By Wallace Witkowski, MarketWatch
MarketWatch photo illustration/iStockphoto
There are too many cybersecurity companies offering too many solutions to too many problems, with too few qualified workers seeking to help. After years of hoping for a change, it’s possible that the fourth-quarter market correction could help 2019 be the year that change finally happens.
The cybersecurity industry faces many challenges beyond a barrage of attacks that use constantly shifting tactics, but the biggest issue that chief information security officers, also known as CISOs, bring up repeatedly is a glut of vendors. As the industry matures, culling looks to be a natural part of the process.
“I think there’ll be a lot of acquisitions,” Ann Johnson, corporate vice president of the cybersecurity solutions group at Microsoft Corp. /zigman2/quotes/207732364/composite MSFT -1.49% , told MarketWatch in a recent interview. “I think you’ll see a lot of M&A. I think you’ll see not just platform vendors buying but people trying to consolidate their position that are big security vendors. There are only three or four left big security play-pay vendors, and I think you’ll see them trying to consolidate their positions.”
Security acquisitions could be more possible after the recent decline in their valuations. The industry, as followed by the ETFMG Prime Cyber Security ETF /zigman2/quotes/207892345/composite HACK -0.51% , is still performing better than the broader market, with the ETF rising 6.5% in 2018, compared with a 6.2% drop in the S&P 500 index /zigman2/quotes/210599714/realtime SPX -0.36% . The ETF, however, was in bear-market territory until last week as stocks faced their worst December in decades, and is still more than 17% off its 52-week high in mid-September.
During the past decade, cybersecurity received a huge spike in investment as startups were formed to address niche issues, according to security executive Adam Ely, who served as CISO at Heroku following Salesforce.com Inc.’s /zigman2/quotes/200515854/composite CRM -1.54% acquisition of the company. Back then, venture-capital money was free flowing, and consumers were just starting to care more about how companies were securing their data, Ely told MarketWatch.
Now, there’s a glut of companies, many of which should be “features” in a larger system, Ely said, VC money is drying up, and companies have raised the security of customer data to a board-level discussion because of public outcry and government oversight. All these factors point toward streamlining operations and M&A activity.
“All of a sudden these acquisitions have gotten cheaper for them because raising capital or going IPO is now not an option for a lot of these security companies, so the acquisitions have gotten cheaper,” Ely said. “And people are going out and saying, ‘OK, Where do we need to expand our portfolio?’ ”
Consolidation of resources may also help to mitigate another problem that the fractured cybersecurity industry faces: a lack of talent. Citing an estimate from research firm Cybersecurity Ventures, Johnson said the industry faces a shortage of about 3.5 million qualified workers by 2022, which also awakens the industry to another problem: a lack of diversity. And, Johnson said, the problem isn’t just one of gender equality; it’s one of smart business. Cybersecurity is a business that faces tough problems from persistent adversaries and a lack of diversification from the defenders becomes a glaring security flaw.
“You never solve hard problems with like-minded people,” Johnson said.
Research firm Forrester predicts that the number of women CISOs at Fortune 500 companies will rise to 20% in 2019, compared with 13% in 2017.
“For too long, the cybersecurity industry has relied on exclusive hiring methods that favor men over women and fail to promote diversity,” Forrester said. “This trend has held steady even though diverse companies are proven to be smarter and more capable and to routinely outperform competitors.”
Diversity applies to training as well. Firms are finding that computer-science majors may not necessarily be the best candidates for hiring. Even while many low-level security functions can be performed by machine learning or AI, the sophisticated attacks that do the most damage, like the Equifaxes /zigman2/quotes/208789454/composite EFX -4.25% and the Marriotts /zigman2/quotes/200170042/composite MAR -0.77% , rely upon humans doing the hunting.
“In my career lifetime, we’re never going to get to the point where human hunters don’t exist,” Microsoft’s Johnson said. “I love to hire ex-law enforcement, ex-military investigators because I can teach them computer tooling, but they understand motive, they understand how to chase somebody, they know how to track movement, and that’s something that’s really hard to train.”
Consolidation in the industry is overdue, according to Bret Arsenault, CISO at Microsoft.
“From the CISO chair, we’ve expected consolidation for years,” Arsenault said. “We didn’t see as much as we had expected.”
The landscape was not barren in 2018. Cisco Systems Inc. /zigman2/quotes/209509471/composite CSCO +0.34% — one of the largest cybersecurity companies — acquired Duo for $2.35 billion, and Palo Alto Networks Inc. /zigman2/quotes/207599953/composite PANW +0.54% pushed deeper into the cloud with its acquisitions of Evident.io and RedLock. Consolidation seemed to be outdone by new issues, though, as companies like Zscaler Inc. /zigman2/quotes/203585803/composite ZS -3.37% and Carbon Black Inc.executed initial public offerings.
Those companies are going to run into CISOs who are looking for a bundle, though. Arsenault said he’s reduced the number of security vendors he deals with by about 40% over the past two years.
“If I have to have a staff to run four products versus a staff to do the same capability on one vendor product, it’s just way more operationally efficient, not just in terms of contract negotiation, but in terms of operation, in terms of running the stack,” Arsenault told MarketWatch. “So that’s a big push for us.”
