The last couple of years have seen a growing trend for larger tech players acquiring cybersecurity startups. The founders of these smaller businesses are often offered lifechanging amounts of money by more established enterprises looking to buy their technology exclusively, and keep it in house as part of their own wider offering.
For many founders, this can represent something of an ethical quandary. Quite often - especially within cybersecurity - a personal passion will have driven them into the industry. Whether it’s a burning desire to tackle the impact of cyber-crime or a talent for coding or software development, plenty of security founders will have strong individual reasons for launching their particular business.
So, as tempting as the money may be, serious consideration must be given as to how they proceed. Should they retain their independence and, by allowing more people to use their technology, contribute to the wider good? Or do they choose to go forward with the acquisition and risk their technology only being used by one organisation?
A commercial logic
Cybercrime is on the rise. A recent global study found a 17 per cent annual growth in the volume of attacks and a 30 per cent increase in their severity. It’s perhaps unsurprising, therefore, that the same study reported a 24 per cent increase in spending on cybersecurity.
Given the need to tackle an ever-evolving threat landscape, the cybersecurity market is becoming increasingly crowded. The wealth of solutions and technologies on offer can mean smaller companies will find it harder to cut through the noise. At the same time, larger organisations need to grow, and remain relevant in order to remain competitive. Doing so requires them to constantly innovate and develop new solutions. It’s here, then, that the mutual advantages of acquisitions can be seen.
The buyers, for example, are able to offer their customers a wider range of innovative and up-to-date options, with the ultimate aim of becoming a preferred vendor, or even diversify beyond their original offerings. And the startups themselves, of course, will enjoy exposure to a larger audience, and the reputational benefits that come with being associated with a larger, more established brand.
This commercial logic, as well as the growing need for cybersecurity, is what lies behind the raft of recent high-value acquisitions in the sector.
A year of acquisitions
2019 has seen a number of cybersecurity startups being acquired by some of the world’s largest tech players.
In October, Alibaba Cloud, a subsidiary of the Chinese e-commerce giant, announced its intention to buy cybersecurity startup Chaitin Tech. The startup will continue to operate independently, using Alibaba Cloud’s technology, capital, and businesses to expand, while the larger company will use the purchase to enhance the capability of the services it provides to its own clients.
Earlier in the year, global cybersecurity leader Palo Alto acquired serverless security firm PureSec to extend its Prisma cloud security strategy. Professional services company Accenture acquired Canberra-based cybersecurity consultancy BCT Solutions to enhance its defence, national security and public safety services in Australia and New Zealand, and Cisco Systems acquired Sentryo, intending to merge its industrial IoT platform with its own networking technology to help companies in the manufacturing, oil and gas, and transportation sectors become more resilient in the face of cyberattacks.
The founders of each of these acquired startups have two things in common - extensive backgrounds in cybersecurity, and a desire to tackle cybercrime head-on. These, combined with an entrepreneurial drive to expand the reach of their vision - and of course, the sums of money involved - likely led them to pursue their respective acquisitions. But this isn’t always the case.
Opportunities and risks
Deals such as the examples above are generally considered to be successful when the acquired company is able to continue developing new products. After all, their innovation and forward-thinking is what would have made them so attractive in the first place.
There is a risk, however, that once a startup has been absorbed into an acquiring company’s wider operation, the talent responsible for its initial innovation might leave for another startup opportunity. Both the acquired company and the acquirer are then left where they began, looking for an opportunity to prove their competitive edge. And so the cycle begins all over again.
Becoming subsumed by a larger enterprise might therefore not be for every entrepreneur, however tempting the money on offer. Instead, they might consider white-labelling their product, selling the IP under licence. This way, they can contribute their passion to a wider world while maintaining their independent identity.
When the decision is out of their hands
There’s also another situation whereby decisions around acquisitions can be made without the founders’ input; when they are owned by venture capitalists (VCs). For any start-up, accessing funding can be complex and challenging, but when innovative new companies are predicted to achieve hyper-growth (a real possibility within the thriving cybersecurity industry), they attract the interest of VCs. With the promise of funding, as well as better market access through the VCs’ expertise and contacts, founders may agree to give up their controlling stakes in order to realise their ambition more quickly, if at all.
However, VCs always aim to make returns on exit, so they are consistently analysing how best to reach the IPO phase quickly or sell onto another organisation. So, when a suitable offer is tabled, startups and their technology can change hands with the founders having very little say in terms of monetary valuation or ethical quandaries. This can pose a risk to national security as there’s no guarantee where the new acquiring organisation may be based or what their intentions are. For instance, a VC fund or organisation originating from countries known for cyber-espionage could purchase a startup, perhaps offering far more than its market or projected valuation, simply for deeper access into foreign market.
Delivering on a vision
In the current climate, where cyberattacks on businesses and individuals are expanding in scope and sophistication, the demand for cybersecurity is continuing to grow. Large tech companies are absorbing smaller security businesses as they look to become players in the space. While many of the deals can be very attractive, not every founder will see a potential acquisition as an opportunity, and can face some very tough decisions as to the future of their companies.
It’s vital, therefore, that cybersecurity companies make business deals that work for them; they need to cut through the noise of a crowded marketplace and achieve their commercial objectives, while remaining true to their original vision. They must consider the pros and cons, and ultimately take the path that will best allow them to deliver on their vision for their business.
Martin Rudd, CTO, Telesoft Technologies