The wave of mergers and acquisitions sweeping through the cybersecurity industry shows no sign of slowing in 2018, according to Jim Reilly of Stonepine Advisors

In the fourth quarter of 2017, two billion-dollar deals capped another year of high-profile mergers and acquisitions in the cybersecurity space, as Thoma Bravo snapped up Barracuda Networks for $1.6 billion and French multinational Thales purchased Gemalto for a total consideration of around $6.6 billion.

Although the Barracuda and Gemalto acquisitions were notable for their jaw-dropping valuations, they were just two among a raft of some 200 cybersecurity M&A deals that took place last year – many of which passed the $100 million mark.

With global spending on cybersecurity expected to top $1 trillion over the next four years, The Daily Swig caught up with Jim Reilly, founder and managing partner of Stonepine Advisors, to hear his thoughts on the industry in 2018.

2017 was another banner year for acquisitions in the cybersecurity space. Do you expect to see a continuation of this M&A activity in 2018 and beyond?

Jim Reilly: Absolutely. There are a host of reasons why I think this is going to continue to happen. First, for every company that is acquired, two or more companies get started.

Since 2010 there have been 1,300 M&A deals, and there have been something like 2,500-2,800 new companies.

The larger players need the innovation provided by these small guys to keep their product offerings fresh and to deal with an ever-changing landscape of threats.

The second driver of M&A activity is that the game is changing constantly. In other sectors, there is no active protagonist on the other side, changing the game every day.

In security this is exactly what’s happening, so you’re constantly having to adapt to new threats, and new approaches to threats. This is going to drive consolidation for many years to come.

New developments and consolidation will also be driven by new areas of focus within security.

The obvious example here is the Internet of Things, but other examples include autonomous cars; transaction security and anti-fraud for eCommerce activities; and how the blockchain is applied in the security world. These will all drive continued new developments and continued consolidation in the space.

Which cybersecurity acquisitions stood out to you last year? Are you noting any trends that might indicate the future direction of the industry?

JR: There are two that I would say surprised me. With most deals, you look at the target and the acquirer and you say: ‘Yes, that makes sense’. But there were two that kind of shocked me.

One was the roughly $7 billion deal that Thales did with Gemalto, topping a bid from Atos. I looked at both of the acquirers and thought this was a fairly odd combination, but I think the deal is indicative of non-software companies wanting to get into this dynamic space.

The other acquisition that surprised me, for somewhat similar reasons, was a publisher buying ThreatMetrix in an $800 million deal. ThreatMetrix is an anti-fraud identity-oriented company. I don’t see the synergistic benefits to the acquirer of owning ThreatMetrix – and they paid an enormous price.

More generally, we are seeing large industrial companies – such as Honeywell and General Electric – setting up venture arms. And interestingly enough, many of their initial acquisitions or investments have been in the security space.

It’s surprising that the traditional (non-software and non-security) industrial guys like Honeywell are looking at their own product suite and seeing that things like the IoT is going to be huge, so they are investing in it.

Although acquisitions often allow smaller companies to expand their reach, some say the process of being absorbed into a larger organization can stifle innovation. What are your thoughts on this issue?

JR: I agree with both of these statements. Yes, inevitably a larger company buying a smaller company can stifle the potential innovation coming out of that small company.

On the other hand, what these large companies bring to these smaller companies is a huge distribution channel and an opportunity for the existing technology to enjoy a much broader audience.

Moreover, the capital that’s released through these acquisitions – which generally goes back to the venture capitalists – provides new ammunition for the VC to find new companies to fund and continue the innovation cycle.

If you take a holistic view of what’s going on in the industry, I don’t think that M&A stifles innovation. In a narrow sense, maybe, but in the broader picture of what’s going on, it’s a virtuous circle – and this applies to other industries, not just security.

Stonepine Advisors is a California-based, software-focused investment bank providing financing, M&A advisory and strategic consulting services to emerging and mid-sized growth companies, particularly in cybersecurity, mobile, and healthcare. Click here for more information.