Skip to content

2023 Cybersecurity M&A Opportunity

  • Business
  • 4 min read

Industry Overview

Cybersecurity is ripe for #mergersandacquisitions as it resembles the wild, wild West – everyone looking to score “the big one” and sell out for big bucks. The reality is that the “greater fool” theory is in play here – there are too many tools and too many fragmented service providers.

We set forth four divisions (in decreasing order of perceived value and #valuation multiples) of the cybersecurity industry:

  • Software
  • Hardware
  • Service Providers
  • Systems Integrators

NOTE even though there is cross over between the systems integrators and discrete service providers, will we keep them as distinct divisions; other discussions may classify them as services and solutions. Further subdividing the cybersecurity industry are #sectors:

  1. General #informationtechnology (IT)
  2. #operationaltechnology (OT) and #industrialcontrolsystems (ICS) (systems controlling high value network nodes in manufacturing, industrial, and commercial operations, that if compromised results in national security issues or death i.e., Colonial Pipeline incident)
  3. Government and trade associations

The Sweet Spot

The highest investment volume and highest valuation multipliers, #venturecapital (VC) and otherwise, are in the Software division and General IT sector.  The higher valuation multiples are directly related to the multiplier effect of #intellectualproperty (IP) and its ability to quickly disrupt revenue upward. This causes early-stage founders and boards to highly value dubious IP, unprotected (with patents or other “moats”) nor proven with market validation (nor any revenue), meaning there are many investors that took a flier on early-stage ideas that haven’t yielded the “hockey stick revenue curve” (rapid revenue growth, many times at 100% revenue growth quarterly) and are currently facing dwindling cash reserves to support their burn rates.

Even though all cybersecurity sectors are growing, the limited size of the OT/ICS sector at USD $17.08B total revenue and 6.9% CAGR for 2021 doesn’t compare favorably with the USD $156.30B total revenue and 10.92% CAGR for the general IT in 2022 (like year statistics not available). For our discussion, we set forth that the OT/ICS sector not only has a lower overall revenue and CAGR, but the players are constrained on their overall growth due to:

  • ICS/OT revenue for the hardware and software divisions is considered long term CAPEX.
  • ICS/OT service skills are highly specialized to the hardware and software installed in specific industries (electric, water, wastewater, manufacturing, etc.) and individual plants.
  • ICS/OT service effectiveness heavily depends upon individuals’ experience.

The Opportunity

A “perfect storm” has been presented to us:

  • a general worldwide #recession2022,
  • less investment in all sectors and divisions,
  • pullback in valuations in all sectors and divisions, and
  • dwindling cash on hand to support burn rates forcing hard decisions.

This provides an ideal environment with many failed software endeavors (including projects and whole companies) searching for a way to salvage any value. When “all boats are rising” on an overheated world economy (like late 2020 and 2021), founders and early investors hold out with the hope of vast riches that happen to drop out of the sky. When a worldwide recession roars up to the door (December 2022), suddenly everyone gets a little more reasonable – except those organizations still growing at breakneck speeds as they can just accept lower valuations on their next round of financing (if they can secure one and have an ample cash hoard to support their burn rate).

This is the ideal environment for a roll up focused on the cybersecurity general IT establishing a solid foundation for future growth of valuation as well as revenue:

  • IP purchased at attractive distressed valuations
  • Development resources retained and purchased at “fire sale” prices instead of recruited
  • Native partner networks for #crossselling products

The prospective acquisition targets for this roll up are experiencing:

  • Cash reserves not covering cash burn over 90 days
  • Multiple waves of layoffs or salary deferrals causing plummeting morale
  • Investors, founders, and employees holding Illiquid private companies company shares
  • Slashed marketing budgets suffocating nascent brand awareness and limited sales potential

Conclusion

Reviewing the conclusion of 2022 and looking toward the horizon of 2023, the cybersecurity industry looks like it is ripe for consolidation and a wave of mergers and acquisitions that will eliminate many weak competitors and overall make the industry stronger.

For investors, the #rollup consolidator would be where I put my money. If you’re already invested in a startup or #earlystage cybersecurity venture, make sure that the boards and management keep an eye on staying in business, not growth at all costs.

For individual cybersecurity companies looking at the coming 24 months, seriously review your expectations for your valuation and exit. Get realistic now and be proactive with your company’s cash flow and growth prospects without further funding.

For employees in these organizations, be realistic as to what the company’s prospects are, don’t burn any bridges with the founders and investors if you do leave, and for goodness’ sake, don’t speak poorly of #entrepenuers who are changing the world – dreamers do change the world, but hold them accountable for their decisions.

Original post published on LinkedIn on December 30, 2022 by Robert C. Rhodes.

Tags: