Analyst Chat

Analyst Chat #33: Vendor Consolidation in Cybersecurity

Matthias Reinwarth and Jonh Tolbert discuss the ongoing consolidation of the cybersecurity market and talk about its reasons and potential consequences.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analyst here in Germany. My guest today is John Tolbert. He is a lead analyst for KuppingerCole, and he works from Seattle. Hi Johnny.
Hi, nice to join you again today.
Great to have you. And we're talking today about an important topic, which is not that much technology oriented, although it might be also considered to be that as well. We want to talk about the market of cyber security, and we want to talk about vendor consolidation in that area. And the reason for that is that we, and you are observing an ongoing consolidation in the cybersecurity business what's going on there? What drives this consolidation?
Well, you know, I think there are several reasons for consolidation. You'll see oftentimes, you know, midsize or maybe even large security companies buy up some startups or, you know, smaller vendors, maybe, you know, late stage venture backed companies. And they really do that to add features and functionality to their own solution sets. You know, and I think that that gives them the feeling of being more complete, being able to offer their customers more functionality in a single product. And, you know, really it helps them in, in that market segment. You know, let's say we're talking about something like a network security, you know, picking up different bits of network security functionality, putting it into the package, makes it more attractive for perspective customers. Sometimes, you know, this can lead to what we might call functional overlap. So let's say you're a business and you've already got a couple of different networks, security products.
You may use, you know, specific functions from one vendor's product and may not be aware that another product that you already have licenses for offers similar functionality. You know, another reason why companies bigger security companies do this is to pick a market share, or even sometimes it can be something as simple as by the customers of a smaller vendor, you know, that exposes the big company to the set of customers that they may have had their eye on for a while. Anyway, and then a similar to that, I think it's also possible that vendors buy up smaller companies just to kind of get a foothold in a new territory. For example, you could have a company that's based in the us and they may want to get started in Europe. So they buy a European company that has a similar kinds of functionality or an APEC company. And that allows them to kind of get a toe hold in a new market and market share in a way that may have been much more difficult for them to do just, you know, growing organically. So there's lots of different reasons. I think why larger vendors will buy up smaller vendors, particularly in cybersecurity.
If we look at this consolidation, you've mentioned that might also change the, the feature set that an existing and already licensed product might have for user. That is the reason why we always recommend to, to execute such a kind of portfolio analysis and such an assessment to make sure that you don't spend too much money when, when you look at your own cybersecurity or in general at your architecture. But when we look at this consolidation, what does that mean for the, for the end user? Does this consolidation always have positive effect or are there also downsides?
Yeah. You know, there's, there can be both and there can be downsides to consolidation sometimes. And we've seen this mid and actually many times over the last 15 or 20 years, sometimes a competing product will buy up smaller, special product. And then unfortunately it kind of goes away. It just gets retired in place. And in a case like that maybe maybe the smaller product was purchased just for the customers or just for the territory. And the bigger company never gets around to actually taking that code and integrating it with their main line code. You know, I guess you could say, okay, the motivation was to reduce competition, pick the competitive products customers and, and move forward with that. Other times it can be just a case of, you know, it's difficult to integrate code from a formerly competitive company into the product line. It can take a long time to get it right, and that can be difficult for customers of the previously existing product. If that code base is not continued and, and features added to it, to keep it current in the market, that can be definitely a disadvantage for the customers of a, of a purchased product in those cases, you know, and what you wind up was there sometimes is stagnation of the feature set and then even weak technical support the purchased product.
In an earlier episode, we talked about upcoming new technologies, which are really just gaining traction and are gaining visibility. Like the NDR episode that we did before. What are then other reasons for vendor consolidation? Is this also something that a larger, more established vendor wants to yeah. As I said, get more competence in these new, more modern features. That's an east more modern market segments as
Well. Yeah. You know, we've seen that a few times over the last decade or more to where let's say not even a security specialist organization, but maybe maybe a large business application vendor wants to get into cyber security. So they'll buy a couple of different cyber security companies and then begin to try to integrate them. You know, that can be a good, you know, for the business application because they're buying security, they can integrate it. They can add capabilities that they needed that they didn't have. And also, you know, this can have varying degrees of success. If, if security isn't their main push in life. Anyway, it can wind up taking a long time to get an integrated, you know, that can be problematic for customers as well. Right.
I've seen in the past that there were just issues in achieving this integration and to have this all play well together between the individual components ask different origin. How does this, from your experience work for the customers of the purchase vendors in general, because that was just a one-off situation that I've seen. But so from a, from an analyst point of view, how does that usually work out for the end user?
Well, I think more often than not, it does work out. Like I said, it can sometimes take longer than any of us would like. And oftentimes even the purchasing vendor runs into difficulties and, and sort of slowed down the progress that they had anticipated maybe when the purchase was first announced, but you know, over the long run, I think there are definitely advantages from a customer perspective. Think about, think about maybe you're at a large enterprise, the advantages for you are you have fewer vendors to deal with. And in many cases, greater functionality after the purchase as well. I mean, you've got, you know, let's say you're a CIO at a big company when a larger company or a larger security vendor buys up a startup, the advantages you've got fewer products that you have to manage. Many large companies have internal product managers for each product.
They've got so fewer product managers, less labor, you can get more functionality in a single product suite that way. And if eventually this one seems to be tricky, if the administrative consoles that the admin users in your large organization use can be integrated, then you can kind of get closer to that single pane of glass that marketing people talk about, which, you know, is more than a marketing term. It's really something that most CIO CO's or SOC manager strive for because the fewer tools, the fewer interfaces that employees have to deal with, the more efficient they can be. And so this also leads to hopefully needing fewer product specialists in security operation centers, Sox, and then from a legal and accounting and procurement perspective. It's fewer contracts that you have to manage. So consolidation and cybersecurity can definitely be a good thing for a variety of different reasons there, once you get through some of the initial pain points that sometimes companies experience as a result of that. So, but
How does, how do these acquisitions play out? How does that
Work? Well, I think the most common scenario is let's consider a large vendor. That's already got an existing security product portfolio and are going to buy a new specialist product, something that's maybe, you know, adds new features, new functionality that they feel like it would take much longer to develop internally. You know, and we've seen this a lot in the last 10, 15 years, especially in the area of endpoint security, you know, the use of machine learning in detection models for both malware and malicious behavior. Think, you know, user behavioral analysis ML is something that offers, you know, some real benefits when properly put into products. So some of the older vendors looked at some of the startups that came along and said, you know, they've got good technology there. Let's, let's buy it and integrate it into our own. And it would be faster than trying to develop that capability in house.