According to Arsenault, the areas of security that are most ripe for consolidation are mature parts of the industry like endpoint security, vulnerability management, security information and event management. Startups, for now, will likely still dominate less mature security areas like internet-of-things applications and supply-chain management, he said.
U.S. components of the ETFMG Prime Cyber Security ETF (as of Dec. 31)
|Company/Index||% off 52-week high||2018 performance||Market Cap (millions)|
|Cisco Systems Inc. /zigman2/quotes/209509471/composite CSCO||12.4%||13.1%||$194,810|
|FireEye Inc. /zigman2/quotes/204730283/composite FEYE||21.4%||14.2%||$3,194|
|Symantec Corp. /zigman2/quotes/200957356/composite SYMC||36.4%||-32.7%||$12,072|
|Juniper Networks Inc. /zigman2/quotes/207361368/composite JNPR||12.6%||-5.6%||$9,288|
|CyberArk Software Ltd. /zigman2/quotes/206810080/composite CYBR||12.0%||79.1%||$2,674|
|Check Point Software Technologies Ltd. /zigman2/quotes/200866016/composite CHKP||15.0%||-0.9%||$16,035|
|Akamai Technologies Inc. /zigman2/quotes/203072268/composite AKAM||26.5%||-6.1%||$9,948|
|CommVault Systems Inc. /zigman2/quotes/205571392/composite CVLT||18.7%||12.6%||$2,735|
|Splunk Inc. /zigman2/quotes/203060494/composite SPLK||19.4%||26.6%||$15,495|
|Science Applications International Corp. /zigman2/quotes/202740286/composite SAIC||31.7%||-16.8%||$2,710|
|Fortinet Inc. /zigman2/quotes/205733290/composite FTNT||25.7%||61.2%||$11,999|
|Palo Alto Networks Inc. /zigman2/quotes/207599953/composite PANW||21.4%||30.0%||$17,871|
|Proofpoint Inc. /zigman2/quotes/207816916/composite PFPT||35.7%||-5.6%||$4,580|
|Qualys Inc. /zigman2/quotes/201504669/composite QLYS||24.0%||25.9%||$2,943|
|CACI International Inc. /zigman2/quotes/205763384/composite CACI||28.3%||8.8%||$3,579|
|SailPoint Technologies Holdings Inc. /zigman2/quotes/208922889/composite SAIL||32.1%||62.0%||$2,062|
|Tenable Holdings Inc. /zigman2/quotes/203199150/composite TENB||43.7%||-27.3%||$2,065|
|Carbonite Inc. /zigman2/quotes/205010412/composite CARB||42.1%||-0.6%||$873|
|VeriSign Inc. /zigman2/quotes/205260150/composite VRSN||16.1%||29.6%||$17,926|
|Secureworks Corp. /zigman2/quotes/202179762/composite SCWX||10.7%||90.4%||$1,380|
|NetScout Systems Inc. /zigman2/quotes/201011529/composite NTCT||25.6%||-22.4%||$1,836|
|Verint Systems Inc. /zigman2/quotes/209184374/composite VRNT||19.3%||1.1%||$2,762|
|Booz Allen Hamilton Holding Corp. /zigman2/quotes/203977398/composite BAH||14.8%||18.2%||$6,415|
|Zscaler Inc. /zigman2/quotes/203585803/composite ZS||18.7%||18.8%||$4,793|
|F5 Networks Inc. /zigman2/quotes/209237881/composite FFIV||18.9%||23.5%||$9,823|
|Okta Inc. /zigman2/quotes/210420951/composite OKTA||15.5%||149.1%||$7,046|
|Everbridge Inc. /zigman2/quotes/202832262/composite EVBG||9.9%||91.0%||$1,683|
|Rapid7 Inc. /zigman2/quotes/203905856/composite RPD||20.9%||67.0%||$1,475|
|Radware Ltd. /zigman2/quotes/201355321/composite RDWR||20.3%||17.1%||$1,029|
|ManTech International Corp. /zigman2/quotes/207993719/composite MANT||23.2%||4.2%||$2,078|
|Carbon Black Inc.||61.7%||-43.9%||$911|
|Leidos Holdings Inc. /zigman2/quotes/202902477/composite LDOS||27.1%||-18.4%||$7,895|
|Mimecast Ltd. /zigman2/quotes/202578603/composite MIME||28.3%||17.3%||$2,020|
|OneSpan Inc. /zigman2/quotes/201429622/composite OSPN||49.1%||-6.8%||$521|
|Varonis Systems Inc. /zigman2/quotes/204126818/composite VRNS||36.3%||9.0%||$1,559|
|ForeScout Technologies Inc. /zigman2/quotes/205654246/composite FSCT||36.6%||-18.5%||$1,114|
|KEYW Holding Corp.||33.5%||14.0%||$334|
|Zix Corp. /zigman2/quotes/208005056/composite ZIXI||19.2%||30.8%||$311|
|A10 Networks Inc. /zigman2/quotes/206808991/composite ATEN||20.2%||-19.2%||$460|
|MobileIron Inc. /zigman2/quotes/205635377/composite MOBL||19.6%||17.7%||$484|