Cisco’s Cybersecurity Shopping Spree (Part 1)
"Cisco bought seven cybersecurity companies? In this economy?!" Yep, they sure did.
One of cybersecurity's most active strategic buyers is at it again. Cisco has been buying a company every other month this year.
Their $28 billion acquisition of Splunk in September is the largest acquisition in cybersecurity history.¹ This acquisition alone is three times larger than all cybersecurity M&A activity in the first half of 2023 ($8.8 billion). It's also larger than quarterly M&A totals for the past 22 quarters (all the way back to 2018, and likely earlier).²
Cisco's cybersecurity shopping spree should come as no surprise (okay, maybe the Splunk thing was a surprise). They've had a formidable security business for years, lurking in the shadows of their dominant networking business. In the convergence of cybersecurity and everything, Cisco is the headliner.
Diving deeper into the history and strategy for Cisco and its security business is the best way to understand why these acquisitions were made and what their next moves could be.
In Part 1 of the series, we'll take a data-driven look at Cisco's heyday through today. In Part 2, we'll evaluate where Cisco stands today (post-Splunk) and where their security business is heading.
Cisco and its security business
Understanding Cisco's security business starts with understanding Cisco's business over its 38 (!!!) years as a company.
I have always felt a special connection to Cisco. The company is almost exactly as old as I am. It's a staple (alongside Apple and Microsoft) of my earliest tech memories — the work equivalent of grandma’s oatmeal cookies.
On a practical level, Cisco started my career in technology. I had the opportunity to take their Cisco Certified Networking Associate (CCNA) classes (through a junior college) while I was in high school. This gave me both a solid understanding of networking and a running start into a better life.
The Cisco of my youth was a giant and a pioneer in the technology industry. It once reigned as the most valuable company in the world back in 2000.
We're in a different era today. BGP is still around (it's always BGP...), but this isn't my high school Cisco anymore. We're witnessing a retooling of an iconic tech brand. Cybersecurity is the driving force.
Today, Cisco is the 19th largest technology company by revenue ($56.99 billion LTM) and 16th largest by valuation ($216.59 billion). Based on revenue, Cisco is much smaller than Amazon, Google, and Microsoft, and roughly the size of IBM and Oracle.
The reporting of revenue and metrics from Cisco's security business has been fuzzy in recent years. A slide published in 2019 by a previous security leadership regime is a time capsule of metrics we haven't seen in public since:
Cisco's FY22 annual report states 7% of revenue ($3.6 billion) is driven by its End-to-End Security product category. On its Q4 FY22 earnings call, Cisco also shared the segment grew 20% during the quarter. Some cybersecurity startups don’t even grow 20% per quarter (let alone a ~$4 billion business unit).
The scale of Cisco's security business is easy to lose track of with the recent talk around Microsoft exceeding $20 billion in security revenue. Revenue for Cisco's security business unit is larger than every public cybersecurity company except Palo Alto Networks ($6.5 billion) and Fortinet ($4.7B).
The OG of strategic buyers
Cisco's voracious cybersecurity acquisition spree in 2023 might feel bizarre: "Why is a networking company buying all of these cybersecurity companies?!"
Cisco is one of the OG strategic buyers in tech. They bought their first company way back in 1991. Some people reading this weren’t even born yet!
They’re like an A-list celebrity with all the money in the world — they can buy whatever their heart desires.³ Right now, the object of their affection is cybersecurity companies.
Cisco is also one of the most prolific strategic buyers in all of tech, with 253 total acquisitions (and counting).⁴ They average nearly eight acquisitions per year. I don’t even go shopping at the mall eight times per year.
To the surprise of nobody, 206 of Cisco's 253 total acquisitions (81% of M&A activity) have been companies related to its core networking business. Over 90% of Cisco's revenue comes from networking. Acquisitions keep their bread and butter growing.
