Thanks to the tumultuous first six months of 2022, the forces driving cybersecurity “tool sprawl” might be slowing down, which could be a case of a good outcome arising from a bad situation.
The cybersecurity industry is poised for a surge in acquisition activity in the coming months, spurred by the likelihood of a slowing economic environment. Certain venture-backed security startups will no doubt have some tough decisions ahead. But industry experts say that such consolidation is welcome news for many customers, who've been grappling with an overload in options for security tools and a related phenomenon known as "tool sprawl."
"The market is crying out for it," said Ryan LaSalle, a senior managing director and head of the North America practice for consulting giant Accenture Security. "Many of our clients talk about how many tools are in their portfolio — our back-of-the-envelope math is around 60 to 80 in a security architecture. Some companies are as high as 140, which is an untenable amount of sprawl."
The reasons why the cybersecurity industry got to this point are numerous, as are the factors behind the reversal that is likely to come soon. But the bottom line for many businesses is that consolidation in the cybersecurity market should have a positive effect on their ability to protect against cyber attacks, industry experts told Protocol.
The complexity of configuring and using so many security tools is a huge problem for businesses, especially at a time when almost no one has enough skilled people to go around, said Frank Dickson, group vice president for security and trust at IDC.
In many cases, customers have adopted new security tools in an effort to support rapid digital transformation and the move to the cloud, according to Dickson. However, while such moves have created new complexities for businesses, he said the act of adding more security tools will often "exacerbate the complexity problem" even further. Every new tool must be learned, configured, maintained and used properly by security teams that are increasingly stretched too thin.
Security tools also usually work together more effectively when they’re owned by a single vendor, as opposed to needing to be stitched together by a customer or service provider, Dickson said. “It's probably a shortcoming in human nature: We tend to support and offer true integrated offerings best if we've got a profit motive,” he said.
Many of the chief information security officers LaSalle speaks with “know that their tools aren't working well together,” and are largely not getting them closer to achieving the biggest goals of their security strategies. For instance, “If you're trying to go to zero-trust architecture, stitching it together yourself is really, really hard,” he said.
Meanwhile, CISOs and other buyers are frankly overwhelmed by all the options out there right now, LaSalle said. With so many choices in the security market, he said "it's really hard to wade through all the marketing hype to find the things that really work."
For all these reasons and more, Dickson said consolidation in security is not just a good thing for businesses at this point; it's actually "necessary." The various dynamics at work for security teams in 2022 "almost mandate that we ask our security vendors to offer more comprehensive, integrated solutions, instead of offering best-of-breed point products," he said.
The great expansion
For years, the cybersecurity industry has seemingly defied the forces of consolidation: For every security vendor that got acquired, several new ones would spring up, said Kevin Lynch, CEO at Optiv, a major managed security services firm.
This was never more true than in 2021, when venture capital and private equity investors funneled nearly $30 billion into cybersecurity startups, more than double the amount invested the year before, according to advisory firm Momentum Cyber. Meanwhile, the number of security acquisitions last year remained similar to previous years, Lynch said.
The combination of these factors helped create widespread proliferation of available security tools; at the RSA Conference in San Francisco last week, more than 400 security vendors took part as exhibitors — which represented just a fraction of the industry.
Tool sprawl also exists in part because, for a long time, the role of the CISO revolved around buying new security tools, Lynch said. "If you were a CISO 10 years ago, a lot of the way that you were evaluated was on [whether] you were acquiring and deploying the right technology."
By contrast, today the security organization is "no longer a quiet function off in the corner," but instead is a top priority for the company's board and C-suite, Lynch said. And as a result, the CISO in 2022 is evaluated more on the outcomes they deliver for security, rather than which tools they deploy.
Many other forces have led to security tool sprawl, as well. The growing attack surface and intensifying threat landscape have led to an array of new types of tools, from cloud security to third-party risk management to AI-powered detection and response.
While innovation and competition are critical in security, like in any industry, many agree that customers would benefit from a cooling-off period for privately held security vendors.
However, security startups that depend on VC funding to sustain their businesses are expected to have fewer options in the changing economic environment. Some are already instituting layoffs, and the situation will lead many to be acquired, according to Dave DeWalt, the former CEO of FireEye and McAfee, and now founder and managing director of venture firm NightDragon.
The security industry is "heading towards a consolidation window," DeWalt said in an interview with Protocol. "I really think we're going to enter into the second half of 2022 with one [acquisition] after another."
Some cybersecurity startups are welcoming the changing environment. At IT asset security firm Armis, co-founder and CTO Nadir Izrael contends that the large number of security startups — many of which he said have achieved "over-inflated" valuations without much in the way of revenue — has been unhelpful in terms of improving overall security.
With dozens of cybersecurity startups now boasting billion-dollar valuations, "it's very unclear [for customers] who is a big, mature, sustainable company that can actually support you as an enterprise — and who is a startup that doesn't necessarily have all of those things in place," Izrael said. "It creates a lot of confusion in the markets."
Larger security vendors haven't liked the high valuations for security startups very much either, based on conversations with the CEOs of several major cybersecurity firms. In recent years, the "valuations were crazy" for venture-backed security startups, said Bryan Palma, CEO of Trellix, the company formed through the merger of McAfee Enterprise and FireEye.
Since being named the CEO of publicly traded Secureworks last September, Wendy Thomas has been out looking for acquisitions at reasonable valuations, and not finding them.
Valuations for privately held security companies have often been in the range of 15 to 20 times annual recurring revenue, Thomas said. And frequently this is for vendors that are "still consuming a good bit of cash to drive that growth," she said, which effectively makes the acquisition price even higher.
The signs of a slowing economy and the dramatic reduction in public company valuations, however, appear to be changing the dynamic. Thomas said she's already seeing some private company valuations in security that have come down more to the range of 10 to 15 times ARR — and this is just the beginning. When it comes to cybersecurity startup acquisitions, "For us, now is the time to look," she said.
Zscaler founder and CEO Jay Chaudhry also said the company has not done as many acquisitions as it might have, as a result of the “unreasonable” valuations possessed by many security startups.
Chaudhry said, with valuations now coming back down, "it's an opportunity. And we are getting a lot more inbound calls," including from companies, investors and investment bankers. "These companies, who were trying to grow at any cost, now have to worry about, 'How much money do I have left? How many months can I survive, if I don't get to raise the next round?'"
Ultimately, he said, "I think removing froth from time to time is healthy for the market."