The fragmented identity and access management subsector of cybersecurity needs consolidation, and private equity firms are taking the opportunity to combine vendors and create players that can compete better in the marketplace.
Deal activity in 2022 by Thoma Bravo LP is an example, according to Garrett Bekker, principal research analyst at 451 Research. The software-focused private equity firm completed its approximately $6.9 billion acquisition of SailPoint Technologies Holdings Inc. on Aug. 16 and is now in the process of acquiring Ping Identity Holding Corp. for $2.8 billion.
"You could see some private equity activity following an example of, say, Thoma [Bravo] picking up Ping and SailPoint," Bekker said. "There's a very high chance that they will look to combine those two companies."
Identity and access management is a group of technology that deals with managing digital identities and controlling access to enterprise resources. There are at least five subsegments within the space, including authentication, identity governance, access management, privileged access management and customer identity access management, Bekker said.
"Those silos are starting to break down, and part of that is driven by just market forces. The vendors in these categories are looking for new market opportunities. They're also being forced to compete with bigger vendors that span multiple categories now like Microsoft and Okta."
Global private equity and venture capital transactions in the identity and access management sector amounted to $12.37 billion across 77 deals in the year to Aug. 12, according to data from S&P Global Market Intelligence.
* Download a spreadsheet with data featured in this story.
* Click here to read about global private equity and venture capital entries in July.
* Click here for more private equity coverage.
The year-to-date value and volume of private equity-backed deals do not appear to be on track to match 2021's $34.44 billion, which was driven by McAfee Corp.'s sale to a group of private equity investors for about $12 billion in cash, excluding debt.
"I don't know if we'll see the $12 billion deals again, but there's still a fair amount of private equity capital out there, and there's still, more importantly, a lot of viable targets," Bekker said.
Total M&A in the subsector is forecast to surpass the 2021 level, with strategic acquisitions expected to more than make up for the drop in private equity acquisitions. Private equity-backed transactions fell to roughly 20% of total M&A so far in 2022, compared to over a third, even going as high as up to 38%, in the past few years, Bekker said.
The rise of cybersecurity interest
Cybersecurity M&A, particularly for the identity and access management sector, is strong largely because cybersecurity is a relatively safe harbor in a down market and relative to other sectors of technology, media and telecommunications, according to Bekker.
"That's even become more so over time because we've got a lot more regulations now than we did 20 years ago that really pushed for cybersecurity. There's more awareness at the board level that security is a critical thing to spend on, whereas 20 years ago on the dot-com crash, it was really hard to make that point."
Bekker added that the move to a new security paradigm called "zero trust" in the last few years has made identity critical to online interaction. Zero trust requires verification, authentication and checking of permissions and policies before anyone is allowed access to certain resources.
In the larger security industry, a lot of companies are prime targets for private equity, Bekker said. "By our count, there's probably about 4,000 security vendors. There are maybe at least several hundred identity and access management vendors. ... If we look at the various sectors of cybersecurity that have been most active in terms of M&A, identity and access management has been in the top three for at least the past five years, if not number one."
451 Research is part of S&P Global Market Intelligence.