And then that results in them becoming more competitive, picking up new customers. You know, I think we're going to see this in the near future with network detection and response, like we were talking about last time in the, our products. I think many of them are specialist companies right now. They are adding capability that many private sector and public sector organizations find useful. And eventually, and probably not the distance, these will be picked up by a large security stack vendors or networking. There's a likely, and you know, there's another topic we haven't really gotten into yet about deception network, deception tools or distributed deception platforms. These are another specialty area within security that are sort of designed to lure in attackers so that they can be monitored and give you advanced warning. An attack is taking place on your assets. These kinds of vendors are very, very innovative and there's a good deal of differences out there and the approaches that they take. And I think, you know, next two, three, maybe even five years, we're going to see integration of distributed deception platform, fans, or technologies into the mainstream security suite applications as well. So these
Would be really perfect candidates for taking them over because they would really add specific functionality to a product suite, which has no overlaps, but, and it's really a perfect match for them there. We've seen that before in other larger mergers. So I think the one famous example is the Oracle sun merger, where they ended up with lots of overlaps and lots of software providing the same functionality in various areas where they had to decide and to retire individual solutions, which of course also made many customers really, really unhappy there as well. But, but what happened to the traditional IPO?
Well, yeah, you know, that's, that's a good question too. I think they don't happen as often in the security world as they used to. It used to be, you know, every start-up's dream to exit with an IPO, but, you know, I think it's, it's pretty expensive. There's a rigorous process that needs to be followed to be able to get to IPO. And now it's taking quite a long time. I mean, seven of the companies that we know of that have done successful, IPO's have been working on that literally for years and along the way they've had to take in pretty large rounds of investment to be able to maintain and grow to the point where an IPO actually makes sense in the market. You know, so getting close to the level of profitability needed and having that large dependable customer base can be really difficult. That's why we see more and more startups angling for acquisition, kind of out of the gate, rather than IPA build, build something that the big vendors don't have and then get picked up, you know, 5, 6, 7 years down the road. You know, we also see cases where private equity firms are buying security and identity management companies. You know, I think it's kind of an interesting around, but we also see where often times that brings major overhauls to management personnel, and sometimes that doesn't always work out well for customers. Right. And
Have you seen also in various different aspects that we couldn't cover today in that episode, but if a smaller vendor is taken over often the staff is moving away because they're reluctant to work for a larger company, or they prefer it to be still in that more, more agile, more modern way of working. And so the, as I end up with buying a product and maybe a technology, but without the expertise around that, I think that's also a difficult aspect to think of. But as we get into the, to the end of this, this episode already, let's, let's use your experience as an, as an analyst on the one hand, but also being an advisor for our customers, let's consider ourselves being a customer of a small security vendor that is actually a target of such an acquisition. What do I need to know? Is there something how I can prepare for that? What would be your recommendations here?
Yeah, let's say you've heard on the news and tech news that this is about to happen. I think it's important to not just wait and watch and see what happens. You really need to get some background on the firing. I mean, you know, if it's, if it's a large vendor, maybe you already have some sort of relationship with them, maybe you're using them for, you know, business applications or network or, or, or, you know, another part of your security architecture portfolio. So if you are then, you know, get in touch with product and technical account management at both your current small vendor that you're using and the company where they're going find out, you know, which, which one who's going to be responsible for your account over the long haul and, and start making sure that you could build that relationship. If you don't already have it, if you don't have anybody at that company work closely with the smaller vendor that you're currently working with and find out, you know, how is account management going to change over the coming months or years?
And, you know, they may not have all the answers at the beginning, but I think it's important to begin having those dialogues, to show the vendor that you're interested in and things like what's their product roadmap kind of be, where does it fit into their overall portfolio? Do they perceive this to as maybe a key new technology that they want to focus on? If it is then I think in luck because it will probably be, you know, receive a lot of effort, it will be more quickly integrated. It's really important to keep in contact and find out what the product roadmaps are going to be. But also, I think you have to expect that outcomes may be difficult or different than, than what is at least originally anticipated. I think many times vendors are quite optimistic about the timeline on which they may be able to integrate products.
And then after they start looking at the code base, they figure out, you know, this might be a little bit harder than we thought. So it might take a little bit more time. And really as is those of us who've been working in the security software field for a while now, it's, it's really difficult at times to achieve that seamless integration that everyone says they're trying to achieve. But then, you know, I guess as let's say, you've are in the middle of an acquisition process and it's looking like it's taking a long time. You found out what the roadmap plans are, and they're really not materializing the way that was promised or the way that you need them to be, or maybe simply the new parent company isn't really executing well on that vision. It, it may be time to look for a replacement. So in that case, you know, keep in mind what your own business needs are, meeting with your internal stakeholders as a security, professional security manager. And if, if the current product set that you're using, isn't meeting the needs and it doesn't look like it's going to, you know, in a timely fashion, then it may be time to look for, you know, look at doing some sort of RFP or tools choice to replace it.
Right? You mentioned the RFP process. This is something where we accompany our customers in on a regular basis. And I think it's an important aspect also here to look at a supply chain, risk management approach that really understand, first of all, what is the risk? If you choose a larger vendor, a smaller vendor, a new vendor, maybe a startup vendor, and to deal with that. And if there is a risk or you consider that to be a risk, that there might be a takeover in the long run that you really have an exit strategy in place, or at least have already made the right first steps towards an exit strategy. So not to get to a vendor lock-in here. I think there's lots of material around at KuppingerCole dot com when it comes to cyber supply chain, risk management approaches. And this is really a new aspect to integrate into the way to do cybersecurity and to do digitalization in general. But I think it's very important in such changing market segments and such innovative market segments to deal with that adequately.
Yeah, definitely. You know, maybe that's a subject for a whole another podcast, but the cyber supply chain risk that's, that's excellent. When you think about the way enterprises, vet potential vendors, you know, there are times when it's, it's completely appropriate to let's say accept a little risk and work with a smaller vendor. You've got a really pressing need and, you know, vendor X has something that you can't get elsewhere for them. Yeah. I think you should do that a bed, like you said, you know, you should be also ready to have an exit strategy and, you know, there are things around that, you know, we can help with and talking about using standards and avoiding vendor lock-in so yeah, that's, that's very pertinent to the conversation I believe.
Okay, great. So for this episode, thank you very much, John, for giving us insight into this. Yeah. This, this complex topic and that interesting topic when we are talking about increasingly innovative markets, I think we should continue the discussion around cyber supply chain, risk management as well, but for the time being, thank you very much, John, for being my guest today.
Thanks for GS. And bye-bye .

