Have You Experienced “Tool Sprawl” in Cybersecurity? | ETF Trends

By Christopher Gannatti, CFA
Global Head of Research

We know we have a diverse array of readers:

  • Individual business owners
  • Employees of large companies
  • Employees of much smaller companies
  • People who are retired or between jobs

Whatever your situation, how many different cybersecurity tools are you aware you interact with? A password manager? A single sign-on interface? A specialist tool focused on email? Another specialist tool focused on accessing cloud computing infrastructure?

The fact is, the more you learn about cybersecurity, the more you are awakened to a large number of providers, each specializing in different types of cybersecurity products. We saw the term “tool sprawl” used to describe the 2022 cybersecurity landscape—we thought it painted an informative picture.1

How Many Tools Are Customers Using?

Enterprise customers may be managing 60–80 tools, with those on the higher end of the spectrum possibly managing up to 140.Imagine dealing with all those tools in the course of normal business operation.

One reason the current environment is characterized by so many tools could relate to the progress of the chief information security officer (CISO) role. Ten years ago, the way a “good CISO” was defined largely had to do with buying and deploying tools. The CISO in 2022 is now evaluated based on outcomes rather than deploying tools, and is much more a top priority for a company’s board.3

A survey done by Gartner found that 88% of boards of directors view cybersecurity as a business risk rather than a technology risk.4

Of course, the attack surface in 2022 has also massively expanded, and companies may frequently launch around new types of artificial intelligence and machine learning techniques, to use one example.5

Dealmaking Is Already Taking Off in 2022

Through August 18, 2022, private equity sponsors and their portfolio companies have backed 162 cybersecurity deals worldwide, valued at $34.9 billion. If this pace continues, it has the potential to surpass 2021’s tally of $36.4 billion across 308 transactions.

One driver of this growth—valuations. In 2020 and much of 2021, the most newly public cybersecurity companies, many of which were focused on the cloud, experienced massive multiple expansion and therefore helped fuel valuations. The growth was strong, but the prices were not inexpensive in an environment where the cost of capital had been low for a long time.

With the rise of inflation and then the shift in policy of many central banks, going away from expansionary support of growth, many of these companies experienced dramatic multiple compression. This has helped private equity players focused on building consolidated product offerings to pick up interesting companies at much lower prices.

Thoma Bravo is one such player that has been quite active. Just in the identity space, Thoma has done deals to acquire Ping Identity for $2.8 billion and SailPoint for $6.9 billion.6

Consolidation is a big desire from customers—possibly a response to the tool sprawl that we mentioned earlier. There is a feeling in the market that there might already be too many companies, so it’s not just about more innovation but also building integrated platforms so customers can go to one place and get more baskets of services.

Option3 is an example of a firm that has shifted from funding new firms to acquiring late-stage middle-market companies for buy-and-build strategies. They are planning to raise a $250 million buyout fund dedicated to a platform acquisition strategy.7

Private equity firms are attracted to cybersecurity companies for many reasons, but they have exhibited lower churn rates than other Software-as-a-Service (SaaS) businesses. They also have tended to generate high margins.8

What about the Slowing Economic Environment?

As with many things, historical comparisons can only take us so far. If we think about the state of cybersecurity in 2007–2009, encompassing the Great Recession, it was totally different. Cybersecurity budgets are much different in 2022 than they were in 2007 heading into that significant slowdown.9

One doesn’t need to look too far to see quotes from industry leaders indicating that even if cybersecurity spending is impacted by a slower economic environment, it most likely wouldn’t be impacted as much as other areas. There are many things that are regulatory requirements or viewed as ‘table stakes’ to the ongoing operation of companies, making them difficult to cut.

The Securities and Exchange Commission has explored a rule that would require disclosure of a “material cybersecurity incident” in a public filing. Disclosure would likely have to be made quite quickly after the event—possibly a response to certain types of attacks and breaches like SolarWinds, where months after the fact the scope of potential damage was growing and growing.10

Regulations aimed to combat cybersecurity threats are likely to have that impact.

Conclusion: A Megatrend for All Seasons?

Norges Bank Investment Management, the world’s largest sovereign wealth fund at $1.2 trillion, recently indicated that cybersecurity is their biggest current concern, noting that it faces an average of three serious attacks each day. The fund sees roughly 100,000 attacks per year, and they classify about 1,000 of them as serious.11 

Firms operating in the financial industry have been increasingly targeted, and firms operating in the Nordic region feel the proximity to Russia during the Ukraine conflict quite tangibly.

