2020 Tech M&A Outlook: Information Security

Last year, overall information security (infosec) M&A was up for the fourth straight year to a total of 141 deals, which eclipsed the all-time record of 132 transactions set in 2015 and was up from 131 acquisitions in 2018. Aggregate deal value of $23.2bn blew through 2018's $14.9bn tally and the all-time high of $15.3bn set in 2016, largely due to the massive boost from Broadcom's $10.7bn purchase of Symantec's enterprise security business. All in, there were four billion-dollar-plus cybersecurity transactions in 2019, up from three in 2018.

As we have noted in previous M&A Outlooks, there have been three distinct phases of infosec M&A dating back to 2002. The first 'wave,' from 2002-04, averaged 50 deals per year. The second phase, from 2005-13, averaged 76 transactions annually, and we saw another upward step in deal volume starting in 2014. Last year, activity topped the 100-deal mark for the sixth consecutive year, with the five-year average increasing to 120 acquisitions per year.

Private equity (PE) is still a major force in cybersecurity M&A, with 43 PE-led transactions in 2019, up slightly from 41 PE-backed deals in 2018. Although its influence appears to have plateaued in 2019, PE still accounts for nearly one-third of all cybersecurity M&A (31% in 2019), and there is still enough 'dry powder' available to suggest that PE will remain a driving force in infosec consolidation.

Much of the strength in infosec M&A in recent years has been driven by 'non-security' strategic vendors – i.e., non-financial buyers whose main revenue sources come from businesses outside of infosec, such as cable MSOs and telcos (Comcast, Orange SA, Verizon), content management suppliers (Open Text), financial services firms (City National Bank, Fair Isaac, MasterCard, Visa) and CDNs (Akamai). By our count, fully 43 of the 141 total infosec acquisitions were from non-security strategic acquirers, matching exactly the 43 PE-led transactions.

This implies that just 53 of the 139 targets (38%) were kept 'in the family' by traditional security vendors. In years past, the most prolific security acquirers were Symantec, Cisco and McAfee, which have inked 55, 37 and 29 deals, respectively, since we started 451 Research's M&A Knowledgebase back in 2002. Last year, however, Palo Alto Networks assumed the mantle of most-acquisitive security provider, scooping up five companies (Aporeto, Zingbox, Twistlock, PureSec and Demisto), after consummating three deals in 2018 (RedLock, Secdo and evident.io).

Check Point had one of its most-active years ever, purchasing application security (appsec) specialists Protego Labs and ForceNock as well as IoT security startup Schwifty (Cymplify). Akamai inked three transactions of its own, nabbing identity and access management (IAM) vendors Janrain and KryptCo, along with ChameleonX, while Sophos acquired Avid Secure, Rook Security and Darkbytes. Fortinet, Proofpoint, SailPoint, VMware and Zix all printed two deals apiece in 2019. However, the overall title goes to private equity (PE) firm BGH Capital, which picked up 11 managed security service providers (MSSPs) in a single day as part of an apparent rollup strategy. Fellow buyout shop Sunstone Partners also purchased three MSSPs last year.

IAM remains the most-active sector for M&A (32 deals) for several reasons. First, the sheer size of the IAM segment consists of at least five subcategories and several hundred vendors. There is also a breadth of use cases for identity, spanning authentication (e.g., 'Who are you?'), access controls, provisioning and deprovisioning, access controls for privileged users, etc. Lastly, the decline of the traditional network perimeter is making identity a common control point as an alternative to network-based security approaches: Identity is the new perimeter.

MSSPs were the next-most-active at 28 transactions, the largest year-over-year increase of any sector, largely due to the 11 deals by BGH Capital referenced earlier. Threat protection again made the top three with 26 purchases, up from 23 in 2018. Aside from MSSPs, the biggest jump was IoT security (up from three to 10), while security management (down from 15 to seven) and appsec (from 12 to six) showed the most notable decreases from the prior year.

Sector preference among buyout shops mirrored overall consolidation activity, with MSSPs leading the way in terms of PE investments, followed by IAM and threat protection. The infosec market is once again expected to be the most-active segment for M&A in 2020, according to 451 Research's Tech Banking Outlook Survey. The survey compiles responses from bankers on where they expect to spend most of their time in the coming year, among 15 different segments. This year's survey marks the fifth consecutive year that infosec has topped the charts.

