In recent years there has been a well documented trend of cyber-security companies being the target of acquisitions, with the media focus particularly being on the defence sector as the acquirers (despite those organisations making up only a fraction of cyber-security related transactions). Stories such as these:
- The new cyber-industrial complex
- Defence groups turn to cyber security
- Defence groups move to cyber security
- Prices of cyber security firms soar
...have all supported this narrative.
A recent article on the topic - 'Cybersecurity Bubble Bursting for U.S. Contractors', online at Defense News - suggests that a dotcom-bubble-esque situation may have arisen over recent years, through which all cybersecurity businesses have been wearing the halo of opportunity and fast-growth, when in reality not all of them are gems.
It is guaranteed that not all the cyber security acquisitions over the last few years will work out well - but that is true of any grouping of acquisitions... If it was easy to buy and integrate companies, and create massive amounts of shareholder value through the process, it would happen a whole lot more than it does. It is hard, and many acquisitions fail. But there is nothing that currently suggests cyber security company acquisitions are any higher risk than any other inorganic entry or expansion into a related market. Just because they are highly valued, doesn't mean they are overvalued.
That said, it is worth retaining an awareness of the fact that a significant number of risks exist in the cyber security market, specifically including:
- The low number of genuinely skilled cyber security professionals, and the associated costs in recruiting and keeping those staff, and the reliance of many organisations on a few exceptional individuals to provide their competitive advantage;
- As with many new markets, a lack of clear definition and understanding about what exactly makes up the 'cyber security' market, which would allow organisations to get a better grasp on the market size, and hence the realistic opportunities for growth;
- A high likelihood of government intervention in the market in the foreseeable future: Of the over 100 bills proposed in the last two terms of the US congress with cyber security provisions, exactly zero have been passed into law. It is highly unlikely this will continue to be the case (although that depends how the latest industry - cyber-security lobbying - throws its weight and money around);
- Significant competition, with the cyber security market being targeted not just by the defence industry, but also by the global system integrators and telecommunications firms (HP, IBM, Tata, Wipro, NTT, Verizon, Telstra and others), the professional services firms (Deloitte, PwC, KPMG, EY, Accenture, Booz Allen Hamilton and others), the specialist security firms (Symantec, McAfee (now Intel), CheckPoint and many others), and many and varied other smaller providers of IT, consulting, or advisory services, who operate in specific parts of the cyber security market;
- And more specifically for the defence companies, a lack of experience in some defence primes when it comes to dealing with private sector organisations on lower value / higher volume projects, and the widely varying approaches of these clients to contractual provisions and legal terms, which often clashes with a highly constrained risk model built for long-term Government-focused engagements;
The most obvious and significant difference between dotcom-era companies, and cybersecurity companies today, is that the former were generally aiming for growth (whether in revenue, in 'eyeballs', or in members) with little interest in profit; whereas the latter have generally been run to be profitable businesses and were perfectly viable companies in their own right without being acquired.
It has also hardly been a cyber-taking-over-defence story - the FT article Defence groups move to cybersecurity references the fact that "Jane’s Defence calculates that about 14 per cent of defence acquisitions had cyber as their target last year." While 14% is a significant number given the small contribution that cybersecurity currently makes to most defence industry companies' revenue figures, the fact remains that 86% of acquisitions were in 'non-cyber' areas, the employees of which are a long way from turning out the lights and retraining as hackers. Compare that with the dotcom era and AOL's take over of Time Warner, back when AOL and Compuserve thought they could build a better Internet than the Internet, and the market thought they might have a chance, and there's a pretty significant difference. Until we start seeing cyber-security companies taking over defence companies ("Sourcefire Lockheed", anyone?), we're a long way from a dotcom-sized bubble.
And using the final - and arguably most accurate - bubble gauge, I'm yet to have a Sydney taxi driver tell me to invest in cyber security stocks. Once that happens, I'm running for the exits.