Thanks to the economy, cybersecurity consolidation is coming. CISOs are more than ready.

The complexities created by security “tool sprawl” are a major headache for a lot of businesses. But with many vendors and buyers expecting a broader economic slowdown, a wave of security industry acquisitions looks to be on the way.

Photo: RSA Conference 2022 show floor. A wave of acquisitions in the security industry may be on the way. (Kyle Alspach/Protocol)

Thanks to the tumultuous first six months of 2022, the forces driving cybersecurity “tool sprawl” might be slowing down, which could be a case of a good outcome arising from a bad situation.

The cybersecurity industry is poised for a surge in acquisition activity in the coming months, spurred by the likelihood of a slowing economic environment. Certain venture-backed security startups will no doubt have some tough decisions ahead. But industry experts say that such consolidation is welcome news for many customers, who've been grappling with an overload in options for security tools and a related phenomenon known as "tool sprawl."

"The market is crying out for it," said Ryan LaSalle, a senior managing director and head of the North America practice for consulting giant Accenture Security. "Many of our clients talk about how many tools are in their portfolio — our back-of-the-envelope math is around 60 to 80 in a security architecture. Some companies are as high as 140, which is an untenable amount of sprawl."

The reasons why the cybersecurity industry got to this point are numerous, as are the factors behind the reversal that is likely to come soon. But the bottom line for many businesses is that consolidation in the cybersecurity market should have a positive effect on their ability to protect against cyber attacks, industry experts told Protocol.

Combating complexity

The complexity of configuring and using so many security tools is a huge problem for businesses, especially at a time when almost no one has enough skilled people to go around, said Frank Dickson, group vice president for security and trust at IDC.

In many cases, customers have adopted new security tools in an effort to support rapid digital transformation and the move to the cloud, according to Dickson. However, while such moves have created new complexities for businesses, he said the act of adding more security tools will often "exacerbate the complexity problem" even further. Every new tool must be learned, configured, maintained and used properly by security teams that are increasingly stretched too thin.

Security tools also usually work together more effectively when they’re owned by a single vendor, as opposed to needing to be stitched together by a customer or service provider, Dickson said. “It's probably a shortcoming in human nature: We tend to support and offer true integrated offerings best if we've got a profit motive,” he said.

Many of the chief information security officers LaSalle speaks with “know that their tools aren't working well together,” and those tools are largely not getting them closer to achieving the biggest goals of their security strategies. For instance, “If you're trying to go to zero-trust architecture, stitching it together yourself is really, really hard,” he said.

Meanwhile, CISOs and other buyers are frankly overwhelmed by all the options out there right now, LaSalle said. With so many choices in the security market, he said "it's really hard to wade through all the marketing hype to find the things that really work."

For all these reasons and more, Dickson said consolidation in security is not just a good thing for businesses at this point; it's actually "necessary." The various dynamics at work for security teams in 2022 "almost mandate that we ask our security vendors to offer more comprehensive, integrated solutions, instead of offering best-of-breed point products," he said.

The great expansion

For years, the cybersecurity industry has seemingly defied the forces of consolidation: For every security vendor that got acquired, several new ones would spring up, said Kevin Lynch, CEO at Optiv, a major managed security services firm.

This was never more true than in 2021, when venture capital and private equity investors funneled nearly $30 billion into cybersecurity startups, more than double the amount invested the year before, according to advisory firm Momentum Cyber. Meanwhile, the number of security acquisitions last year remained similar to previous years, Lynch said.

The combination of these factors helped create widespread proliferation of available security tools; at the RSA Conference in San Francisco last week, more than 400 security vendors took part as exhibitors — which represented just a fraction of the industry.

Tool sprawl also exists in part because, for a long time, the role of the CISO revolved around buying new security tools, Lynch said. "If you were a CISO 10 years ago, a lot of the way that you were evaluated was on [whether] you were acquiring and deploying the right technology."

By contrast, today the security organization is "no longer a quiet function off in the corner," but instead is a top priority for the company's board and C-suite, Lynch said. And as a result, the CISO in 2022 is evaluated more on the outcomes they deliver for security, rather than which tools they deploy.

Many other forces have led to security tool sprawl, as well. The growing attack surface and intensifying threat landscape have led to an array of new types of tools, from cloud security to third-party risk management to AI-powered detection and response.

While innovation and competition are critical in security, like in any industry, many agree that customers would benefit from a cooling-off period for privately held security vendors.

Photo: RSA Conference 2022 show floor. (RSA Conference)

Consolidation window

However, security startups that depend on VC funding to sustain their businesses are expected to have fewer options in the changing economic environment. Some are already instituting layoffs, and the situation will lead many to be acquired, according to Dave DeWalt, the former CEO of FireEye and McAfee, and now founder and managing director of venture firm NightDragon.

The security industry is "heading towards a consolidation window," DeWalt said in an interview with Protocol. "I really think we're going to enter into the second half of 2022 with one [acquisition] after another."

Some cybersecurity startups are welcoming the changing environment. At IT asset security firm Armis, Co-founder and CTO Nadir Izrael contends that the large number of security startups — many of which he said have achieved "over-inflated" valuations without much in the way of revenue — has been unhelpful in terms of improving overall security.

With dozens of cybersecurity startups now boasting billion-dollar valuations, "it's very unclear [for customers] who is a big, mature, sustainable company that can actually support you as an enterprise — and who is a startup that doesn't necessarily have all of those things in place," Izrael said. "It creates a lot of confusion in the markets."

Larger security vendors haven't liked the high valuations for security startups very much either, based on conversations with the CEOs of several major cybersecurity firms. In recent years, the "valuations were crazy" for venture-backed security startups, said Bryan Palma, CEO of Trellix, the company formed through the merger of McAfee Enterprise and FireEye.

M&A opportunity

Since being named the CEO of publicly traded Secureworks last September, Wendy Thomas has been out looking for acquisitions at reasonable valuations, and not finding them.

Valuations for privately held security companies have often been in the range of 15 to 20 times annual recurring revenue, Thomas said. And frequently this is for vendors that are "still consuming a good bit of cash to drive that growth," she said, which effectively makes the acquisition price even higher.

The signs of a slowing economy and the dramatic reduction in public company valuations, however, appear to be changing the dynamic. Thomas said she's already seeing some private company valuations in security that have come down closer to the range of 10 to 15 times ARR — and this is just the beginning. When it comes to cybersecurity startup acquisitions, "For us, now is the time to look," she said.

Zscaler founder and CEO Jay Chaudhry also said the company has not done as many acquisitions as it might have, as a result of the “unreasonable” valuations attached to many security startups.

With valuations now coming back down, Chaudhry said, “it's an opportunity. And we are getting a lot more inbound calls," including from companies, investors and investment bankers. "These companies, who were trying to grow at any cost, now have to worry about, 'How much money do I have left? How many months can I survive, if I don't get to raise the next round?'"

Ultimately, he said, "I think removing froth from time to time is healthy for the market."

