The cybersecurity sector is projected to experience 10% CAGR over the next 3 years, fueled by the increasing volume and complexity of cyber threats. As security technologies emerge at a rapid pace, there is a race among incumbents to acquire specialized expertise to address the ever-evolving threat landscape and remain competitive. This technological convergence has created high demand for M&A as a strategic avenue for innovation in cybersecurity space. Historically, cybersecurity deals have been growing but saw a temporary drop during the recent market downturn, particularly in terms of Private Equity (PE) backed deals. However, M&A within the public domain has exhibited a degree of stability, with recent indications showing a renewed upswing in activity. In this blog post, we explore the changing landscape in cybersecurity and discuss how PE firms can benefit by investing in cybersecurity companies.

 

Shifting deal patterns

We analyzed private and public cybersecurity deals in 2022 and 2023. Figure 1 shows that private investments (including private equity and venture capital) dropped considerably in the second half of 2022 but have started to rise again in the past six months. Despite this, overall deal volume remained relatively constant at around 100 to 125 deals per quarter, primarily driven by higher public M&A activity. In fact, we have noticed considerable increase in the number of public deals starting 2023.

Within the private investment category, PE-backed deals saw a more significant dip in deal volume (Figure 2). We also found that PE firms appear to remain cautious, primarily focusing on smaller deal values in 2023. We believe this trend will ultimately prove temporary as the sector is attractive for investment given the factors outlined below.

 

Key drivers of cybersecurity deal momentum

The cybersecurity industry has witnessed significant M&A activity in 2023, despite economic uncertainties and conservative spending trends. In our previous article (Value generation in cyber: Growth, margins, and moving targets), we discussed how cybersecurity investors have prioritized revenue growth over profitability. This trend is clearly demonstrated by the emphasis on inorganic growth through M&A activities. Following key factors are fueling this trend:

  • Growing importance of cloud security. With the widespread adoption of cloud, the demand for cloud-native security solutions has surged. As organizations run their workloads in multi-cloud, managing security and performance across cloud environments becomes challenging. This trend has sparked a surge in M&A activity, as cybersecurity companies race to acquire or merge with firms specializing in cloud security, identity, and access management. Notable acquisitions include Google's $5.4 billion purchase of Mandiant, CrowdStrike’s acquisition of Bonic, and Cisco's acquisitions of Lightspin and, most recently, Splunk for a staggering $28 billion.
  • Importance of emerging tech. There is an increasing demand and adoption of emerging technology like AI-driven threat detection and response, Data Security, Zero Trust, Operational Technology (OT) / Internet-of-Things (IoT) and Identity Access Management (IAM).  As a result, there is a surge in M&A activity especially with incumbents acquiring startups to stay innovative and competitive. Recent examples include Cisco's acquisition of Armorblox and Check Point’s acquisition of Perimeter 81. 
  • New market entry. Beyond product and tech focused M&A, companies are looking to expand their presence in new markets to increase their customer base, which is driven by a global phenomenon of cybersecurity concerns.  Recent examples include Accenture acquiring Brazil-based Morphus, French company Thales purchasing Australian firm Tesserent, and Veridos becoming the majority shareholder in Serbian company NetSeT. 
  • Government Initiatives. A spending tailwind from the Federal government to protect infrastructure is driving demand across the stack. The federal government is expected to ramp up its cybersecurity investments, having spent over $10 billion in 2022 alone. Companies like SailPoint, Tenable, Rapid7, and CyberArk are benefiting from government contracts, reinforcing the sector's stability.

 

Opportunity areas for expected future deals

Following the growing interest from public companies, PE firms are slowly recognizing the potential in cybersecurity investments. Firms such as Thoma Bravo, TPG, KKR, and Vista Equity Partners have actively engaged in deals within the sector in 2023, which signal growing focus and commitment. We believe the cybersecurity industry will see increased PE deal activity in the following areas. 

Cloud security solutions. There will be continued consolidation in cloud security as the market is projected to grow to an estimated $63 billion by 2028, underscoring the importance for private investors to seize opportunities in this rapidly evolving landscape before they become scarce. Cloud security solutions are gaining additional traction due to AI technologies, solutions, and services going mainstream. Cloud giants have the capacity and resources to not only store massive amounts of data but to also process it, transmit it, manipulate it, and the list goes on. Since AI/ML models not only utilize existing data but they also generate a significant amount of data, which is stored in the cloud. Thus, companies want to continue enhancing the security of their cloud environments, since sensitive data, which may give companies a cutting edge are located in the cloud. Investments into cloud security should consider factors like data sovereignty, data security and protection, multi-cloud adaptability, and security certifications. Value-creation post-acquisition involves economies of scale with hybrid cloud security, managed services support, and maintaining long-term competitive moat sustained innovation and product customization.

AI-powered security solutions.  AI’s current use cases primarily include augmenting security tasks, detecting and responding to threats, and improving overall security posture. This market is expected to reach $61 billion, with 22% CAGR. Investments into this sector presents challenges like GDPR, CCPA, and HIPAA compliance, integration complexities, and talent retention. Additionally, operational benefits of using AI-powered security solutions include 1) accelerated security incident response resolution times to return the business to normal operations faster, 2) easily prioritized vulnerability remediation, and 3) increased security breach risk identification and predictions. Organizations are looking for advanced cybersecurity solutions to preserve the value of their companies by preventing or quickly identifying a breach. 

IoT security solutions. The IoT security market is forecasted to grow at 23% CAGR to $59 billion by 2028, driven by the number of connected devices, network vulnerabilities, and data protection concerns. IoT security demands scrutiny of device diversity, vulnerability management, and scalability. Cost efficiencies can be achieved through automated device management, cloud-based monitoring, and predictive threat mitigation. Additionally top-line expansion can be driven through security industry specialization, consulting services, IoT-specific security hardware and seamless integration into the IoT ecosystem. 

Cybersecurity training and awareness solutions. Employees are often the weakest link in the security chain. Recognizing this, in 2023, Vista Equity Partners acquired security awareness training and simulated phishing platform KnowBe4, and Accenture purchased Morphus, a cyber defense, risk management, and cyber threat intelligence services provider. This market requires a thorough evaluation of content quality, delivery methods, and compliance. Revenue stability can be achieved through staying relevant with changing content, nature of attacks, offering tailored solutions by industry combined, and considering potential gamification and partnerships, all of which will bolster competitiveness.

Cybersecurity consulting services. Organizations need help to assess their security posture and implement security solutions, and cybersecurity consulting firms can help organizations with these tasks. Acquiring cybersecurity consulting firms involves portfolio expertise and market positioning. Achieving operational excellence in this space requires effective knowledge management, talent acquisition and retention, remote consulting capabilities, security specializations, and industry partnerships.

 

A golden juncture for private equity investment in cybersecurity

Now is a critical moment for PE firms to increase investments in the cybersecurity sector, given the industry’s critical function within our ever-expanding technological age. Wise investments made today have the potential to yield substantial returns in the future. The recent surge in deal activity is likely just the beginning of a continuing trend.