Part of the reason that PE remains so active in cybersecurity is that there is an abundance of opportunities. Depending on whom you ask, there are somewhere in the vicinity of 3,500 security vendors, up from about 1,000 just five years ago. The overabundance of security providers is due to a combination of a growing list of problems to be solved, along with an excess of venture capital looking for a home. To a large degree, security is an arms race between the 'good guys' seeking to secure networks and data and the 'bad guys' seeking new ways to exploit them.

Assuming the VC spigots aren't turned off anytime soon, we suspect that this number will continue to mushroom. Further, if we consider an average of 120 deals per year, infosec will be a buyer's market for the foreseeable future. The paradox is that despite the glut of security firms in the sector, valuations continue to go up, or at least hold fast, which violates the basic tenets of economics. At some point, therefore, simple supply and demand would suggest that infosec M&A multiples will contract. The best explanation is that while average valuations haven't declined, exorbitant price tags for 'hot' segments have offset weaker asking prices for security neighborhoods that have lost their luster.

Locking the Doors Opened by new Technology

Information security is rife with paradoxes, one of which is that innovation itself has the perverse outcome of creating more security problems. For most technology, security is an afterthought, at least initially. That's particularly true for emerging enterprise technology, where shiny new gadgets and slick new software dazzle us with promise. Under the spell of early adoption, we focus on all of the great things the technology makes possible for us and our businesses. And then we get hacked, and realize that we just might need to put a lock on some of the doors opened by the new products.

As such, advances in mobile and cloud computing, IoT and big data have all created new security holes (and opportunities for attackers). Indeed, 451 Research's Voice of the Enterprise (VotE) surveys for cloud, big data and IoT invariably indicate security as the number one barrier to adoption, ahead of more mundane concerns like cost, performance or user experience. Newer developments like containers, DevOps and microservices promise to offer more of the same. The latest advances in containers, serverless computing and microservices have the potential to stimulate demand, which will result in yet more security startups being formed that could serve as fodder for future rounds of consolidation.

At the same time, as much as new security investment dollars flow toward anything 'bright and shiny,' there is a growing realization of the need to ensure that a certain amount of attention be paid to looking in the rearview mirror – i.e., toward our legacy on-premises estate. Although hybrid IT used to be thought of as a waystation on the path to cloud Nirvana, hybrid increasingly is looking more like an end state for many firms.

We have already seen several companies make strong moves toward supporting hybrid enterprises, particularly Microsoft, which has emphasized its hooks into on-premises estates via Active Directory, Office and Windows servers. Google is also making a big push to provide security services that work outside of Cloud Platform and G Suite. Okta has likewise introduced the ability to offer SSO to on-premises web apps.

As much as cloud was supposed to make all of our lives simpler, the reality for many security vendors will be that for the foreseeable future, they will need to keep 'one foot on the dock and another in the canoe.' We suspect that the rush to support hybrid architectures will drive both legacy-focused security providers to look to add more cloud-ready technology, a la Palo Alto's pickup of Aporeto, as well as cloud-first firms aiming to extend their hooks into on-premises resources (e.g., OneLogin-CafeSoft, Okta-ScaleFT).

Compliance

A brief General Data Protection Regulation (GDPR)-driven blip in 2018, where compliance rose to being the top determinant for security project approval and prioritization within enterprises, subsided to second behind some manner of risk assessment in 2019. Guaranteed to elicit a sigh and perhaps a 'compliance doesn't equal security' speech from security practitioners, compliance requirements, which are really anything driven by adherence to some standard from regulatory controls to PCI requirements, are nonetheless a continuous operating reality for security practitioners.

Relevant to the third-party risk trend macro-level driver, look for all manner of outside entities, from insurance firms to rating agencies and payment processors, to allot money into the quick evaluations of security capability to start creating winners among certain security technologies by identifying that their presence is associated with a lowered risk of data breach. This is similar to the push that PCI standards gave the legacy WAF space, and right or wrong will have an effect.

In some ways, GDPR and more recently the California Consumer Privacy Act (CCPA) – both disruptive and slightly clumsy attempts by government bureaucracy to catch up to the miles-ahead lead of a finely tuned industry machine set to track nearly every aspect of consumers' lives – are only precursors of what's to come. IoT proliferation, which already includes automobiles and doorbells, will continue to press a question that regulatory regimes haven't solved for the more than 20-year-old problem of website tracking and protecting nonpublic personal information.

The Growing Role of Third Parties in Enterprise Cybersecurity

Increased migration to the cloud, the rise of SaaS and hosted services, and growing reliance on third parties generally introduce their own risks to the challenges of security management. In our view, we believe organizations have yet to grasp the full extent of their dependence on these providers – but we expect 2020 to be the year in which they begin to wake up to this realization.

