Sustained demand for cybersecurity services and continued innovation across the industry helped 2021 become a record-setting year for deals involving cyber companies, analysts say.
The funding that flowed into cyber companies increased 136% over 2020 levels, to $29.3 billion, up from $12.4 billion the previous year, according to a report published Wednesday by Momentum Cyber, which advises cyber companies on mergers and acquisitions.
Likewise, the total volume of mergers and acquisitions activity reached $77.5 billion, up 294% from calendar year 2020, according to the report.
Several trends are driving those numbers, analysts and executives say: Companies across the economy have expanded their budgets for reliable cybersecurity services, boosting revenues for the industry. In turn, big investors — including private equity groups and venture capitalists — are following that money. And as cyberthreats increase in severity and complexity, smaller firms continue to develop valuable expertise in niche areas of information security.
That innovation is key, according to Bob Ackerman, founder and managing director of AllegisCyber Capital. Not only are the larger “pure” cyber firms paying attention, but also the IT giants, which are always trying to bolster their reputations for security.
“I don’t care how good and how smart you are as a public company, it’s very difficult to make the investments to remain at the cutting edge of cyber innovation,” Ackerman told CyberScoop. “And if you’re not at the cutting edge, don’t bother, right? So what you have is a large group of established IT companies that want to be in cyber … and so they basically turn to the venture ecosystem where all the innovation takes place, and that’s their farm system.”
Major corporations like Accenture, Cisco, Deloitte, IBM, Mastercard, Microsoft and Schwarz Group all acquired cyber companies in 2021. (Microsoft’s potential interest in Mandiant, reported Tuesday by Bloomberg, would fit the trend, too.) Well-known cyber firms were active as well, including CrowdStrike, Forcepoint, Fortinet, Okta, Palo Alto Networks, Rapid7, Sophos and ZeroFox.
Independent cyber companies still took on later-stage venture capital, meanwhile, including cloud security vendors Lacework ($1.3 billion) and Snyk ($605 million); operational technology (OT) company Claroty ($400 million); secure access service edge (SASE) services provider Netskope ($300 million); and threat protection platform Cybereason ($355 million).
And millions of dollars are still flowing to small, unproven startups, of course. That end of the venture “ecosystem” can be a thicket of buzzwords and trend-chasing business plans, notes Kelly Shortridge, a senior principal product technologist at cloud platform Fastly and an adviser to companies, investors and startups. In the current environment, it doesn’t take much to get an investor’s attention, she says.
“Because [cybersecurity] practitioners struggle to measure security outcomes, it’s very easy for a startup to claim that a bunch of problems across infosec remain unsolved by existing vendors,” Shortridge says, especially given that there is daily news about compromised networks in business and government.
In particular, investors should beware of “artificial intelligence” claims by startups, she says.
“An in-joke right now is that you cannot raise funding as an infosec startup without inserting an AI or machine learning reference somewhere,” Shortridge says.
‘PE’ goes all-in
Private equity groups, meanwhile, have fully taken notice of the industry’s revenue growth, especially since the beginning of the COVID-19 pandemic and the related push to provide secure teleworking, the experts say. Symphony Technology Group (STG), which acquired FireEye and McAfee Enterprise last year, while spinning off FireEye’s Mandiant threat intelligence division as a public company, is only one example. Enterprise security company Proofpoint was acquired for more than $12 billion by Thoma Bravo, and email security firm Mimecast was snapped up for nearly $6 billion by Permira.
“What we’re seeing is that a lot of the investment firms, they see the value of being in cybersecurity,” said Tony Massimini, senior industry analyst for information and network security at consultancy Frost & Sullivan. “So they’re going out and they’re buying larger companies, bringing them under their umbrella. And sometimes they let them continue to work as always, but now privately held,” allowing them to refine what they offer to customers without the pressures of being publicly traded.
With that in mind, those privately held companies are making acquisitions, too, such as device security firm Forescout, which recently announced a deal to acquire medical-device security company CyberMDX. Forescout itself was acquired by private equity firm Advent International in 2020. That deal brought a certain amount of freedom, Forescout CEO Wael Mohamed told CyberScoop.
“For us, it was not a journey of taking the company public to private for financial engineering. It was, ‘This is a platform where we can be able to leap forward and do some interesting stuff,’” Mohamed said. “It was, basically, can we take it and give it all the oxygen it needs so that it can continue to innovate in a place that requires a lot of innovation?”
Sorting through the names
While investors and merger specialists are looking for money-making opportunities, customers have to sort out what the constant re-shuffling of cyber companies means for them. (The merging of FireEye and McAfee Enterprise has led to a new brand name, Trellix, for those combined services, for example.) And if a corporate CISO goes searching for a solution to help fight a specific kind of threat, it can be a new relationship on top of several existing services.
Ken Gonzalez, a managing director with investment and advisory firm NightDragon, said that acquisitions can actually help clarify things for CISOs, especially when a company with a useful niche product is folded into a larger platform.
“[CISOs] love the fact that they’re seeing all this investment … but the dissonance is that they’re saying, ‘I’ve already got 20 vendors and now I need another 10 more on top of that,’” Gonzalez said. “And on the other hand, they sort of welcome the consolidation — the move to ‘best of suite’ in the more mature portions of their operations.”
Regardless of where the economy heads in the next year, many of those small vendors will still be attractive for investment or acquisition, analysts say.
Ackerman of AllegisCyber Capital pointed to one area that appears to be ripe for consolidation.
“How many threat intelligence companies do we need? Do we need 110 threat intelligence companies? Probably not,” he said. “Five will probably get us there. But that’s what happens when the venture herd overcapitalizes.”
There are several areas where the experts see the need for more investment and innovation. Often near the top of the list is securing the hardware and software of industrial control systems (ICS) and operational technology (OT) — the devices and systems that govern everything from hospital equipment to water utilities to manufacturing plants.
Others include cloud security; the supply chains for software and goods in general; protecting open source software; securing connected devices, especially as 5G broadband takes hold; and avoiding what Ackerman calls “the weaponization of data,” or when an adversary either corrupts important data (like the kind used for training artificial intelligence) or casts doubt on its provenance.
One thing that remains true as the industry cycles through this boom in investment, says Ken Gonzalez of NightDragon, is that “there’s a sense of mission which is unique to this market, and it draws people in who want to protect our way of life, protect our companies, and our country.”
Part of that job is remembering that no single platform can solve every problem itself, says Wael Mohamed of Forescout.
“Here’s what I always tell my peers in the industry: The bad guys? They collaborate way better than us. … They’re incredible at sharing. They’re incredible at collaboration,” he says. “They are very innovative. And for us to get ahead … we need to figure out how to do the same.”