Consolidation: Why there should be big acquisition announcements at RSA

Blackberry became a bigger player in cybersecurity with its recent acquisition of Cylance. In the past year, Palo Alto made several acquisitions, including the recently announced Demisto deal, to improve its security offerings and is expected to make more.

With the RSA Security Conference on the horizon, will there be more consolidation announcements? Will this be the last time we see some of the smaller security companies exhibit under their own banner? Which companies won’t be buying…but maybe should be?

It’s all speculation what companies will or should do, but there is a trend happening. Over the past couple of years, there’s been a movement for larger tech companies to absorb smaller security companies, which automatically make them major players in the cybersecurity space.

Survival mode

We all know cybersecurity is a crowded market. Take a walk across RSA’s event floor and it is impossible to not be overwhelmed with the sheer number of companies competing for attention. And that doesn’t include the newest and smallest startups who don’t make the vendor floor but are at the show, hoping to make connections. For a CSO or CISO looking to add a new endpoint or identity management solution, trying to find the needle in the haystack among all of those options is a daunting task. For smaller cybersecurity companies, surviving and rising above the noise is difficult, even with groundbreaking technology introduced into the market.

Large companies don’t have to worry about survival, but they do need to worry about staying current with an always evolving threat landscape. At the same time, government entities continue to introduce stricter regulations surrounding cybersecurity and data privacy. By onboarding an already established cybersecurity entity, larger companies better position themselves to address and prevent vulnerabilities, exploits, and cyberattacks.

The upside

For customers, market consolidation has its advantages, one of which is having to deal with fewer vendors. Instead of getting their endpoint security from one company and their firewall from another and DLP from a third company and trying to find the “best of breed” option for each security need, market consolidation means customers can get all of their needs from fewer but larger security providers. Customers get to build a closer relationship with their providers, ideally with one or two account managers who can provide a complete solution, and the in-house team doesn’t have to spread itself across a dozen different vendors and contracts. CSOs get a more complete portfolio of offerings from a smaller set of vendors.

For the buyers, it’s all about growth. In an industry where innovation lifecycles last only three to five years, old defenses are no longer relevant. Companies and their technologies need to constantly be evolving. Start-ups and smaller companies are built for innovation and agility, unlike large companies. For incumbent cybersecurity brands to stay ahead of the game and stay relevant, they have to bring in new ideas. That comes through acquiring innovative start-ups.

Acquisitions also allow the buyer to offer more options and provides them with the ability to be a preferred vendor. They may also keep customers who may have begun looking around to find the missing pieces to their security system. Acquisitions can also turn companies that you liked and trusted for one service, like Blackberry, into a company that provides a whole new service, as Blackberry can do with Cylance. You once trusted them for their secure phones; now they can provide another level of security for all of your endpoints.

The downside

For all the positive drivers, there are some negatives to this consolidation trend. Customers now have less leverage. They can no longer get smaller companies to compete for contracts and get the best possible outcome. And there will always be CSOs who prefer the hunt to find the best smaller company or point solution that can address specific needs.

Buyers get a bump in innovation whenever there is a new acquisition, but within a year or two, that new company gets absorbed into the larger business operation. The people who provided the initial innovation will likely leave for another start up opportunity. And after three to five years, the bump in innovation and revenue has passed, and it is time to look into the next innovation and acquisition.

Who’s next?

There are a lot of companies that we haven’t seen enter the buyers’ market just yet or haven’t been a major security buyer for a couple of years, such as Proofpoint, Microsoft and Symantec.  Even Google, Amazon and Apple should be making major security pick-ups. These players could be due to make a major acquisition that focuses on endpoint security or next-generation network products.

Blackberry’s acquisition of Cylance and Palo Alto’s acquisition of Demisto show the importance for other large tech companies to shore-up their security weaknesses. The question now is will these companies make a big announcement at RSA or will they wait until later in the spring or summer? And if they don’t make an acquisition announcement, are they at risk falling behind in their cybersecurity offerings?