Consider that it's not just fundamental IT capabilities previously found only in the datacenter that organizations are shifting to third parties. Businesses look to SaaS and service providers for a wide range of functionality, from customer resource management, payments processing, supply-chain integration and HR, to the integrated communications, workflow and collaboration systems that underpin transformational drivers such as DevOps. Some of these providers offer entire platforms that integrate functionality across these requirements.

Dependence on third parties for software itself characterizes the boom in open source that has driven major deals such as Microsoft's reach for GitHub in 2018, while service providers are picking up much of the load that organizations either prefer to outsource or face challenges in sourcing and retaining their own personnel. Industrial and operational technologies, meanwhile, have high dependence on OEMs for how their technology – and its security – is implemented. Evidence of these exposures is beginning to appear in incidents going back to the 2013 Target breach and beyond, with more recent examples including breaches at British Airways and Ticketmaster disclosed in 2018. The 2017 Equifax breach in part highlights the challenges of mitigating exposures in open source packages. These incidents, however, are only manifestations of exploit. Exposures to potential exploit are likely far greater.

This has driven the rise of yet another aspect of third-party involvement, that of third parties whose role is what some refer to as digital risk management (DRM) – assessing the cyber risks that suppliers may pose to their customers in the IT supply chain as part of M&A due diligence, or among third-party technology and service providers. BitSight, CyberGRX, Prevalent, RiskIQ, RiskRecon and SecurityScorecard are examples of vendors looking at multiple aspects of this exposure. Another class of such third parties includes those in the business of rating and mitigating risk for businesses and investors – this means the insurance industry, as well as the likes of credit-risk-rating firms. FICO is a player that has a foot in both the DRM and credit-rating camps. On a different level, Moody's made headlines in 2019 by downgrading the bond rating of Equifax on account of its headline-making 2017 data breach. (Disclosure: On December 6, 2019, S&P Global announced the acquisition of The 451 Group.)

While enterprise technology providers may awaken to the opportunity to invest more in DRM, M&A momentum in the near term has so far involved the likes of MasterCard, which bought RiskRecon in December 2019 – not surprising given the role of the payments card industry in setting a bar for security management over the past several years. Moody's, meanwhile, made a minority investment in SecurityScorecard as far back as 2017. Considering that as those who assess and score business risks and mitigate them via insurance represent a sector significantly larger than the infosec market, they may become a very provocative group of investors – and potential acquirers – in this field.

One theme that has been and we expect will increasingly drive M&A in the IAM segment is convergence. For the most part, over the past 10 years or so, IAM vendors had been content to stay in their lanes. Identity-as-a-service (IDaaS) providers remained largely focused on access control via MFA and SSO, identity governance and administration firms concentrated on user provisioning and identity lifecycle management, and privileged access management (PAM) specialists stuck to managing access to critical resources by admins and other privileged insiders.

However, we are beginning to see signs that this is slowly changing, and IAM vendors are now beginning to encroach on each other's turf. For example, IDaaS provider Okta has dipped its toes into the PAM segment via the purchase of ScaleFT, while Microsoft has broadened its Azure AD franchise to incorporate identity governance capabilities. We see two main drivers that are causing IAM boundaries to collapse: The pursuit of a greater TAM to support rich valuations, and the need for the rest of the IAM industry to keep up with leaders such as Microsoft, Okta and Ping Identity.

Will the legacy IAM suite vendors (e.g., CA Technologies, Oracle, Micro Focus, and others) continue to stay on the sidelines and watch the IAM industry evolve without them? Or will they become active participants, perhaps via M&A? In our view, many of them are poorly positioned to address the onward migration to the cloud and other new architectures, and could benefit from adding some fresh blood, perhaps in the form of a modern IAM firm such as Auth0, OneLogin or SecureAuth; a next-generation PAM specialist like Thycotic, Remediant, STEALTHbits or even Centrify; or to stretch even further, an SDP-/zero-trust-focused vendor like Banyan or Axis Security, or an adaptive authentication player such as Silverfort, CallSign or Preempt Security.

We could also see more narrowly focused IAM vendors look to cross into other's areas via dealmaking. Additionally, we have noted a lot of activity recently in PAM, for example, with next-generation providers such as Remediant, STEALTHbits and Xton coming out with new just-in-time PAM offerings that look to provide an alternative to traditional static credentials and password vaults by extending access on an as-needed basis. SailPoint recently ventured into the PAM arena with the pickup of Orkus, and it wouldn't be a stretch to see IAM competitors such as Saviynt follow suit, or reach into adjacent areas like IDaaS or customer-focused IAM.

