Consultancy PricewaterhouseCoopers has released the first-ever report on merger and acquisition activity in the cyber security industry. Paul Fisher talks to the report's author and analyses some of its key findings.

Until a few years ago, SC Magazine published an annual guide to the biggest players in the information security industry in an attempt to gauge its size. We stopped because we felt we no longer had the resources to compile an accurate and credible list against the background of a rapidly changing market.

Late in 2011, PwC, an organisation with access to researchers and number crunchers on tap, produced what is probably the first in-depth look at the financial health of the cyber security market by focusing on M&A activity.

The report, Cyber Security M&A, was authored by Barry Jaber, a security industry specialist with the consultancy. It looks at the underlying forces and trends driving the industry. What's clear is that the wider world is waking up to cyber security, and businesses from outside traditional tech areas are looking to either invest in or acquire cyber security firms outright, with conventional defence companies an important part of this trend.

“It's a healthy picture. There is genuine and underlying spending growth – ten per cent over the next three to five years – and that's what's attracting investment. But the underlying drivers are also why organisations need to spend in this area. It's much more resilient than other areas,” says Jaber.

Global cyber security spend reached $60bn in 2011, while the percentage of people who think that information security spend will increase stayed above 50 per cent. This compares with a low of 38 per cent in 2009.

The way cyber defences are being procured is also changing. According to Jaber, while it is still predominantly the traditional CISO, CTO or CIOs making the final purchase, more regular business managers are becoming actively and willingly involved in the decision and risk-assessment process.

“They are getting involved and understanding the risks, looking at where they want to spend their investments. That's what's driving some of the budget growth and investment. The purchasing decision hasn't shifted so much, but there's just a broader array of influences now and much more alignment with business objectives,” says Jaber.

“The degree to which this is happening varies across industry sectors. Financial services and pharma are much more mature; a catch-up is needed by other verticals. But what we are seeing is a lot more information-sharing across sectors. That is being driven by government in the UK and US. They are stimulating awareness and best practice,” he adds.

According to the report, the key drivers of cyber spend and investment are the growing number of defined threats, vulnerabilities of new computing technologies (cloud) and greater awareness of security among the wider enterprise. Expanded and stricter compliance requirements are also having an impact.

In terms of M&A activity, the sector is bucking global economic trends. According to the report, deal volume in 2010 increased in both volume and value by nearly 40 per cent on 2008, following a marked slowdown in value in 2009.

Also, total deal value was 70 per cent higher in the first half of 2011 than for the whole of 2010, rising to $10.2bn, driven primarily by Intel's $7.8bn acquisition of McAfee, which was completed in February 2011.

“We will continue to see consolidation. Bluecoat is the most recent example, with private equity firm Thoma Bravo doing a roll-up play. It already has assets in the space [including SonicWall, LANDesk Software, Tripwire, Entrust and NetIQ]. IBM and Symantec will continue to do that too. But on the other hand this is an industry that badly needs innovation, and we will continue to see small entrepreneurial start-ups,” says Jaber.

The market continues to be dominated by US players. The top ten cyber security deals made between 2008 and 2011 involved eight US-based acquirers, and only two from the UK.

Interested parties
Defence contractors are seeking to diversify away from core defence markets as spending on conventional defence continues to decline, especially in Western Europe due to deficit pressures. They have also targeted acquisitions that provide access to new customers (primarily government agencies such as the CIA, FBI, GCHQ and MI5/6), new capabilities and scarce security-cleared personnel, according to Jaber.

Meanwhile, Jaber reports that IT companies view cyber security as a “necessary capability to have in-house in order to provide customers with end-to-end solutions”. As threats and incidents proliferate, cyber security is increasingly being seen as a source of differentiation for their products and services.

Private equity investors are attracted to the high-growth potential of the cyber security sector and, as deals continue to flow, the clear path to future exit opportunities. Venture capitalists have been active and are making smaller investments, particularly in the US, according to the report.

Margins very much vary depending on where vendors operate. In the security software market there are high gross and net margins still to be had. There is much more pressure in the services area, but forensics, being so specialised, returns healthy margins, according to Jaber.

Long-term drivers
Looking ahead, the report lists a number of drivers and trends that it predicts will promote further growth in the cyber security market. These are: infrastructure revolution, data explosion, the “always on, always connected world”, financial industry changes, tougher governance, multiple internets emerging and new identity and trust models.

The last is probably the most intriguing in that it foresees “new models of trust to develop for people and infrastructure, including devices around data”.

In other words, the ongoing techno-sociological revolution is such that cyber security will need more and better solutions in the future. Overall, then, it is not hard to understand why cyber security is seen an as a major growth area and a market that many businesses are seeking to enter. For many reasons, and whatever side you sit on, right now it's not a bad business to be in.

PwC's ‘Cyber Security M&A' report is available at http://pwc.to/wzD9tL.