Cybersecurity has an M&A problem. CISOs should be wary.


The cybersecurity market is chaotic. New players frequently emerge, hyped as the next panacea for security woes, while incumbents are often acquired or merged with other businesses. While hype and rapid change is nothing new in any industry with the prefix “cyber” attached, it can be particularly troubling in cybersecurity, where finding the right partners is critical. Unfortunately, the rapid formation of startups, and the speed with which they are acquired makes it hard to know who to trust.

In this market, managing the chaos and selecting the right security partner can be challenging, but it is not impossible as long as you keep two tenets in mind. The first: it’s quite often worth kicking the tires when a new vendor comes around. Smaller companies and startups can offer excellent service, and IT is still an industry where good solutions are invented every day. The second: the acquisition of a vendor can lead to headaches down the road, like a degradation in service or technology quality.

Considering these two tenets, here’s how you can manage the constantly changing cybersecurity market.

If you find a new company you may be interested in, take a look at the founder. If the CEO has the title “serial entrepreneur’ on their LinkedIn page, it could be a red flag. That description is a mark of success to many. It could also be a sign that the firm was started for the sole purpose of selling it. That shouldn’t necessarily disqualify a vendor, there are a lot of good reasons to sell a company. But if the CEO doesn’t have a strong track record in cybersecurity, pay special attention to what drives their business and why they are qualified to be your partner. Ask about the company’s five year plan, and see if it makes sense.

Make sure new solutions are right for you. A hot new startup comes knocking with lots of venture capital backing. You’re thinking to yourself, ‘If they earned serious VC investment, their service must be important.’ Don’t assume that because a security solution has marquee investors, that it is compatible with your security regime. Some solutions play well together, but some don’t. When working with a startup, be wary of compatibility issues. 

If your vendor is bought, look at the track record of the buyer. The industry is full of cautionary tales of large players snapping up rivals, only to fail when it comes time to integrate the new technology into its system. There are even some firms with a reputation for failing to integrate acquisitions well. Be prepared for change, and act accordingly.

Understand the reasons behind an acquisition. There are lots of good reasons for an acquisition. Companies buy other companies as a fast way of gaining market share, or gaining entrance into a new vertical or territory. Sometimes, the buyer has complimentary technology, and the two companies together create a better offering. All of these are solid reasons for an acquisition, and don’t necessarily portend a decline in service or quality, but you should be ready for either outcome.

There’s a significant talent shortage in cybersecurity. That means most companies are going to have to hire outside experts, rely on vendors, or deploy automated solutions for security. Many of them will be startups. In this environment, the constant churn of mergers and acquisitions is unavoidable. CISOs likely will not be able to eliminate the headaches that come with it. But it can be mitigated and managed. Good luck. 

Contact Us

Related Posts