Data Security

Many encryption bets have been placed over the past few years, none larger than the coming together of the two encryption giants, Thales and Gemalto. The latter was also the catalyst for another large deal last year, Entrust Datacard's reach for nCipher, which was carved out of Thales to satisfy regulatory requirements in the EU. Given the massive consolidation that has already occurred, what other areas of opportunity might there be? HSMs have seen a surprising level of interest in the past year or so, partly due to the utility of applying PKI to new use cases in DevSecOps and IoT, as well as an overall increased interest in data security.

To illustrate, Germany-based HSM specialist Utimaco purchased Atalla from Micro Focus and, as noted, Entrust obtained HSM technology from Thales. Two areas of interest could be around HSMs delivered as a service, which is a realm pioneered by players such as KeyNexus as well as new 'virtual HSMs' offered by companies such as Fortanix and Unbound. There have also been some new developments around 'encryption in use,' with vendors such as Baffle, Duality, Enveil, InPher, Preveil, Sepior and Shield IO offering various technologies to perform operations on encrypted data without ever decrypting it. These firms could be complementary to existing providers with traditional encryption offerings that focus more on data at rest or in-transit.

Heightened interest in data privacy thanks to new regulations such as GDPR and CCPA has led to a substantial influx of VC into privacy-focused startups such as TrustArc (recent $70m series D round), BigID ($100m raised in just six months) and OneTrust ($200m series A round). Not surprisingly, we've already seen purchases of privacy vendors such as Cognigo (NetApp), and suspect that they may represent interesting targets for data management, security or storage providers aiming to offer answers for data residency concerns, as well as other privacy startups like like1touch.io, Integris Software, Io-Tahoe and Prifender. Vendors historically more focused on data classification and governance, including TITUS, Varonis, Boldon James, STEALTHbits and Spirion, could also be in the mix.

Endpoint Security and Threat Protection

The endpoint sector continues to evolve and consolidate. The past couple of years have seen acquisitions of well-known vendors such as Cylance, Carbon Black and Endgame, among others. This reflects, in our opinion, the ongoing importance of the endpoint in any modern security architecture. It is often the device that is most exposed to potential threats, often moving between environments with different threat levels and operated by users that are, after all, human and fallible. The never-ending demand from customers to 'simplify, simplify, simplify' has led to several sub-trends within the endpoint security space.

Virtually all of the larger endpoint providers' offerings now include protection, detection and response, often in the form of combined agents or products that work well together. The back end is now almost expected to be cloud-based, although companies may offer on-premises options. Other trends include much more emphasis on analytics, increased overlap with server protection use cases, addition of IT systems management functionality, and a much greater importance placed on managed service offerings.

Taken together, these trends point to more activity expected in the endpoint arena. For example, as the endpoint security firms tout their own analytics capabilities, well-known analytics vendors such as Splunk or Sumo Logic, for example, may want to follow in Elastic's footsteps and have their own endpoint offering. IBM could be a potential shopper as well, as it moved its BigFix product to HCL but may still consider wading into endpoint to complement its own analytics. Targets will vary but could include well-known brands such as Bitdefender, ESET and Malwarebytes, all of which come with some customer base to begin with. For those seeking to enhance their server-based offerings, firms such as Uptycs, Capsule8, Atomicorp and Wazuh might prove attractive.

Cloud Security

Cloud-native security and the 'innovator's dilemma'

The security implications of cloud-native technology and adoption are, quite literally, top of mind for senior IT leadership at end-user organizations, cloud providers and security firms alike. According to 451 Research's VotE results, security-related topics are the top issue for customers currently working in IT.

This has driven cloud-native platform vendors to focus on cloud-native security capabilities. Platform providers have added security capabilities, either for free or as easy-to-consume premium services. Third-party firms, on the other hand, have incorporated cloud-native security functionality, either organically or via M&A. Every large platform provider, including AWS, Azure, Google, IBM/RedHat, VMware/Pivotal, and others, has added significant security functionality into its platforms. Typical features include support for workload security, network security policies, IAM, data encryption, and more. If a customer's cloud delivery team is well-versed in the technologies offered by vendors, it can achieve significant security outcomes by using what's available natively, if not for free. For many customers, this may be sufficient, although others may have requirements best met by adding third-party security functionality.

