This sector is ripe for M&A


In the past couple of weeks, we've seen an upswing of activity in the cybersecurity space. Symantec is in the process of acquiring Blue Coat, Vista Equity Partners announced its intent to buy Ping Identity, and Cisco announced its intent to buy CloudLock. Then there are the rumors that companies like FireEye are being hotly pursued by multiple potential buyers. There are several reasons for this, but most importantly, cybersecurity has become a critically important concern across every sector.

Companies, irrespective of industry, are trending toward working and transacting almost exclusively online. They're storing more data and more types of data in the cloud and often their only point of customer contact is via the internet. The exposure this has created — including the potential risk to brand and revenue that accompanies security failures — has elevated cybersecurity to being a board-level concern. This has, in turn, raised the level of spending on cybersecurity solutions to unprecedented levels in both the private and public sectors — spending is expected to increase from $75.4 billion in 2015 to $170 billion in 2020, according to research firm Cybersecurity Ventures.

Historically, many security-related start-ups have focused on inventing significant new technologies that address narrowly defined threat exposures — suspect user behavior, ransomware attacks, or honeypot-driven deception tricks, for example. And bigger security teams selected a handful of these vendors to plug newer holes in their environments. This comes at some cost, though, as the security teams work across several consoles to manually address potential issues that have been flagged. But with the frequency and sophistication of attacks increasing and the persistent shortage of security professionals, security teams are looking for more comprehensive analyses and more integrated solutions — ideally those that go from recognizing to remediating threats without human interaction.

I'm seeing this increased demand firsthand in customer feedback to almost all the security start-ups I've invested in at General Catalyst. Customers want less complicated, more comprehensive security solutions, and that will drive significant consolidation of vendors, services, and consoles in the immediate future.

We're already seeing some of this activity take place. Blue Coat bought Elastica in late 2015 to augment its own web-security offerings with Elastica's increasingly popular CASB (cloud access security broker) technology, which offered continuous visibility and threat protection specifically built for cloud services. And Symantec, in turn, is buying Blue Coat, which will augment its own on-premises security services with Blue Coat's cloud security products. Cisco's purchase of OpenDNS provides a similar complement to its current offerings. IBM Security will acquire Resilient Systems, which will add incident response capabilities to its current portfolio. And the list goes on.

The collection of cybersecurity "unicorns" (e.g. Tanium, Okta, Illumio, and Lookout) as well as earlier-stage customer favorites are surely on several corporate development lists as we speak.

Demand for more comprehensive feature sets isn't the only thing that'll drive this M&A fervor. For some public companies like FireEye, the attraction could be a belief that their stock is undeservedly low. Given the macro environment around cybersecurity spending, this type of company makes a great target for a private-equity buyout that could take it private, clean up some of its problem areas and get it ready for a second IPO. Proofpoint and Imperva are two companies that could follow that path or be acquired by a larger strategic vendor like HPE Security, which would augment HPE's portfolios with strong application (Imperva) and email (Proofpoint) products.

And the buyers will move beyond the usual U.S.-based technology companies; we will see some interesting international acquisitions from companies such as Samsung, BAE, Check Point, NTT, and BT. We'll also see some non-traditional cybersecurity buyers including auto companies, retailers, and industrial stalwarts. Security is important enough to these markets that they'll want to own their own destiny rather than entrusting it to other vendors.

The security space is sitting in a perfect storm of incredible demand for services, a constrained supply of talent, and ever-evolving product needs. This makes it one of the more attractive areas for early-stage investment and certainly an area where we'll continue to see big-ticket acquisitions and some lucrative IPOs in the coming months. Interesting — and active — times ahead.


Commentary by Steve Herrod, managing director at early-stage venture-capital firm General Catalyst. Previously, he was the chief technology officer at VMware. Follow him on Twitter @herrod.

Disclosure: General Catalyst's portfolio companies include Illumio and Ping Identity.
