Cybersecurity Consolidation Continues, Even as Valuations Stall
As the US economy has tightened, the venture capital and acquisition landscape has quickly shifted to become a buyers’ market, with startups failing to command the high valuations that were common in past years.
While the sheer number of financing deals is on track to match the more than 1,000 cybersecurity-related investments announced in 2021, the value of those deals has dropped by more than a quarter, according to data from cybersecurity-focused advisory firm Momentum Cyber. The value of purchased companies is also on track to drop by a quarter in 2022, although the absolute number of acquisitions will only drop by about 8%.
The leaner times for startups and their venture-capital backers come as the private sector is cutting costs and refocusing on the most profitable lines of business to ready themselves for a possible recession, says Eric McAlpine, a managing partner at Momentum Cyber.
“We have already seen larger venture-backed companies consolidate significantly to cut costs and refocus on profitability,” he says. “Strategic acquirers often have a tough time justifying new acquisitions to their board and taking on companies with new employees in a time where they are already cutting resources and headcount internally.”
The worry of a downturn has spread across industries. The majority of companies — 83% — are concerned about a recession coming in 2023, with half of organizations taking concrete steps to prepare for an economic slow down, according to Spiceworks Ziff Davis’s “2023 State of IT” report. Three-quarters of businesses are planning to reduce the number of security vendors they use, a significant move toward consolidation from two years ago when 29% aimed to reduce their vendor count.
As the business landscape changes, so, too, are companies changing the way they operate. The vast majority of firms — 83% — are placing a greater focus on digital capabilities and operations, according to a survey of CEOs conducted by business intelligence firm Gartner. The analyst firm stressed in a March 2022 advisory that such efforts require cybersecurity teams to adapt and take an integrated role in protecting and enabling the business.
Companies’ security teams should “transform the security function into a true business-enabling capability by shifting away from risk-averse, control-driven security operating models toward a more agile, advisory-centric way of delivering security services,” Gartner stated.
Smaller Companies, Smaller Investments, Fewer Layoffs
Venture money is currently following these trends. Overall, the era of big valuations for newcomers has come to “a standstill,” says Momentum Cyber’s McAlpine, who sees founders not receiving the same high valuations compared with the recent past, leaving many to hold off on being acquired in the current market.
There are some exceptions, such as Broadcom’s massive deal to acquire VMware — a deal valued at $69 billion. And October saw a surge in deal-making, with two large acquisitions — KnowBe4 and ForgeRock — by private equity firms. But those were outliers, with the number of deals reaching a low point in September, according to McAlpine. Overall, smaller and more specialized firms will make up the vast majority of acquisition targets in the near future, he says.
So far, in 2022, the average (mean) financing deal amounted to $21 million, down from $28 million in 2021. , and the average acquisition price was $21 million (after dropping the deal for VMware), also down from $28 million.
The good news? Employee layoffs will not necessarily be part of the post-merger landscape, McAlpine says. Typically, general business and administration departments represent most of the duplication between merged companies, leading to cuts in employees in those departments, while the engineering and development teams at startups are sought after for their expertise, he says.
“Employee cuts aren’t very common after a merger, even in a down market,” McAlpine says. “Many smaller firms and startups are lean to begin with, and their employees are typically viewed as a valuable part of the acquisition.”
No Recession in cybersecurity?
The good news for cybersecurity companies is that the business demand for products and services is not going away anytime soon, and there are signs that the sector will continue to grow — albeit much more slowly than prior years.
Slightly more than half of companies (51%), for example, expect to increase their IT budgets, and only about 40% of those attribute the increases to inflation, according to Spiceworks Ziff Davis’s “2023 State of IT” report. The Bureau of Labor Statistics currently pegs inflation for end-user prices at approximately 9% year-over-year, but the average IT spending is expected to grow by 13% in 2023 compared with the prior year, says Peter Tsai, head of technology insights at Spiceworks Ziff Davis.
Companies are updating outdated infrastructure, increasing their focus on IT projects like digital transformation, and adding employees to critical areas — all of which represents cybersecurity risk, which requires increased spending on defenses.
“Both the size of the overall tech spending pie was expected to increase, in addition to the security slice of the pie getting a bit larger,” Tsai says. “Inflation will certainly be a factor influencing many 2023 budget increases, but it won’t be the top reason driving budget growth.”
Read More HERE