Cyber-Security Transactions - Buyer Analysis (or "who is buying all these cyber-security companies?")

At Delling Advisory, we believe that we can provide the best advisory services to our IT security industry clients, through having an unsurpassed understanding of the market, both from first-hand experience having started, built and run IT security companies, as well as from access to unique data and analytics.  

This year, we have collated the data on about 650 cyber-security related transactions around the world, dating back to 2004.  A significant amount of work has been completed to categorise each transaction based on the 'company type' of the acquiring firm, as well as the security-related services that the acquiring firm previously provided and that the target firm provided (professional services / hardware / software / managed services), the country of origin of the acquirer and target, as well as the financial details of the transaction where that information is available (either publicly or via our industry contacts).  An early version of this data set is graphically represented in the map at the start of this post - blue being the acquirer and yellow being the target of the acquisition.

Over the next few weeks, we will start presenting snapshots of this information, to provide a high-level picture of the trends and directions that have taken shape over the last decade, with respect to the cyber-security market.  Obviously there is a significant amount of proprietary data that we have compiled through this process, and we use this information in our advisory roles to better understand and communicate the state of the market, as well as valuation trends and trends in the 'buyer universe'.

To get started, a couple of initial data sets.

Q. Who is buying all these cyber-security companies?

In short, many different companies (and 'company types') are acquiring cyber-security companies.  The defence industry has been in the media for the last few years as one of the most significant buying groups, but back to 2004 they only account for about 12% of all transactions.  Just taking the years 2010 to 2012, when transaction volume was highest in the defence sector, those firms still only accounted for about 18% of transactions (since although their transaction volume went up significantly, so did everyone else's).

The most prevalent acquirers of cyber-security companies are now (and have been every year since 2004), other cyber-security companies, and other IT companies seeking to expand their security-related offerings.

(As an aside, I'm sure people will wonder what 'other' contains.  'Other' contains a mix of companies buying capability to build into their own products, or for diversification.  Some example transactions in the 'other' bucket:

The heavy acquirers - as can be seen from the transaction map at the start of this post, have tended to be companies such as Cisco, McAfee, Oracle, CA Technologies, Symantec, IBM, Microsoft, EMC Corporation and Dell - although the defence primes Raytheon and BAE Systems have also made a dent.

Q. Are transaction volumes sky-rocketing?

Not really.  There are certainly many more cyber-security related transactions now than there were in 2004... but there are many more cyber-security businesses now than there were in 2004.  In broad terms, from 2009 onwards, transaction volume has been about 50% higher than in the period 2006 to 2008.

Cyber-security has become very important to a lot of companies, very quickly.  As a result, and given the difficulties in recruiting cyber-security professionals, adding this capability by acquisition continues to be very attractive.