Category: security

Broadcom broadens into security

Mark Fontecchio

by Brenon Daly

What began last summer as a head-scratching novelty has now become a consistent strategy at chipmaker-turned-software vendor Broadcom. A year after the semiconductor giant inked the second-largest software acquisition in history, Broadcom has made a big splash in information security (infosec), paying $10.7bn for Symantec’s enterprise security business.

Although the transaction is ‘just’ an asset purchase, it nonetheless stands as the largest infosec acquisition in history, according to 451 Research’s M&A KnowledgeBase. Another way to look at it: Broadcom’s massive bet on Symantec basically equals a full year’s worth of M&A spending for the entire infosec market. (The M&A KnowledgeBase shows annual spending across the infosec sector over the past two decades has ranged widely from $2bn to $28bn, depending on blockbuster deals.)

By virtually any measure, Broadcom is paying up for Symantec’s castoff business. Divestitures, particularly those involving low- or no-growth businesses, invariably garner a discount to broad-market M&A multiples. Depending on the segment and the assets, divestitures can get done at 1-2x sales, or half the prevailing prices in outright acquisitions.

At a purchase price of more than $10bn, Broadcom is valuing the enterprise security division at 4.5x sales. (In the most-recent fiscal year, Symantec’s enterprise group posted sales of $2.4bn, a level that hasn’t really changed in three years.) That’s even slightly richer than the 4.3x that Broadcom paid in its landmark acquisition last summer of CA Technologies.

The most-significant portion of Symantec falling into the portfolio of a financially minded consolidator comes after a prolonged slump at Big Yellow, which has served – not entirely fairly – as a company caught on the wrong side of disruption. As one indicator, consider that its stock price has basically been stuck in place for the past half-decade. During that same period, other business-focused security vendors have emerged and created somewhere in the neighborhood of $100bn – or 10x the terminal value of Symantec’s enterprise business – in both the public and private markets. We’ll have a full report on this transaction for subscribers to 451 Research’s Market Insight service later today.

What might have been (and what may still be) for Symantec

Mark Fontecchio

by Brenon Daly

If not for a last-minute snag in talks to sell itself, Symantec would be headed to this week’s Black Hat not as the single-largest vendor in the information security (infosec) market, but as a subsidiary. Negotiations with chip giant Broadcom reportedly broke down over price (what else?), meaning Big Yellow will be unattached and unchaperoned as the hacker’s ball opens in the desert. We wonder, though, how many more industry confabs will Symantec be attending in its current standing?

A public company for 30 years, Symantec generates almost $5bn of sales each year. Part of the difficulty for Symantec right now is embedded in those two facts about the company. Symantec isn’t moving any closer to the $5bn. In fact, in its most-recent fiscal year it actually slipped further away, as Big Yellow got a little smaller in 2018. Declining revenue doesn’t do much for Wall Street investors.

That’s particularly true in infosec, where budgets across the board are fat and getting fatter. A stunning 87% of IT professionals told 451 Research’s Voice of the Enterprise (VotE): Information Security, Budgets & Outlook 2019 that their companies will have more money to spend on security this year than they did last year. On average, respondents to our VotE survey said their security budgets are up 22%, an enviable bump compared with GDP-like growth rates for overall IT budgets.

And yet, Symantec hasn’t been able to enjoy much of the bountiful budgets. That led to the abrupt departure of the company’s chief executive earlier this year, with an interim CEO still leading the industry giant. Symantec’s new chief, who cut his teeth in the semiconductor industry, has a reputation as a straight-talking operator, and he serves a board of directors that tips far more toward finance than technology. Fully half of Symantec’s 12 board members, including virtually all of the directors added in the previous three years, are out-and-out financial professionals.

Given the composition of Symantec’s board and executives, reports of a sale to a financially focused operator such as Broadcom shouldn’t have surprised anyone. (At least not after the chipmaker-turned-enterprise-software-provider shelled out $19bn for CA Technologies, a diversified software vendor that nonetheless shares a similar financial profile and vintage as Symantec.) Although Broadcom wasn’t able to consolidate the infosec giant, the reported negotiations did give a useful glimpse into the most likely outcome for Symantec: a full sale to a financial firm.

The company currently garners an enterprise value of about $16bn, or roughly 3.3 trailing sales. Even with an acquisition premium, Symantec’s LBO valuation would likely be slightly below the prevailing multiple of 4.1x trailing sales in take-privates announced so far this year on US exchanges, according to 451 Researchs M&A KnowledgeBase. Looking specifically at the infosec market, our data shows buyout firm Thoma Bravo has paid 4-5.5x trailing sales in its three purchases of publicly traded security companies in the past three years.

Source: 451 Research’s Voice of the Enterprise: Macroeconomic outlook – Business Trends Q2 2019

Dual tracks: A singular path to infosec riches

Mark Fontecchio

by Brenon Daly

Fittingly enough, there are two main types of ‘dual tracks.’ In most cases, dual track refers to a company simultaneously pursuing both the two exits available to startups, M&A and IPO. By keeping one foot on both roads to an exit, an in-demand startup can cultivate new sources of capital on Wall Street while, at the same time, pressuring any acquirer to effectively outbid the public market. Assuming the laws of economics hold, when supply remains constant, any additional demand invariably boosts pricing.

There is also a smaller-scale version of that process, which happens at a level below Wall Street. In a ‘dual track lite,’ a startup also explores an outright sale and a capital raise at the same time. But in this case, the funding comes once again from private-market sources, such as VCs, rather than the public market.

Of course, to be able to effectively – and profitably – dual-track, a startup needs strong interest from the demand side, from both potential backers and potential buyers. And right now, no other segment of the enterprise IT market has more dollars available from both investors and acquirers than the information security (infosec) market.

When it comes to M&A, the 451 Research M&A KnowledgeBase shows acquirers pay two to three times higher valuations in infosec deals than they do in the overall broad market. (Since 2017, our data shows the prevailing multiple in infosec transaction at nearly 6x trailing sales.) And for those security startups pursuing the other track (funding), there is an unprecedented amount of money available from VCs. In just the past month, for instance, we’ve seen big-money fundings for infosec startups, including:

$120m for SentinelOne. (Subscribers to the premium of 451 Research’s M&A KnowledgeBase can see our proprietary estimates for SentinelOne revenue from 2016-19.)

$100m for Auth0. (Subscribers to the premium of 451 Research’s M&A KnowledgeBase can see our proprietary estimates for Auth0 revenue from 2016-18.)

$100m for Vectra Networks. (Subscribers to the premium of 451 Research’s M&A KnowledgeBase can see our proprietary estimates for Vectra revenue from 2016-19.)

But this flood of VC money has skewed the dual track, highlighting just how inflated funding valuations have gotten recently. Consider the two different outcomes, separated by less than three years, for a pair of rival firms. At the end of May, Dashlane raised $110m. We would note that’s exactly the same amount of money that rival password manager LastPass got when it sold the whole company to LogMeIn in October 2015. All in, Dashlane’s funding valuation was roughly 5x richer than the terminal value of LastPass, according to our understanding.

Instant gratification in CrowdStrike’s IPO

Mark Fontecchio

by Brenon Daly

Other recent high-flying debutants in the information security (infosec) market have had to take some time to grow into their multi-unicorn status on Wall Street. Not so for CrowdStrike. The endpoint security vendor smashed all pricing expectations on its way to creating a stunning $12bn of initial market value in its IPO.

To put that number into perspective, CrowdStrike’s valuation is roughly equivalent to the M&A spending across the entire infosec market for any given year, according to 451 Research’s M&A KnowledgeBase. Or, sticking to comparisons in the IPO market, CrowdStrike’s debut market cap is twice the initial value created in IPOs by two other recent fast-growing cloud security startups:

Okta came public in April 2017 at a valuation of $2.4bn, and now commands a $14.5bn market cap.

Zscaler came public in March 2018 at a valuation of $3.7bn, and now commands a $10bn market cap.

In its most recent fiscal year, CrowdStrike posted revenue of $250m. Revenue more than doubled last year, helped in part by an astonishingly high dollar-based retention rate of roughly 140%. Although not yet profitable, the company showed some leverage in its model by holding its net loss at the same level over the past two years, even as it doubled revenue.

In the IPO, Wall Street is valuing CrowdStrike at nearly 50 times trailing sales. That’s a heady multiple, significantly eclipsing the current mid-30x price-to-sales multiples for both Okta and Zscaler.

CrowdStrike is, however, still looking up at the current trading multiple of Zoom Video Communications. Zoom shares have tacked on roughly 50% since debuting in April, giving the profitable and fast-growing videoconferencing startup a price-to-sales multiple of nearly 70x. If CrowdStrike could replicate Zoom’s trading in the aftermarket, the infosec startup would be tracking to nearly the same astronomical trading multiple later this summer.

A change of guard in the infosec market

Mark Fontecchio

by Brenon Daly

After an uncharacteristic half-year absence from the top end of the information security (infosec) market, a private equity (PE) shop has now put up the largest print in the bustling sector so far this year. Insight Venture Partners built on an earlier investment in Recorded Future to take a controlling stake in the threat intelligence startup in a deal valued at $780m.

Other than that, however, most of this year’s activity has been coming from newly resurgent strategic acquirers. In fact, except for Insight’s reach for Recorded Future, strategic acquirers account for all of the 10 largest infosec transactions listed in 451 Research’s M&A KnowledgeBase so far in 2019.

Already this year, Palo Alto Networks has announced three acquisitions totaling a cool $1bn in aggregate spending, Sophos has doubled up on deals, and FireEye has shelled out a quarter-billion dollars in its largest single purchase in a half-decade. Other infosec M&A mainstays such as Symantec, Akamai and Proofpoint have also been heard from this year, with all of them inking $100m+ acquisitions.

The key to many of these corporate deals getting done is that buyers are paying up. That’s particularly true for Palo Alto, which has made a practice of paying hundreds of millions of dollars for startups that measure their revenue in the tens of millions of dollars. But FireEye and Symantec have also paid double-digit valuations this year.

As strategic acquirers stretch on valuation, they have been able to elbow PE buyers aside. According to the M&A KnowledgeBase, buyout firms are behind just one of every five infosec transactions so far in 2019, down from at least one of four deals in each of the previous three years. Further, our data indicates that PE shops’ slumping market share of only 21% in infosec M&A so far in 2019 is a full 10 percentage points lower than their share of the overall tech M&A market.

Playing small ball in the big leagues

Mark Fontecchio

by Brenon Daly

Over the past two years, no single IT sector has put forward more highly valued IPOs than information security (infosec). Spurred by ever-increasing spending by CISOs, startups across the cybersecurity landscape are either big or getting big fast. As they graduate up to Wall Street, growth-hungry investors have lavished rich, double-digit valuations on infosec startups.

So what, then, to make of the recent IPO filing by Tufin Software Technologies? The security policy management vendor is heading to the NYSE on the back of a year where it did less than $100m in sales. And its growth rate, while a solid 30% in 2018, barely matches the pace of some of the recent infosec debutants, even as they put up more than three times more sales.

And then, there’s the crucial consideration of how – and when – Tufin generates those sales. In the current era of cloud-delivered software, Tufin sells its product in the conventional model of software licenses, plus maintenance and professional services. Further, those sales are heavily back-end-loaded, with a make-or-break Q4 providing about 34% of total revenue for the company.

It’s worth noting that all five of the other infosec providers to come public since the start of 2017 derive at least a portion of their sales from subscriptions, with the two richest valuations being given to the full cloud-based vendors. (Zscaler trades at an astronomical 34x trailing sales, while Okta garners 23x trailing sales.) Subscription revenue tends to be more predictable than lumpy sales of licenses, particularly when the average price tag of just the software – as it is in some cases at Tufin – climbs above $200,000.

That’s not to say that Tufin doesn’t have the opportunity for growth in front of it. In its prospectus, the company cites a 451 Research Voice of the Enterprise survey of 550 IT buyers and users in 2018 that shows that 83% of the respondents do not currently run any security automation and orchestration technologies at their company. Yet, encouragingly for Tufin and other vendors, more than half of the respondents (54%) plan to have it in place by 2020.

