Amid general concerns about the macro and corporate spending outlook, it appears that cybersecurity remains an area of strong growth and resilience, as illustrated by the latest Morgan Stanley survey of Chief Information Officers that found that spending on security software was the least likely to be cut among the whole Tech categories (software and hardware).
It should then come as no surprise that many Tech companies and notably Tech giants have been making a major push in cybersecurity in recent months. While Microsoft was already a security powerhouse with a leading franchise in identity and access management, the Seattle-based company has made a number of bolt-on acquisitions and is now gaining traction into the extended detection and response (XDR) market, providing detection and response for endpoint email, data and cloud applications.
Interestingly, Microsoft has also disclosed for the first time $15 billion revenue in cybersecurity, with the obvious target to position itself as an industry leader (for comparison purposes, Fortinet’s revenue in 2021 was $3.4 billion).
Meanwhile, Google is also trying to position itself as a security brand following the acquisitions this year of leading threat intelligence company Mandiant (formerly FireEye) for $5.4 billion and that of Siemplify in security orchestration, automation and response (SOAR).
Aside from the secular growth story (increasing economy digitization = proliferating cyber-attacks), it’s obvious that Tech giants are also enticed by the strategic nature of cybersecurity for their cloud operations and that building comprehensive security offerings will allow them to differentiate their cloud from rivals. As cloud computing is relentlessly eating away corporate on-premises infrastructures, IT security, which was stacked on existing infrastructure and provided by niche players specialized in firewalls, email security or identity and access management, is now increasingly being delegated to hyperscalers (Amazon AWS, Google Cloud, Microsoft Azure…) which must offer top-notch, cloud-native cybersecurity solutions in order to attract and retain the most demanding customers.
And for Tech companies with a hardware-driven business such as Cisco, cybersecurity represents the opportunity to accelerate the transition to software and cloud-based revenue. Cisco just announced the development of a unified platform for end-to-end security across multi-cloud environments that seeks to deliver on the Zero Trust promise/framework, which requires all users and devices, each time they connect, to be authenticated, authorized, and continuously validated before being granted access to applications and data.
Importantly, this fast-paced expansion into cybersecurity is not raising any antitrust concerns as the cybersecurity industry is highly fragmented. As an illustration, Mandiant’s stock price is currently trading very close to the Google bid price, while another ongoing takeover, this time in the video gaming business (the acquisition of Activision by Microsoft), shows a discount above 20% as it is likely to face antitrust hurdles.
Hence, M&A should remain a major topic going forward as it is the easiest and fastest way for Tech giants to offer the necessary set of cybersecurity products/services amid resource scarcity. Chances are then high that the cybersecurity spending commitments announced last year by Google and Microsoft ($10 billion and $20 billion over the next five years, respectively) include an aggressive acquisition policy. Note that other cloud providers such as Amazon and Meta Platforms are likely to follow that path as well in order to quickly beef up their own security capabilities and better compete with their cloud rivals.
For the cybersecurity pure players, the implications are two-fold. In the short term, they could benefit from commercial partnerships and takeover speculation, keeping in mind that cloud giants have massive M&A ammo and can afford high price multiples for businesses that have strategic importance. The 57% premium paid by Google for Mandiant is telling.
Longer term, they could be at risk of being marginalized in an industry dominated by giants should they fail to strike partnerships or M&A deals.