Thanks to the economy, cybersecurity consolidation is coming. CISOs are more than ready.

The complexities created by security “tool sprawl” are a major headache for a lot of businesses. But with many vendors and buyers expecting a broader economic slowdown, a wave of security industry acquisitions looks to be on the way.

RSA Conference 2022 show floor. A wave of acquisitions in the security industry may be on the way. Photo: Kyle Alspach/Protocol

Thanks to the tumultuous first six months of 2022, the forces driving cybersecurity “tool sprawl” might be slowing down, which could be a case of a good outcome arising from a bad situation.

The cybersecurity industry is poised for a surge in acquisition activity in the coming months, spurred by the likelihood of a slowing economic environment. Certain venture-backed security startups will no doubt have some tough decisions ahead. But industry experts say that such consolidation is welcome news for many customers, who've been grappling with an overload in options for security tools and a related phenomenon known as "tool sprawl."

"The market is crying out for it," said Ryan LaSalle, a senior managing director and head of the North America practice for consulting giant Accenture Security. "Many of our clients talk about how many tools are in their portfolio — our back-of-the-envelope math is around 60 to 80 in a security architecture. Some companies are as high as 140, which is an untenable amount of sprawl."

The reasons why the cybersecurity industry got to this point are numerous, as are the factors behind the reversal that is likely to come soon. But the bottom line for many businesses is that consolidation in the cybersecurity market should have a positive effect on their ability to protect against cyber attacks, industry experts told Protocol.

Combating complexity

The complexity of configuring and using so many security tools is a huge problem for businesses, especially at a time when almost no one has enough skilled people to go around, said Frank Dickson, group vice president for security and trust at IDC.

In many cases, customers have adopted new security tools in an effort to support rapid digital transformation and the move to the cloud, according to Dickson. However, while such moves have created new complexities for businesses, he said the act of adding more security tools will often "exacerbate the complexity problem" even further. Every new tool must be learned, configured, maintained and used properly by security teams that are increasingly stretched too thin.

Security tools also usually work together more effectively when they’re owned by a single vendor, as opposed to needing to be stitched together by a customer or service provider, Dickson said. “It's probably a shortcoming in human nature: We tend to support and offer true integrated offerings best if we've got a profit motive,” he said.

Many of the chief information security officers LaSalle speaks with “know that their tools aren't working well together,” and are largely not getting them closer to achieving the biggest goals of their security strategies. For instance, “If you're trying to go to zero-trust architecture, stitching it together yourself is really, really hard,” he said.

Meanwhile, CISOs and other buyers are frankly overwhelmed by all the options out there right now, LaSalle said. With so many choices in the security market, he said "it's really hard to wade through all the marketing hype to find the things that really work."

For all these reasons and more, Dickson said consolidation in security is not just a good thing for businesses at this point; it's actually "necessary." The various dynamics at work for security teams in 2022 "almost mandate that we ask our security vendors to offer more comprehensive, integrated solutions, instead of offering best-of-breed point products," he said.

The great expansion

For years, the cybersecurity industry has seemingly defied the forces of consolidation: For every security vendor that got acquired, several new ones would spring up, said Kevin Lynch, CEO at Optiv, a major managed security services firm.

This was never more true than in 2021, when venture capital and private equity investors funneled nearly $30 billion into cybersecurity startups, more than double the amount invested the year before, according to advisory firm Momentum Cyber. Meanwhile, the number of security acquisitions last year remained similar to previous years, Lynch said.

The combination of these factors helped create widespread proliferation of available security tools; at the RSA Conference in San Francisco last week, more than 400 security vendors took part as exhibitors — which represented just a fraction of the industry.

Tool sprawl also exists in part because, for a long time, the role of the CISO revolved around buying new security tools, Lynch said. "If you were a CISO 10 years ago, a lot of the way that you were evaluated was on [whether] you were acquiring and deploying the right technology."

By contrast, today the security organization is "no longer a quiet function off in the corner," but instead is a top priority for the company's board and C-suite, Lynch said. And as a result, the CISO in 2022 is evaluated more on the outcomes they deliver for security, rather than which tools they deploy.

Many other forces have led to security tool sprawl, as well. The growing attack surface and intensifying threat landscape have led to an array of new types of tools, from cloud security to third-party risk management to AI-powered detection and response.

While innovation and competition are critical in security, like in any industry, many agree that customers would benefit from a cooling-off period for privately held security vendors.

RSA Conference 2022 show floor. Photo: RSA Conference

Consolidation window

However, security startups that depend on VC funding to sustain their businesses are expected to have fewer options in the changing economic environment. Some are already instituting layoffs, and the situation will lead many to be acquired, according to Dave DeWalt, the former CEO of FireEye and McAfee, and now founder and managing director of venture firm NightDragon.

The security industry is "heading towards a consolidation window," DeWalt said in an interview with Protocol. "I really think we're going to enter into the second half of 2022 with one [acquisition] after another."

Some cybersecurity startups are welcoming the changing environment. At IT asset security firm Armis, co-founder and CTO Nadir Izrael contends that the large number of security startups — many of which he said have achieved "over-inflated" valuations without much in the way of revenue — has not helped improve overall security.

With dozens of cybersecurity startups now boasting billion-dollar valuations, "it's very unclear [for customers] who is a big, mature, sustainable company that can actually support you as an enterprise — and who is a startup that doesn't necessarily have all of those things in place," Izrael said. "It creates a lot of confusion in the markets."

Larger security vendors haven't liked the high valuations for security startups very much either, based on conversations with the CEOs of several major cybersecurity firms. In recent years, the "valuations were crazy" for venture-backed security startups, said Bryan Palma, CEO of Trellix, the company formed through the merger of McAfee Enterprise and FireEye.

M&A opportunity

Since being named the CEO of publicly traded Secureworks last September, Wendy Thomas has been out looking for acquisitions at reasonable valuations, and not finding them.

Valuations for privately held security companies have often been in the range of 15 to 20 times annual recurring revenue, Thomas said. And frequently this is for vendors that are "still consuming a good bit of cash to drive that growth," she said, which effectively makes the acquisition price even higher.

The signs of a slowing economy and the dramatic reduction in public company valuations, however, appear to be changing the dynamic. Thomas said she's already seeing some private company valuations in security that have come down to the range of 10 to 15 times ARR — and this is just the beginning. When it comes to cybersecurity startup acquisitions, "For us, now is the time to look," she said.

Zscaler founder and CEO Jay Chaudhry also said the company has not done as many acquisitions as it might have, as a result of the “unreasonable” valuations possessed by many security startups.

With valuations now coming back down, Chaudhry said, "it's an opportunity. And we are getting a lot more inbound calls," including from companies, investors and investment bankers. "These companies, who were trying to grow at any cost, now have to worry about, 'How much money do I have left? How many months can I survive, if I don't get to raise the next round?'"

Ultimately, he said, "I think removing froth from time to time is healthy for the market."

Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.
