different problem. In other words, many companies tend to buy the same suite of products, and/or they already know what they want to buy. For example, if you buy Palo Alto Networks, you are likely to buy Qualys. If you buy Proofpoint, you are likely to buy Veracode.
In the current world, the buyer has to talk to every one of those vendors to assemble that suite of products, and each vendor has to pay for its own sales and marketing organization. You can see where I'm going with this.
The private equity play
Private equity tends to buy companies using leveraged buyouts (LBOs). You should think of an LBO as buying a home with a mortgage, renting it out, and using the rent to pay back the mortgage. If you can improve the house along the way, you can get a higher price when you sell it. Specifically, private equity firms like to target positive cash-flow businesses and use the cash to pay off the leverage. They also like to find businesses with operational inefficiencies and fix them, which both increases the value of the company and increases cash flow.
Recently, many private equity firms have been buying strong cash-flow security companies with low growth, e.g. Proofpoint and McAfee. Thoma Bravo and Vista (with many others following suit) have amassed a large number of cybersecurity companies. From what I described above, the inefficiency is apparent: sales and marketing. That is also an area where private equity firms have experience improving efficiency. In many ways, buying up and consolidating security companies is a private equity firm's dream!
The reason they need to create a portfolio of companies is that the private equity firm acts as the conglomerate or "platform," similar to Microsoft and its suite of products. It can share context as well as sales and marketing resources between portfolio companies. Also, many of the portfolio companies have overlapping customers. This has proven successful, and many joke that private equity firms, such as Thoma Bravo, are the largest security companies!
Takeaway and looking forward
There's a large amount of inefficiency in the cybersecurity market, and it's bad for everyone. It's especially bad for security organizations, which spend substantial resources navigating these inefficiencies in order to run a successful security program. There's been a lot of talk about consolidation in the industry to focus on platform products and provide better value to the customer. Private equity firms are showing that one way to do this is through acquisitions rather than organically through product building. This strategy appears to be working, and it suggests that consolidation is beneficial. So, this is likely the beginning of a wave of consolidation as growth at many security companies plateaus.
Unfortunately, this might be bad news for cybersecurity sales and marketing, as those functions are likely to shrink. But as a security leader, I'm a fan: it allows me to spend less time navigating and managing vendors and more time solving problems!