This means that, for third-party suppliers, the whitespace for offerings changes significantly. Those that have struggled to transition from traditional product- and licensing-focused strategies to as-a-service models and annually recurring subscriptions have faced varying degrees of success and failure as they tackle the innovator's dilemma of how best to balance sustaining legacy growth with investing in the future. Today, the main use cases for offerings with more of a cloud or as-a-service focus are to provide consistency across environments, handle more specific use cases, or partner with providers.

While platform vendors offer significant capabilities, customers still require products that simplify deployments or provide consistency across multiple technology platforms or cloud suppliers. This is a common use case, for example, for those seeking cloud security posture management across providers, or data security between a supplier and on-premises estate. Other security needs may include support for industry-specific compliance mandates and better integration with existing enterprise systems or datasets. Third-party vendors have been aggressively acquiring in the cloud-native security space, with Palo Alto's purchases of Twistlock and PureSec, Check Point's pickup of Protego Labs, and Trend Micro's acquisition of Cloud Conformity notable transactions as security providers aim to complement their offerings with newer cloud-native capabilities.

By now, many of the more well-known security firms have obtained some level of cloud security posture capabilities or container security support – Symantec/Broadcom, McAfee, Trend Micro, Palo Alto, Check Point, Cisco, Netskope, Aqua Security and Sophos come to mind. Missing from the list (and thus possible suitors moving forward) include the likes of CrowdStrike, Fortinet, Kaspersky and Bitdefender, among others. Possible interesting targets include Fugue, Turbot, DivvyCloud and JupiterOne.

Many of the latter have also invested significant sums in cloud access security brokers (CASBs) to help protect SaaS applications. While the number of CASB targets and likely buyers has dwindled considerably, Bitglass, CensorNet, CipherCloud and Managed Methods are still available, although we suspect that Netskope has priced itself beyond reach for most firms and is more likely to go public.

Cloud providers themselves have also been active security shoppers over the years. Google has been among the most prolific, with over 11 security transactions dating back to 2007. That said, with the exception of Postini, most deals have been tuck-ins and Google notably hasn't inked another security purchase since the 2017 pickup of IDaaS startup Bitium. Microsoft has snagged five security vendors over the past five years, most recently data security specialist Blue Talon. AWS, however, has shown less appetite to acquire security tech, with the most recent examples being its purchases of Harvest.ai and Sqrrl.

Lastly, vendors may also participate by selling security threat intelligence or capabilities to the cloud suppliers themselves. As an example, CrowdStrike and Proofpoint provide threat data to complement AWS's GuardDuty offering, while Google recently announced that it will enhance its partnership with Palo Alto to include threat data.

In recent years, much investment in technologies devoted to both proactive security management (e.g., vulnerability management, security awareness and threat intelligence) and responsive security operations (e.g., security information and event management (SIEM), security analytics, and security automation and orchestration) has been focused on enhancing sophistication, with many bets placed on forward-looking realms such as machine learning. But one of security's hardest problems is much less glamorous and has been a difficult issue for years – simply getting a handle on an inventory of assets to know where exposures are and how their remediation should be prioritized. The challenge is further complicated by the rise of a daunting new variety of operational technologies and increasingly 'smart' devices in the enterprise – several of which will approach 14 billion by 2024, according to 451 Research's recent IoT Market Monitor.

Asset inventory is just part of a larger challenge facing security operations going forward. That challenge includes the multiple aspects of coordinating visibility, policy and control across an increasingly diverse IT environment. While this does not include IAM (a significant driver in its own right), it does cover establishing and maintaining security policies for IT assets, assessing and mitigating vulnerabilities, monitoring and alerting for suspicious activity, and investigation and response for security incidents. As if that weren't broad enough, these priorities must also cover a variety of terrain – including cloud and cloud-native architectures both on- and off-premises, SaaS applications, and legacy IT. Increasingly, the demands extend to operational and industrial technologies as well, along with the billions of new devices they will introduce.

It's therefore telling that the winner of the Innovation Sandbox competition at the 2019 RSA Conference US was not a futuristic application of analytics, biometric authentication or other 'gee whiz' innovation. It was Axonius, a startup specializing in the collection and maintenance of assets across a wide range of technologies and use cases. Axonius and its rivals, including Rumble, Bit Discovery and even longtime veterans such as Skybox Security, represent just one segment drawing increased attention. The demand for visibility not only into cloud environments but also across multi-cloud and hybrid investments is another, represented by cloud security posture management, where examples noted previously include Fugue, Turbot, DivvyCloud and JupiterOne.

