Consolidation is coming for the cybersecurity industry

Amid a flurry of mergers and acquisitions, analysts predict far fewer companies will exist in a few years.
cybersecurity consolidation
Companies are looking to shore up their security by just turning to their checkbook. (Getty)

It’s starting to happen.

Amid a flurry of mergers and acquisitions, the cybersecurity industry is embarking on a path of consolidation that analysts predict will result in the existence of far fewer companies within just a few years.

Thousands of cybersecurity vendors are in the marketplace, offering services ranging from anti-phishing and malicious-software analysis to threat detection that relies on artificial intelligence technology. The number of companies will reduce by half within five to seven years, as many existing firms are acquired by larger players, and others simply go out of business, said Bill Crowell, a partner at the venture capital firm Alsop Louie Partners.

“Cyberdefense is about having an integrated set of tools that work together to prevent attacks,” said Crowell, a former deputy director of the U.S. National Security Agency. “But the industry now has a thousand points of light and no illumination. It’s as if in the automotive industry, a spark plug company advertised itself as making the best transportation service in the world.”


Over the last week, a number of deals have either been announced or rumored to be in the works. BlackBerry is in talks to purchase the A.I.-focused Cylance in a transaction that could be announced as soon as this week, Business Insider reported. Such a deal would come after the private equity firm Thoma Bravo bought the application security company Veracode for $950 million in cash, and more than a month after Cisco completed its acquisition of Duo.

Those deals are evidence that more established companies will invest in smaller, innovative startups to develop new products, said Jeff Pollard, an analyst with market research firm Forrester.

“Individual entities will eventually be subsumed into a larger company that bottles 10 or 15 solutions into a suite,” he said. “There are a lot of companies out there [now] that might just offer a feature when they think they have a whole product.”

Security vendor FireEye is an example of a company that was more one-dimensional, Pollard said. To diversify its portfolio FireEye acquired Mandiant, then the threat intelligence service iSIGHT Partners and a number of other services. FireEye has since seen its stock soar and, in a sign of how much the M&A market has accelerated, now is rumored to be the target of a possible Facebook acquisition.

Large investments like Cisco’s $2.35 billion deal for Duo also provide evidence that cybersecurity company value is exceeding the IT industry and growing to join the larger technology sector. Private equity deals likely will push that trend forward as security technologists join forces with investors who can offer guidance on how to help companies grow.


“The biggest enterprise cybersecurity companies are worth roughly $2 billion,” said Jon Oltisk principal analyst at Enterprise Strategy Group, a market research firm. “There’s no reason they shouldn’t be a $5 billion company.”

But many of the executives leading cybersecurity companies now started as experts in cryptography, malware analysis or another field of expertise that did not prepare them for the responsibilities of growing a multi-billion dollar business, said Pollard. That’s where the right investor comes in.

“Private equity folks can step in and offer management expertise and offer guardrails for companies to help them build the business much in the same way social media companies did ten years ago,” he said.

“It’s going to be interesting to see where some of these companies are in three or four years,” he said.

Latest Podcasts