While many investment themes might be a bit discretionary or susceptible to delays in a slowing economic environment, we believe cybersecurity is not one of them. We may not know the exact companies or services that will grow the fastest, but backing away from focusing on security is generally not an option. For investors seeking to implement an investment strategy focused on the future of cybersecurity offerings, consider the WisdomTree Cybersecurity Fund.



1 Source: Kyle Alspach, “Thanks to the Economy, Cybersecurity Consolidation Is Coming. CISOs Are More than Ready,” Protocol, 6/17/22.
2 Source: Alspach, 6/17/22.
3 Source: Alspach, 6/17/22.
4 Source: “Gartner Survey Finds 88% of Boards of Directors View Cybersecurity as a Business Risk,” Gartner, Press Release, 11/18/21.
5 Source: Madeline Shi, “PE Dealmaking Thrives in Cybersecurity Sector,” Pitchbook, 8/23/22.
6 Source: Shi, 8/23/22.
7 Source: Shi, 8/23/22.
8 Source: Shi, 8/23/22.
Source: Kyle Alspach, “Cybersecurity Spending Isn’t Recession-Proof. But t’s Pretty Close,” Protocol, 6/6/22.
10 Source: Kyle Alspach, “’Game-changer’: SEC Rules on Cyber Disclosure Would Boost Security Planning, Spending,” VentureBeat, 3/10/22.
11 Source: Adrienne Klasa & Robin Wigglesworth,” Financial Times, 8/22/22.

Originally published on September 8, 2022. 

For more news, information, and strategy, visit the Modern Alpha Channel.

U.S. investors only: Click here to obtain a WisdomTree ETF prospectus which contains investment objectives, risks, charges, expenses, and other information; read and consider carefully before investing.

There are risks involved with investing, including possible loss of principal. Foreign investing involves currency, political and economic risk. Funds focusing on a single country, sector and/or funds that emphasize investments in smaller companies may experience greater price volatility. Investments in emerging markets, currency, fixed income and alternative investments include additional risks. Please see prospectus for discussion of risks.

Past performance is not indicative of future results. This material contains the opinions of the author, which are subject to change, and should not to be considered or interpreted as a recommendation to participate in any particular trading strategy, or deemed to be an offer or sale of any investment product and it should not be relied on as such. There is no guarantee that any strategies discussed will work under all market conditions. This material represents an assessment of the market environment at a specific time and is not intended to be a forecast of future events or a guarantee of future results. This material should not be relied upon as research or investment advice regarding any security in particular. The user of this information assumes the entire risk of any use made of the information provided herein. Neither WisdomTree nor its affiliates, nor Foreside Fund Services, LLC, or its affiliates provide tax or legal advice. Investors seeking tax or legal advice should consult their tax or legal advisor. Unless expressly stated otherwise the opinions, interpretations or findings expressed herein do not necessarily represent the views of WisdomTree or any of its affiliates.

The MSCI information may only be used for your internal use, may not be reproduced or re-disseminated in any form and may not be used as a basis for or component of any financial instruments or products or indexes. None of the MSCI information is intended to constitute investment advice or a recommendation to make (or refrain from making) any kind of investment decision and may not be relied on as such. Historical data and analysis should not be taken as an indication or guarantee of any future performance analysis, forecast or prediction. The MSCI information is provided on an “as is” basis and the user of this information assumes the entire risk of any use made of this information. MSCI, each of its affiliates and each entity involved in compiling, computing or creating any MSCI information (collectively, the “MSCI Parties”) expressly disclaims all warranties. With respect to this information, in no event shall any MSCI Party have any liability for any direct, indirect, special, incidental, punitive, consequential (including loss profits) or any other damages (www.msci.com)

Jonathan Steinberg, Jeremy Schwartz, Rick Harper, Christopher Gannatti, Bradley Krom, Kevin Flanagan, Brendan Loftus, Joseph Tenaglia, Jeff Weniger, Matt Wagner, Alejandro Saltiel, Ryan Krystopowicz, and Brian Manby are registered representatives of Foreside Fund Services, LLC.

 WisdomTree Funds are distributed by Foreside Fund Services, LLC, in the U.S. only.

You cannot invest directly in an index.