To Build or to Buy? Why M&A Can Be a Roadblock to Cybersecurity Innovation


By Kevin Simzer, Chief Operating Officer of Trend Micro

Companies pursue Mergers & Acquisitions (M&A) for many reasons—whether it be to remove the competition or expand by acquiring new technology. At a time when end customers are looking for ways to optimize their security operations with fewer vendors, M&As can be an attractive option: in fact, 2022 saw over 1,000 deals in the cybersecurity and technology sectors.

However, both investors and cybersecurity customers must be able to assess whether cybersecurity M&A deals have a positive or negative impact on innovation in order to make smart choices. Being able to identify what will drive security innovation forward is increasingly important as macro-economic factors are driving vendors and customers alike to realize that the growing attack surface is best protected by holistic security solutions.

Are M&As conducive to innovation?

Innovation is critical to any industry. Cybersecurity is no exception, especially when cybercriminals themselves are innovating at an alarming rate. In fact, the cybercrime economy is said to be worth trillions of dollars per year – more than the GDP of many countries. The only way for the security industry to combat this is through continuous innovation. When we spotted sophisticated new phishing attacks targeting CEOs, for example, we brought out new AI-powered capabilities designed to make it easier to spot malicious impersonation attempts.

In the name of innovation, some companies lean heavily on acquisitions to take big leaps forward with their technology stack. M&A can propel emerging technologies into the mainstream, raise awareness of new detection methods, and set new industry markers – Google Cloud’s acquisition of renowned threat intelligence firm Mandiant is a recent example.

However, M&A deals can take a long time to deliver value to investors and customers, due to the challenges that arise when different corporate cultures, technology, and people come together. An MIT Sloan study found that a third (33%) of workers who join a company through an acquisition leave within the first year post-M&A, rising to 62% within three years. The main driver? A lack of innovation focus in the acquiring firm’s culture.

The Integration Factor

Today, proper integration is increasingly valuable for companies struggling with budgetary and skills shortages. Given our macroeconomic environment, CISOs understandably want to consolidate the number of vendors and point solutions they’re running. With industry skills shortages exceeding 410,000 in the US alone, integrations can help stretched security teams by reducing the number of products and interfaces they need to learn how to manage.

However, the challenge of integrating security vendors’ products can also be an obstacle to innovation. Even if a company acquires a raft of innovative technologies, the value can go unseen by end customers if it’s all sitting in data silos. One security blind spot caused by coverage gaps between solutions could create catastrophic reputational and financial damage if it leads to a serious breach.

A resilient alternative: build, not buy

M&As are very common in the industry, but as we’ve seen, they can be a risky approach for companies of any size. This is why more investors need to pay attention to companies that are looking inwards: choosing to build from within, and only resorting to M&A for highly integrated tech tuck-ins. This build-over-buy strategy prioritizes two elements vital to the long-term success of cybersecurity vendors: homegrown innovation and homegrown integration. A build-first strategy answers the market’s desire for consolidation and holistic solutions to protect an expanding corporate attack surface, while giving a company greater agency over the direction this innovation takes. Investors looking to expand their portfolio should also see tuck-ins as a sign that companies are intentionally investing resources in areas that fuel innovation.

Over the course of my career, I’ve seen private equity and M&A be a detriment to the growth of peer companies—motivating me to protect Trend Micro’s growth by deliberately focusing on building internally.

Promoting a culture of innovation internally also helps breed a culture of stability, which in turn has a positive impact on employee loyalty and retention. These two factors help companies stay resilient, which contributes to how a company performs in the market or whether it appears to be a safe, future-proof investment.

In Conclusion

Security M&As aren’t going away anytime soon. But neither are cyber threats. For the collective good of the fight against cybercrime, we need the industry to prioritize innovation when making any business decision – whether it’s a decision to build or to buy.

For investors, the key is to determine whether the companies they want to put money into are truly innovative. In order to do so, they must look closer at how their underlying technologies were acquired, how well they’re integrated, and how they’re being used day to day.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.