In addition to Tufin, we suspect that at least one other company will likely be paying very close attention to the upcoming IPO. Rival Skybox Security, which we understand is roughly the same size as Tufin, is thought to be tracking to an offering of its own. The difference being, as we heard it, that Skybox is targeting a debut in 2020, when it will be north of $100m in sales.

Mixed buyers harvest security targets

Mark Fontecchio

by Scott Denne

In making its latest security purchase, BlackBerry joins a pageant of infosec acquirers chasing after ballooning budgets. With BlackBerry’s $1.4bn pickup of Cylance, there have now been 15 acquisitions of infosec vendors valued above $250m this year, according to 451 Research’s M&A KnowledgeBase. Only three of those were printed by buyers who make infosec their primary business.

To be sure, BlackBerry isn’t new to the security market. Since its mobile device business began its decline earlier this decade, it has focused on mobile device management software and expanded on its reputation for secure communications since the purchase of encryption specialist Secusmart in 2014. Still, this deal marks its most significant dive into cybersecurity. (In fact, it’s the company’s most significant acquisition in any category as it’s three times the size of its previous organizational high – the $425m pickup of Good Technology in 2015.)

Many of this year’s acquirers resemble BlackBerry in being on the edges of infosec and looking to go deeper. Splunk, for instance, printed its $350m reach for Phantom Cyber just as its security revenue was expanding to 50% of its topline. Others had little presence in cybersecurity: TransUnion and Reed Elsevier, both already in the risk business, got deeper into digital risk by nabbing antifraud firms. Also, AT&T moved into the market with the acquisition of AlienVault. And, of course, reflecting the broader trend in tech M&A, private equity (PE) firms are the largest category of infosec acquirer.

Whether from telecom or PE, expanding budgets are the draw for most buyers. Across all of our surveys, security budgets have risen steadily and dramatically. Among respondents to 451 Research’s VoCUL: Corporate IT Spending survey, at least 18% have indicated rising security budgets in each of the past five quarters. In that same time, no other single software segment garnered higher than 12%. And in our security-focused panel, the responses have been more dramatic. In 451 Research’s Voice of the Enterprise: Information Security report, 80% anticipate rising budgets in 2018, compared with just 6% forecasting a decline.

Buying a lot, selling a little

Mark Fontecchio

by Brenon Daly

Less than two months ago, we speculated that Broadcom would be cleaning out the closet at CA Technologies once it owned the enterprise software company. On cue, the semiconductor giant announced Monday that it had closed its $19bn purchase of CA and, in virtually the same breath, said it had divested one of the just-acquired businesses. The unwinding of Veracode almost certainly won’t be the last pruning of the CA portfolio done by the financial hawks at Broadcom.

But first, on the announced deal: Thoma Bravo said it will spend $950m to carve application security provider Veracode out of the now-Broadcom-owned CA. The transaction effectively unwinds CA’s pickup of Veracode two and a half years ago. In a reversal from most of these moves, CA’s exit price is significantly richer – nearly 50% higher – than its entry price. (451 Research subscribers can look for our full report on the deal on our website tomorrow.)

While not unexpected, Broadcom’s divestiture nonetheless comes at a time when corporate castoffs are running at a multiyear low. According to 451 Research’s M&A KnowledgeBase, publicly traded tech companies like Broadcom are on pace in 2018 to print the second-fewest divestitures of any year since the recent recession. Further, our database indicates that this year will see listed tech vendors shed roughly one-quarter fewer business than the average year over the past decade.

Broadly speaking, the surge in earnings this year at tech giants and, until recently, their record-high equity prices has blunted the need for most companies to radically overhaul their businesses. Growth masks a lot of flaws. In any downturn, we would expect the pace of divestitures to pick up.

In the case of Broadcom, however, its move wasn’t so much macro-driven as it was just a case of hitting an internal target. Specifically, the chipmaker, which runs a tight ship, laid out the goal of ‘long-term adjusted EBITDA margins’ above 55% once it fully integrated CA.

