The acquisition market for IT firms appears to be bullish once again with prices on the rise. While security firms have always achieved healthy acquisition multiples, currently things seem to be looking up quite a bit more than usual. An example is IBM’s recent purchase of banking security software firm Trusteer for a reported $1 billion. As Trusteer are our main competitor, I have been contacted by several people recently wanting to discuss the implications of the acquisition for our firm. Our private investors show particular interest in this for obvious reasons!
Traditionally, the larger InfoSec firms expand their technology through acquisition. Innovation thrives far better in entrepreneurial rather than corporate environments. Acquisition is the method through which the larger firms gain innovative technology and the mechanism whereby the innovators get their rewards. It’s a win-win symbiosis. With the looming restructure expected to take place in the security industry (the focus on more proactive rather than reactive solutions), it is expected that there will be a lot more healthy M&A activity in the near and medium-term future in InfoSec.
Security tech firms are often purchased for their strategic value rather than for their existing customer base or current revenues. When the reason is strategic, the value to the purchaser is much more than the value of the customer base or current revenues, acquirers are keen to pay a premium above balance sheet values in order to gain this strategic value. Trusteer for example, reportedly had revenues of around $50m, which makes their acquisition value around 20 times annual revenues – very high compared to non-IT firms (and many InfoSec firms too for that matter).
An InfoSec firm’s strategic value is primarily dependent upon five main factors: (1) the extent to which it operates in a growth sector, (2) technology, (3) customers and revenues, (4) people, and (5) processes.
1. Growth sector
Acquirers are obviously interested in expanding their operations in sectors which are rapidly growing. Examples are areas such as mobile, cloud, and analytics. Information security itself is a high growth sector with spending expected to multiply 10 times over the next decade.
Acquirers want to enlarge their technological capabilities – to expand the features/capabilities of existing products, or to resell a wider set of solutions, in order to drive sales. Higher value is given to aspects such as unique technology, patents, difficulty of replicating products, the extent to which products are proven in the market, and product range. Post-acquisition, the acquirer may either leave the company to largely continue operating independently, or they may integrate the new company to take advantage of existing resources such as sales and support networks, existing customer base, etc. It makes sense for example, for Trusteer to be fully integrated into IBM in order to utilise it’s vast resources where IBM can take Trusteer’s products into new markets (such as enterprise and government) as well as achieve greater penetration in Trusteer’s traditional banking market. In doing this, IBM will need to pay particular attention to retaining innovative staff who prefer a less structured entrepreneurial environment.
3. Customers and Revenues
Occasionally InfoSec firms are acquired for their customers and revenues, to provide the acquiring firm access to new markets and relationships. Geographical spread could be important here, as is the future booked revenue of the InfoSec firm. Also important is the size and reputation of the InfoSec firm’s partners and customers.
The experience, skills and reputation of the management and technical teams – this can be almost impossible for the larger firm to replicate other than through acquisition.
As InfoSec is a technical field, it takes a long time for processes to be developed and refined. Often, it is cheaper and quicker for companies to simply buy these processes through acquisition.
The mix of these features and their relative importance depends on the growth strategy and strategic positioning of both the acquirer and target – or possibly even the combination of the two as a new entity. Smarter acquirers will look to the ensuing value of the combined entities post-transaction. As the InfoSec field expands and traditional scanning methods are replaced with more innovative and effective solutions, we will see much M&A activity and new powerful forces emerging, through more healthy acquisitions in 2014 and beyond.