Video Links

Stay Connected

KuppingerCole on social media

Related Videos


Key Findings on Malign Information, Misinformation, and Cyberattacks

Ksenia Iliuk, Head of Research at Detector Media, Ukraine tells us about some key findings of their research in the media landscape of Ukraine. Find out what she has to say about Telegram and what it has to do with #cybersecurity .

Analyst Chat

Analyst Chat #149: The Top 5 Cybersecurity Trends - Looking Back at CSLS 2022

Deep Fakes, AI as friend and foe, Business Resilience, Mis-, Dis- and Malinformation: The Cybersecurity Leadership Summit has taken place in Berlin and covered all of this and much more. Martin Kuppinger and Matthias look back on the event and identify their Top 5 Trends from CSLS2022 in…

Event Recording

Assessing your Cybersecurity Tools Portfolio: Optimize Cost, Increase Security

Most organizations don’t suffer from a lack of cybersecurity tools. They suffer from the cost and administrative burden of running too many of these. They suffer from the lack of integration. They suffer from the lack of skills in optimally configuring the tools and analyzing the…

Event Recording

Cyber Warfare - A Reality Check

Cyber Warfare and Disinformation have been heavily weaponized since Russia´s full-scale Invasion of Ukraine and even before, aiming at destabilizing the free part of the world. It is the "synergy of the evil" between cyber warfare and MDM (Misinformation, Disinformation,…

Event Recording

How the Current Crisis could become a Catalyst for Various Transformations

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00