There’s a fair amount of wiggle room in both the timing and financial measure of that target. But it suggests that more divestitures are coming. Most of CA’s enterprise software business doesn’t run anywhere close to the margins Broadcom has modeled. In contrast, CA’s mainframe business, which is roughly half of total revenue, throws off a ton of cash.

If we had to guess at another acquired business that Broadcom is likely taking a hard look at right now, we wonder if CA’s mid-2015 acquisition of Rally Software Development might also get unwound. (The business is now known as Agile Central.) The Agile software development shop relied on a fair amount of professional services (mid-teens percent of total revenue), which pressured margins and kept the business running in the red. Unless CA has dramatically improved the business, Rally may not make the cut.

Not wrong, just early?

Mark Fontecchio

by Brenon Daly

Call it a case of mistaken identity in the identity security market. In our exclusive report last week that BeyondTrust was nearing a sale, we speculated that One Identity would be the buyer for the often-in-play company. Instead, Bomgar has announced the purchase of BeyondTrust.

We regret missing the mark, which can be an occupational hazard while working in the opaque regions of the information economy. (Subscribers to 451 Research’s M&A KnowledgeBase can see our proprietary estimates for Bomgar’s acquisition of BeyondTrust by clicking here.)

In our defense, however, we were close. We had the correct family (private equity firm Francisco Partners) albeit the wrong sibling (Francisco-owned One Identity rather than Francisco-owned Bomgar). And, for the record, we have heard from numerous sources that One Identity and BeyondTrust have held in-depth M&A discussions ever since Francisco carved the software business out of Dell, which included the assets that became One Identity.

And while we didn’t necessarily get the right buyer for BeyondTrust right now, it may be a bit academic as far as Francisco is concerned. Longer term, we could well imagine that the PE shop will ultimately combine Bomgar, which it bought in April, with One Identity.

Buyout firms often consolidate holdings as a way to cut expenses and boost all-important cash flow. Admittedly, we’re speculating again. But there’s a lot of financial sense to making the move. If that does come to pass, then we like to think we weren’t wrong about the buyer for BeyondTrust, just early.

For now, though, 451 Research subscribers can look for our full report on Bomgar’s pickup of BeyondTrust on our site later today.

For more real-time information on tech M&A, follow us on Twitter @451TechMnA.

Snapping up smarts

Mark Fontecchio

by Brenon Daly

Having gotten a little richer in its mid-March IPO, Zscaler is now looking to get a little smarter with some M&A. In its first-ever acquisition, the cloud security vendor has reached for TrustPath, a startup that Zscaler plans to use to help speed and sharpen its analysis of the billions of transactions that flow over its platform each day. Not much is known about TrustPath, which is still operating in stealth mode.

Zscaler’s inaugural print continues the trend of information security (infosec) providers emerging as some of the busiest buyers of machine learning (ML) startups, a market that itself is pretty busy. In fact, for the past two years, tech investment bankers we have surveyed have forecast ML to be the single biggest driver for M&A in each of the coming years, ahead of other notable themes such as the Internet of Things and cloud computing.

More importantly, that sentiment is coming through in the actual deal flow. According to 451 Research’s M&A KnowledgeBase, the number of overall ML transactions is on pace to top 120 deals in 2018, three times the number announced just in 2015. Infosec is playing a key role in the record number of ML transactions, with Zscaler joining Amazon Web Services, Splunk and even PayPal in the parade of recent security-focused ML acquirers.

Collectively, infosec buyers are punching well above their weight in the emerging field of ML M&A. Look at it this way: Infosec accounts for roughly 15% of total ML deals in the M&A KnowledgeBase, despite security acquisitions making up less than 5% of all tech transactions we record in any given year.

The main reason for infosec’s outsized role in the ML market is that there’s actually business to be done there. In fact, in a recent survey by 451 Research’s Voice of the Enterprise: AI & Machine Learning, Adoption, Drivers and Stakeholders 2018, infosec emerged as the second-highest rated use case for ML, trailing only ‘business analytics.’ Importantly, the rankings in our survey came from folks who actually have ML technology up and running or are nearly there. With that kind of demand from customers, it’s no wonder infosec suppliers are leading the charge in snapping up smarts.