The need for visibility into cloud architectures highlights the requirement to expand network visibility beyond legacy network environments. This affects the realm of network visibility, detection and response (NVDR), where potential acquisition targets as well as possible IPO candidates include Awake Security, Corelight, Darktrace, ExtraHop Networks, MistNet, Netography and Vectra AI. Players adding NVDR capabilities that enhance their potential for purchase include Lastline, long familiar as a supplier of sandboxing technology. NVDR itself may be considered part of a larger trend in which vendors seek to consolidate threat detection and response across networks and endpoints as well as in datacenters and among cloud suppliers.

But are these many emerging segments truly ripe for acquisition? Given how fundamental asset management, for example, must be to building a solid basis for vulnerability management, one might expect leaders in this space to be placing bets there. Instead, we reported last year that those such as Qualys follow with their own new approaches to asset inventory, sometimes even with free offerings designed to retain existing customers and discourage wandering eyes from considering pure plays and startups. Such factors can make M&A prediction difficult. Where deals have accelerated, buyers have become better aligned with enterprise security priorities with which they were out of step – in the IoT security segment, for example, where acquirers finally seem to be acknowledging the priority that practitioners are placing on securing a growing range of devices and operational technologies.

Network Security

Security in the networking world is being transformed and the markets are taking note. Core networks are starting to take advantage of the benefits that virtualization and SDN have offered. Enhanced telemetry is creating meaningful insight and declarative controls are delivering granular isolation. As users roam ever wider, their interconnection is the place where security has to take hold. These shifts are being driven by a need to deal with the complexities that an expanding set of vendors in more complex hybrid environments creates. The network is the place where there's hope that activity and controls can be sufficiently abstracted to make the whole thing manageable.

We have written extensively about zero trust and software-defined perimeter (SDP) suppliers in the past year, and have seen several SDP vendors snapped up in the past 18 months, including Vidder (Verizon), Luminate Security (Symantec), Meta Networks (Proofpoint), ScaleFT (Okta) and Duo Security (Cisco). One interesting item about these deals is the variety of buyers – a telco, a network security giant, an IDaaS provider and an email security vendor. Thus, we anticipate that demand could come from a variety of areas.

However, to the extent that SDP offerings could be considered an existential threat to the VPN market, NGFW/VPN specialists such as Barracuda, Check Point, Fortinet, SonicWALL and WatchGuard would be logical buyers of SDP targets, which could include Axis Security (formerly known as Storm Black), Banyan, Odo Security, Perimeter 81, Safe-T, and others.

Another possibility is that the access network market will evolve in ways that echo the SD-WAN space. Early deployments were specialized DIY affairs, followed by service-provider offerings for the broad market. The idea of the 'secure access service edge' has been introduced and vendors like Cato Networks are leaning into the likes of Zscaler to distinguish themselves. Cloudflare's recent pickup of S2 demonstrates that there are options for service providers (in this case, a CDN supplier) with established, high-performance network delivery capabilities to offer these complex services in ways that are much easier for enterprises to consume. That could lead others such as Imperva or Akamai to eye the likes of OPAQ Networks or Versa Networks, a builder of SD-WAN services for telcos, to add more sophisticated user-access functionality as enterprises grow weary of managing VPN complexity themselves.

Application Security

The sector's signature deals (F5's acquisition of Shape Security and NTT Security's purchase of WhiteHat Security) represent two ends of the spectrum for application security – protection for applications in production, and hardening via assessment for vulnerabilities in the application development process. As infrastructure continues its abstraction, application development is coming more to the forefront for many enterprise IT departments, and unsurprisingly, appsec is following suit. NTT's reach for WhiteHat demonstrated that, as the buyer added appsec to an existing offering mostly around managed services.

The software composition analysis (SCA) market is attracting attention as the composition of open source components in modern applications continues to increase. Snyk received $70m in funding in September. Sonatype was acquired by Vista Equity in November. Checkmarx ended its arrangement with WhiteSource and announced a homegrown SCA product last summer, and Veracode similarly announced its integration of technology via the SourceClear buy into its appsec platform. It's clear that SCA is being integrated earlier in developer lifecycles, but more importantly from an M&A standpoint, as well as alongside other forms of appsec testing. This suggests that the remaining pure plays (think the names cited above as well as WhiteSource) are targets for buyers looking to offer more of a platform play in appsec.

In the application-protection space, Signal Sciences raised $35m last February. There were rumblings by the summer that Cisco was interested in an acquisition; while that hasn't happened, the next-generation WAF specialists represent a departure from the characteristics of original WAF approaches, and thus could be targets, along with RASP players like Contrast Security and Waratek, for any large security portfolio provider that is short on appsec capabilities. In the related bot mitigation space, F5's purchase of Space Security followed Imperva's pickup of Distil Networks and Radware's reach for ShieldSquare. WAF players are realizing that bot mitigation is an obvious area of growth.

