From an Australian CISO’s perspective: Why the Carbon Black acquisition is potentially good news and the Symantec one is not.
Matthew Gardiner, Director, Enterprise Security Campaigns, considers the implications.
The recently announced acquisitions of Symantec by Broadcom and Carbon Black by VMware offer a great opportunity to compare and contrast the motivation behind these acquisitions and to explore how they might impact their existing customers. My takeaway is that the Symantec acquisition is generally bad news for customers, while the Carbon Black deal holds promise.
CISOs and other cybersecurity leaders have a lot on their plates: managing security budgets, technology evolution, the security of cloud applications, staffing, upper management and the Board, compliance, and of course defending against the attacks by cybercriminals both petty and sophisticated. But, increasingly, they must also contend with managing the impact of cybersecurity vendor mergers and acquisitions (M&A) – which analyst firm 451 reports has already broken annual records just eight months into 2019.
Symantec vs Carbon Black Acquisition
Beyond being 100% cybersecurity-focused vendors, Symantec and Carbon Black are positioned quite differently from a products perspective. For the purposes of this article, I will also gloss over their market focus differences. I consider them similar in that they are both well-established security vendors highly critical to their customers. So, even at this early stage, how should CISOs be thinking of the impending acquisitions?
I think it is best to attempt to predict the future impact of these acquisitions by starting with the stated strategies of the buyers – VMware and Broadcom. For VMware it is quite clear that this is primarily a strategic product acquisition to help accelerate the build-out of their "build, run, manage, connect, protect" cloud platform strategy. As the world moves to cloud-deployed applications, it makes total sense that Carbon Black’s Predictive Security Cloud™ platform and suite of applications – including endpoint detection and response (EDR) – allow VMware to clearly position this acquisition as a way of helping to address the fragmentation and lack of integration among security technologies. Of course, VMware wants to make a financial return on this investment, but they are doing so from a customer-driven strategy perspective first.
Good for investors, but what about customers?
In contrast, the acquisition of the Symantec Enterprise business by Broadcom is clearly driven by financial considerations first and last — not how it fits into their security strategy or better addresses the security needs of customers. Broadcom couldn’t be much clearer that their focus with Symantec is on cutting costs across the board, focusing on their most profitable products (DLP, endpoint, SWG) and not their lesser products (email security, network security, cryptology etc), and prioritizing their most profitable customers in the Global 2000.
Forrester’s take on the acquisition is that it’s good news for Symantec investors but less favourable for Symantec customers, on the basis of Broadcom’s recent track record in acquiring CA Technologies in 2018:
“Broadcom has moved aggressively to slash CA’s operating costs. This benefits Wall Street, but also means that customer support, innovation, and product development often grind to a halt.”
Citing the 2010 acquisition of McAfee by Intel as “a cautionary tale”, the analyst warns:
“Broadcom is wading into the tricky waters of a hardware company buying a cybersecurity software company … Current and potential future Symantec customers should monitor the situation for signs of a brain drain among rank-and-file employees, slow silent exits of executives as two-year stays on clauses expire, and any slowdown in improvements in products and services as the company integrates with its new parent, adjusts strategies, identifies “synergies” and cycles in new talent with new perspectives.”
The implications for us Downunder
Because the threat landscape we face as cybersecurity professionals is constantly evolving, we are highly dependent on constant technical innovation. If the vendors we rely on to deliver that innovation don’t invest, they put us as their customers at risk. Given that few ANZ businesses are part of the Global 2000 Broadcom is targeting, we have less leverage and risk being left out in the cold.
CISOs of Symantec subscribers will need to consider the implications of this acquisition very carefully to ensure that what they signed up for is protected in the future, including:
How does cost cutting help my organisation become more secure?
How will this help drive technical innovation at a pace to keep up with the cybercriminals?
How will it address migration of IT and security to the cloud?
What if my organisation isn’t in the Global 2000?
Security leaders are tasked with leading the security charge within their employers by effectively working with a set of security vendors and service providers with whom they can truly partner and on whom they can depend. Not all M&A scenarios are the same. It is incumbent on us to evaluate each on its own merits and to frame our analysis with “what’s in it for my organisation?” In some M&A situations the possible future, while not guaranteed, is bright. In others, existing customers’ well-being is forgotten.