A strong professional services organization requires good people and strong knowledge. This is no big surprise to anyone. What they also need is scale and expertise. Many mid to large-sized cybersecurity firms have the people, the knowledge and some even the scale, but many lack the deep expertise in high-demand industries like financial, insurance, utilities, etc. As Generalists, it makes sense that they maintain a broader expertise as they were constructed to service the many, not the few. These larger providers simply have too many moving parts, with personnel usually thinly located at multiple locations, with at times presenting conflicting solutions, and face operational challenges to focus on, as well as all requiring their ongoing attention.
This lack of vertical industry expertise is leading many mid to large-sized cyber firms to engage in M&A activity to fill their vertical knowledge gaps by acquiring smaller providers who have the deep and wide subject matter proficiency they need to service their current and future customers.
Other challenges facing larger cyber providers include a mere trickling of qualified cyber professionals coming out of college. Many of these same firms are also approaching maturity and need to make some big moves to maintain upward sales trajectory. In fact, “Cybersecurity professional services almost exactly meets the definition of a mature industry segment…”1
In fact, we are already seeing significant M&A activity in the cyber space. “Forty-five2 cybersecurity-related merger and acquisition (M&A) deals were announced in June 2022” alone. Intense competition and margin pressures are other contributing factors to this industry consolidation.
“There are nearly 715,0003 cybersecurity job openings in the U.S. right now.” This issue has prevailed ever since 2011. Good cybersecurity professionals are hard to find and keep. What’s more, schools aren’t doing what is necessary to ensure a recurring crop of new cyber professionals. Up until recently, cybersecurity has been largely absent from university curriculums. Fortunately, things are now looking up.
“Meanwhile, higher education institutions, both big and small, have used internal and external funds to create new cybersecurity and IT career programs to produce the professionals needed in today’s digital workforce. (In early 2021 alone,) the University of Hawaii announced new cybersecurity internships, Benedict College in South Carolina added a master’s degree extension of its cybersecurity program, Maryland’s Frostburg State University received grant money for cybersecurity workforce training, and New York’s LaGuardia Community College announced accelerated education courses in cybersecurity.”4
These educational programs are certainly a good sign for the cyber industry, but this does not solve the immediate personnel and expertise many mid to large-sized cyber firms face today.
Globality is a similar issue. Many cyber clients today have needs spanning multiple countries. While the big providers may have the arms and legs in these regions to put on projects, they may lack the specific regional regulatory expertise needed to really service/protect these clients effectively. According to United Nations Conference on Trade and Development, 1565 countries (80 per cent) have enacted cybercrime legislation (to date).
Successfully providing Cyber consulting and managed IT services to clients requires a deep security and infrastructure knowledge, as well as expertise. All providers obviously strive to be the strongest they can be in this area. But again, there is a staffing/skills shortage in this industry segment. Many larger firms position themselves as generalists for mass appeal. That can backfire if the clients the firm is serving are complex or highly regulated and require elevated subject matter expertise. This supports the saying that you should not try to ‘’be all things to all people.’’
By partnering with (or acquiring) a smaller cybersecurity firm, they can dig into the highly regulated industry sectors with their new-found vertical expertise. They can offer vertical-industry specific cyber solutions that cater to individual sectors and provide all the IT security and consulting needed to meet those businesses’ unique requirements and challenges. Clients will favor solutions designed for their particular industry. This helps the bigger firms establish a growing presence in financial services, healthcare, insurance, utilities, and so on, leading to increased revenue.
Vertical industry expertise/technologies can also be tailored or splintered to other industries as well as provide cross support to other established verticals.
Niche cyber players can also add immediate value to some of the larger firms’ existing clients. Once acquired or partnered with, smaller firms can offer customers strategic and proactive cyber recommendations based on their vertical experience and expertise, having successfully serviced others in their industry sector. Some mid to large-sized cyber providers may take the domain expertise from their past lives or from their first client and run with hit. With a history in the financial services IT space, for instance, or with an initial client in that industry, they tend to continue to walk down that path as they have the mindset and inside understanding of what companies in that specific industry likely face. It’s what they know best, and it can be easier to secure new business from companies in that known vertical.
These firms need to engage smaller firms that can fill in their vertical gaps with working knowledge in complementary industries. Moreover, when two mid-sized firms come together with strengths in different verticals, each provider can take its specialty services and start making their mark in the other firm’s target industry. Other derivative advantages of acquiring vertical expertise include cost efficiencies, budget sharing, increased purchasing power, solution diversification, value creation, and more.
The cybersecurity marketplace is maturing. Larger firms need to acquire specialized industry expertise in order to thrive. Smaller niche firms have the expertise but need the scale and global footprint. Now is the time to consider aligning your mid to large-sized cybersecurity services business with a smaller, niche, complimentary provider who can help you accelerate growth by forging deeper into select verticals, meeting greater needs of existing clients, and successfully servicing businesses on a global-local scale.
 “An Intro to Consolidation and Aggregation in Cybersecurity”, May 11, 2022, Security Boulevard.
 “Cybersecurity M&A Roundup: 45 Deals Announced in June 2022”, July 7, 2022, Security Week.
 “Cybersecurity Supply/Demand Heat Map”, Oct. 2022, Cyber Seek.
 “Cybersecurity Studies Increasingly Popular at US Colleges”, Apr. 28, 2021, Government Technology.
 “Cybercrime Legislation Worldwide”, Dec. 14, 2021, United Nations Conference on Trade and Development (UNCTAD).