IoT Security

In terms of 2019 deal volume, IoT security experienced one of the biggest increases in dealmaking of all security segments, with the number of transactions tripling compared with both 2018 and 2017, according to the M&A Knowledgebase. Yet this activity accounts for less than 10% of overall IoT deals in the past year, as most acquirers sought to add primary IoT capabilities to their portfolios to capture market opportunity.

But that could change in 2020. Following the acquisition in September of ZingBox by Palo Alto and Tenable's purchase of Indegy in December, the first week of the new decade kicked off with Insight Partners’ acquisition of Armis at a unicorn valuation, with Rockwell Automation buying Avnet Data Security only a day later to bolster its IT/OT security offerings. These could mark a turning point in IoT security M&A, if this year's deals better reflect enterprise priorities. According to 451 Research's VotE: Internet of Things, Budgets and Outlook 2019, 'improved security' is the single biggest factor respondents cite for their increase in overall IoT spending. Acquirers may finally be waking up to this reality.

That would be good news for the likes of Ordr, SecuriThings and others coming to market with an IoT security emphasis. Many organizations are still largely unprepared to deal with environments where, for example, a single factory may be running thousands (if not tens or hundreds of thousands) of devices. Legacy endpoint security may not be well equipped to handle the specific – and often nonnegotiable – requirements of industrial OEM technologies. The data these devices will generate, the network bandwidth they will consume, and the security their network links will require are additional factors to weigh. Then there's the matter of identifying each of them, and ensuring that they – and perhaps their users – may require not only authentication but also authorization to perform specific functions and limit their susceptibility to exploit.

If IoT security consolidation does accelerate, two factors in particular are expected to contribute. One is the sheer growth in the number of devices: As noted, 451 Research expects this number to reach nearly 14 billion by 2024. The other is the rise of 5G connectivity, which promises to extend to the wider world of wireless bandwidth and availability heretofore only available from physical networks in the brick-and-mortar enterprise (but perhaps with some limitations, such as challenges in penetrating difficult physical environments that may limit the range and reach of 5G). But it's still early days for the latter. Only in the past few weeks, Amazon Web Services announced its AWS Wavelength initiative to embed the company's compute and storage services at the edge of telco's 5G networks. We would expect emerging security capabilities to follow this trend, however, to deal with scale by pushing security functionality such as authentication and access control much closer to the edge.

Security Services

As the demands and importance of enterprise cybersecurity continue to grow, leveraging security services is becoming an attractive option for many organizations. Enterprises are increasingly turning to managed security services to fill gaps, meet compliance demands, secure a hybrid and complex IT ecosystem, and accelerate the adoption and deployment of advanced security technologies. Enterprise trends such as the rapid adoption of emerging technologies and the increasing risk of industrial and operational networks are outpacing the ability of most security teams, creating ample opportunities for MSSPs.

To capitalize on these opportunities and capture a larger portion of enterprise security spending, MSSPs are rapidly expanding the range of their capabilities. One of the major trends in security services is the move toward a broad, integrated portfolio of services that provide an increasingly larger percentage of the functionality and capabilities that organizations require to secure their expanding environments and manage risk. While we anticipate further M&A surrounding similar types of security services firms as they seek to expand, boost market share and gain expertise, this shift toward a platform approach is driving acquisitions of ancillary startups and security service specialists as MSSPs aim to grow the boundaries, scope and scale of their services and capabilities.

The managed detection and response (MDR) segment is a prime example of this trend. MDR suppliers are increasingly expanding the scope of their offerings by acquiring and integrating capabilities such as asset discovery, attack simulation, security tool efficacy monitoring, and industrial and operation network threat detection. At the same time, security service providers in other sectors are looking to expand their portfolio with MDR services, while newcomers to the security services space, including professional services firms and traditional hardware and software vendors, are aiming to capitalize on the growing opportunity of security services.

Many consultancies and SIs that have been successful in moving into the provisioning of digital transformation services around cloud-native, agile development for both infrastructure and apps have spotted a gap in their portfolios that needs urgent remedial work and that lies with the delivery of secure services over cloud infrastructure. For this reason, the large global firms, along with the tier two and three providers, have been investing in developing cybersecurity offerings.

