The year of “better” cybersecurity

Chris Lewis

Cybersecurity trends

2018 was an interesting year for the cybersecurity sector with valuations at their highest since 2016, as a wave of inorganic growth surged. The sector shares many traits with other B2B software markets – it’s growing well, innovating rapidly, and is experiencing strong valuations and record M&A activity.

The fundamental difference with other subsectors though, is that there is an additional external adversary to deal with; not just a competitor but a malicious actor, trying to subvert or break the security infrastructure to steal data, move money, deny service or otherwise cause mayhem. Consequently, the industry sells on a heady mix of fear (well-grounded) and hope (some better grounded than others).

As we forge ahead, into the fourth industrial revolution and the profound opportunities that come with it, cybersecurity has quickly become one of the most important issues on business leaders’ minds. This sentiment was palpable at the RSA conference this year where the theme was simply to be “better” – better solutions, sharper algorithms, more sophisticated machine learning but also generally just being better at making cybersecurity a top priority across industries. There was clear recognition that (i) the industry needs to up its game against increasingly strong, well organised, and well-funded criminal gangs and nation state actors, and (ii) that organisations, large and small, need to improve their overall security stance.

Further high-profile breaches in 2018 including T-Mobile, Quora, Google, and Orbitz, have driven demand for innovative technologies that prevent or mitigate against highly complex business-critical cyber risk. The increase has also been driving M&A activity, and 2019 started out strong with 47 deals completed in Q1, closely aligning with our global security share price index growing 22% over the quarter. We expect the market to continue to reward cybersecurity firms, especially those able to mitigate the biggest organisational risks such as Identity and Access Management, with vendors CyberArk, SailPoint and Okta trading at a median valuation of 9.9x revenue. Another leading player in the space, Ping Identity, will be taking notice as it plans its own IPO later this year.

How many significant cyber breaches will there be in 2019? And how will the M&A landscape look as a result? This remains to be seen but there are some key trends to note:

Threat intelligence: cybersecurity professionals are calling out for “better” threat intelligence platforms that give them rich and granular data to interrogate, reducing uncertainty for their businesses. Venture capitalists globally, are backing and will continue to back the need for greater threat intelligence as they invest heavily into start-ups innovating in the space. In order to prioritise scarce resource to detect and remedy issues, threat intelligence is being used to identify and focus on the biggest potential business-risks.

Artificial intelligence: a marketing buzzword two years ago, is now commonly being deployed into specific value-add use cases. However, all the vendors are short of talent and use-case specific capability however, and many are seeking to add these through acquisition. Of particular note is the use of AI and machine learning techniques to better triage the firehose of alert data coming out of threat intelligence and Security Information and Events Management (SIEM) systems, to enable Security Operations Centre (SOC) analysts to be a lot more focused on high-threat items.

Managing identity and privilege remains key: identity theft is a key threat vector and none is more dangerous than those in privileged positions (system administrators, payments processing teams etc.) 2018’s roll-up of BeyondTrust, Bomgar, Avecto and Lieberman into a scaled, broad-line player (in which CG Results International advised Avecto) to challenge CyberArk for leadership in this space is meaningful and we expect further consolidation ahead in this area.

Zero Trust: cloud security solutions which eliminate the idea that internal players are trustworthy, are at the top of enterprise C-suite boardroom conversations. 90% of organisations feel vulnerable to inside attacks due to excess access privilege, an increasing number of devices with access to sensitive data and the increasing complexity of IT, (according to the CA Technologies Insider Threat Report 2018). The largest vendors have begun addressing the issue; Symantec, for example, acquired Luminate earlier this year.

Back to the future – rebuilding onpremise capability: a number of vendors talk to us about building or re-building capability to deploy products on-premise or in a single-tenant private cloud in response to some larger customers – especially in financial services and government – expressing growing concern about the security of public cloud security infrastructure and containerisation.

Cybersecurity managed services: managed services are growing in importance within the space and not just for mid-market customers. Many product focused vendors are talking about adding managed services to their endpoint detection and response (EDR) platforms, and Symantec notably announced its new managed endpoint detection and response offering at the RSA Conference this year. F-Secure was an early mover with this strategy and the intent to build a world-class services and managed services organisation played a key part in its acquisition of MWR last year (a transaction in which CG Results International advised MWR). The growing shortage of skilled cybersecurity professionals will continue to drive this trend in our view.

Skills shortage: the cybersecurity skills shortage is nothing new, however according to a survey by ESG at the end of last year, the problem is getting progressively worse. In its Global Survey of IT Professionals 2018-2019, cybersecurity skills topped the list – 53% of survey respondents reported a problematic shortage of cybersecurity skills at their organisation compared to 51% the year before and 45% the year before that. As this trend continues, organisations will look to acquire businesses to fill the gap. A report delivered by Capgemini last year in 2018, Cybersecurity Talent: The Big Gap in Cyber Protection, found that the UK is home to 13% of the world’s cybersecurity talent, putting it in third place behind India and the US, and making it a key acquisition hub for buyers.

Consolidation: With the average large corporate deploying security products from over 70 different vendors there is tangible need for the industry and a real push from customers for more joined-up solutions from fewer vendors. This trend, coupled with the ever-changing threat landscape, will see larger security vendors acquiring for talent, innovation, and to enter new solution categories.

As the cyber risks of a connected world keep expanding and getting more threatening, the future of cybersecurity M&A is bright.

For more information on deal activity and valuation metrics, download the CyberScope from our website – our regular market update for the global cybersecurity space. If you’re looking for advice on future growth plans or the next phase of your company’s development, please do get in touch.

Download The Bulletin: Issue 71 here