Cisco’s cybersecurity acquisitions get lost in their flurry of M&A activity. One of our industry’s best secrets is hiding in plain sight: Cisco buys more cybersecurity companies than anyone.
Nobody — not Google, IBM, Microsoft, Palo Alto Networks, Symantec, or any other company — does as many cybersecurity deals as Cisco.
Cisco has acquired 35 pure-play cybersecurity companies at a clip of 1.5 deals per year. They’ve also acquired 12 hybrid companies (ones with a cybersecurity component but not solely focused on cybersecurity). This means 19% of Cisco's acquisitions are cybersecurity-related.
Cybersecurity has been Cisco’s side hustle. It’s quickly becoming the main thing.
Starting the cybersecurity party wave
In surfing, a party wave is a massive wave big enough for everyone to ride.⁶ In cybersecurity, Cisco is usually the ringer: better than everyone expects, but never the center of attention.
Cisco's cybersecurity-related acquisitions have happened in waves (no pun intended):
The four big waves on the chart are Cisco's four largest cybersecurity acquisitions (before Splunk):
- IronPort, a manufacturer of messaging security appliances.
- Sourcefire, a network security and intrusion prevention and detection system.
- OpenDNS, a DNS-based content filtering solution.
- Duo Security, a multi-factor authentication (MFA) platform.
They've spent $1 billion on cybersecurity acquisitions (give or take) in four different years.⁵ That’s a lot. Microsoft has acquired a total of four cybersecurity companies, and none over $1 billion.
In 2023, Cisco is the cybersecurity party wave. A roaring, high-flying, attention-grabbing spectacle. Hop on board and have the ride of your life.
Cisco's $28 billion acquisition of Splunk is the mother of all waves. It’s over twice as large as their other cybersecurity-related acquisitions combined ($13.1 billion).
All of their previous acquisitions were just a warmup. Splunk is the main event:
Cisco is investing more in cybersecurity than ever before. They’ve hit their stride in the past decade.
Including Splunk, cybersecurity makes up 72% ($39 billion) of the money Cisco has spent on acquisitions since 2013. They’re not riding the baby waves anymore. Cisco is out at Mavericks⁷ with the pros riding the biggest and most dangerous waves in the world.
The return of longtime Cisco security executive Tom Gillis in January 2023 lit a fire under the company's cybersecurity M&A efforts. The fire is now roaring with no signs of slowing down.
Buying nearly $30 billion worth of companies in a single year is a clear signal of strategic importance — "put your money where your mouth is," so to speak.
Will Cisco keep the party wave going and bring more companies on board? Or, will it flinch and get sucked into the deep, blue ocean?
Stay tuned for Part 2, where we’ll look at the treasures Cisco has collected and explore what’s possible in the future.
Footnotes
¹Depending on how you classify Broadcom's acquisition of VMWare, and whether you consider Splunk to be a pure cybersecurity company or a hybrid of security and observability. Either way, the primary strategic driver of the acquisition was Splunk's cybersecurity products and customers.
²According to Momentum Cyber data from the 1H 2023 Cybersecurity Market Review and the 2023 Cybersecurity Almanac reports.
³With a very important difference: the things Cisco buys have ROI, unlike jewelry, cars, and Prada.
⁴Cisco has made so many acquisitions that the best M&A data platforms in the world (PitchBook and CapitalIQ) both had missing data. Cisco itself didn’t even have a full list of its own acquisitions. For this analysis, I stitched together and analyzed data from all three sources. You might literally be reading the most accurate version in existence.
⁵Disclosed acquisition dollar volume in 2007 was technically $930 million, not $1 billion. I said "give or take" to give them credit. When we’re talking billions, what’s another $30 million?!
⁶I’m from the Midwest. I don’t surf. Riding a party wave sounds terrifying.
⁷Remember Apple’s Mac OS X Mavericks? They named it after one of the most dangerous places in the world to surf — Mavericks at Half Moon Bay.