The significant time, resources and expertise required to build out a security services offering and capture market share, along with the need to offer a broad, integrated portfolio of services, will drive a significant part of the acquisition activity in the security services space in 2019. This year kicked off, for example, with Accenture buying Symantec's cybersecurity services business, adding to the company's acquisitive approach to developing Accenture Security, which has seen it snare Déjà vu Security, iDefense, Arismore, Maglan, Redcore and FusionX over the past few years. Similar transactions include Sophos' purchases of Rook Security and DarkBytes, EY's pickup of ElevatedPrompt Solutions, Orange's reach for SecureData, and ConnectWise's acquisition of the Sienna Group – all of these moves illustrate the broad and diverse dealmaking that will continue in the security services space.

The ability to manage cybersecurity requirements for clients is an expanding opportunity, hence the interest in firms that can help service providers demonstrate competency here. We expect this trend to continue in 2020 with a range of global service providers like Atos, Fujitsu, EY, Accenture and DXC looking to further enhance their managed cybersecurity capabilities. Possible targets based in the US include Anomalix, Foresite, IntrustIT, ScienceSoft, SecureWorks, TrustNet and TSC Advantage. Cybereason, SentinelOne, ThreatStack, Defendify, Digital Defense, ForeScout, Orca Security and Cimcor may be attractive targets for MSSPs looking to build out their security services stack with a broader range of capabilities.

IPO Candidates

Last year was another healthy one for infosec IPOs, with four companies crossing the public threshold (Cloudflare, CrowdStrike, Ping Identity and Tufin), matching the four debutants from 2018 (Avast, Carbon Black, Tenable and Zscaler) and 2012 (AVG, Palo Alto, Proofpoint and Qualys).

As we enter the new decade, the current pipeline remains quite healthy, with more than 20 candidates that could arguably have a shot at going public in the next few years. The list below includes the 10 vendors we think have the best shot at a public debut in 2020, with apologies to those providers that were on the list in the past (e.g., Alert Logic, Bitdefender, Centrify, Darktrace, Forcepoint and ForgeRock) but for which we think need more time.

• Exabeam: The company has parlayed its beginnings in user behavior analytics into a strong position in the SIEM space, challenging incumbents and expanding its portfolio with security automation and orchestration for response. A $75m funding round in May brought its total to $193m.
• Checkmarx: As part of Insight Partners' portfolio following an $84m investment in 2015, the Tel Aviv-based appsec vendor has established itself by integrating into DevOps processes, offering a largely Checkmarx-developed (as opposed to acquired) set of AST tools to aid developers in writing more secure code.
• Cybereason: The firm raised an additional $200m in 2019 and is now eyeing an IPO in the next couple of years, so a public presence in 2020 is quite possible. Cybereason has been aggressively developing capabilities based on its endpoint security footprint and tying it with professional services.
• Illumio: The vendor has settled on agent-based micro-segmentation as its key offering, using it as a basis for providing secure connectivity and visibility between workloads. In early 2019, Illumio raise a series E round, bringing its total funding to $333m.
• KnowBe4: From an emphasis on SMBs, KnowBe4 has built a strong customer base among organizations of all sizes and a solid data set informing its security awareness-training platform. A $300m funding round at a unicorn valuation was led in June by KKR (which had already led a $50m tranche for KnowBe4 only three months prior), bringing the company's total financing to $393m.
• McAfee: With recent reports indicating that it has hired underwriters, McAfee is expected to go back to the public markets in the near future in what is expected to be a large raise by infosec standards. The vendor has revamped its strategy to better support a device-to-cloud approach to security.
• Netskope: The CASB pioneer has raised $400m, a princely sum for an infosec provider that underpins a valuation likely too rich for many strategic infosec suitors. Recent moves into web security and SDP/zero-trust network access could help Netskope tap into new revenue streams needed to support a public price tag.
• Sentinel One: The firm has landed $230m in funding, including a $120m round in 2019, looking to fuel growth beyond traditional endpoint security. Sentinel One has been raising the profile of its platform approach, including support for additional IoT security and cloud workload security use cases, with a go at the public markets a distinct possibility in 2020.
• Sumo Logic: The SIEM contender that began with the disruptive impact of search and deployed it in an equally disruptive as-a-service model raised a late round of $110m in May at a $1bn-plus valuation, bringing its total funding to $345.5m.
• Venafi: The certificate and key management provider has taken in a total of $167m, the most recent a $100m round in 2018 intended to help finance its growing emphasis on offering certificates for code signing, managing machine identities for DevOps, IoT, containers and other machine-driven use cases.