{"id":1835,"date":"2025-02-07T22:30:06","date_gmt":"2025-02-07T22:30:06","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1835"},"modified":"2025-02-07T22:30:06","modified_gmt":"2025-02-07T22:30:06","slug":"the-solarwinds-4-4-billion-acquisition-gives-cisos-what-they-least-want-uncertainty","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1835","title":{"rendered":"The SolarWinds $4.4 billion acquisition gives CISOs what they least want: Uncertainty"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>When SolarWinds on Friday announced a $4.4 billion cash deal for it to be acquired by private equity (PE) firm Turn\/River Capital, it delivered the last thing that nervous enterprise CISOs want: Uncertainty, to be followed by more uncertainty.<\/p>\n<p>\u201cWhenever a security company gets acquired by private equity, you never want to throw a party,\u201d said Frank Dickson, group VP for IDC\u2019s security &amp; trust research practice. \u201cIt\u2019s almost never positive.\u201d<\/p>\n<p>Dickson said that the formula for a successful security vendor is overwhelmingly a combination of three things: a consistent management, a consistent execution, and a consistent vision.<\/p>\n<p>\u201cChange doesn\u2019t do well. And private equity has a tendency to want to change direction. That typically doesn\u2019t benefit customers,\u201d Dickson said. \u201cThe issue is that private equity is not in it for the long term. Change creates uncertainty. 
Benefits will be realized by investors, and the people paying the price will be customers.\u201d<\/p>\n<p>\u00a0The problem, Dickson said, is the way private equity firms function.\u00a0<\/p>\n<p>\u201cWhen private equity acquires companies in security, what they are traditionally trying to do is unlock value. That means increasing profitability, which often means slashing costs and separating parts of the business,\u201d Dickson said. \u201cThese sorts of transitions are positive for the customer in a minority of cases.\u201d<\/p>\n<p>The deal is supposed to be completed by June 30, said <a href=\"https:\/\/www.businesswire.com\/news\/home\/20250207410199\/en\/SolarWinds-to-Be-Acquired-by-TurnRiver-Capital\">the acquisition news release<\/a>.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Uncertainty bad for customers<\/h2>\n<p>SolarWinds has <a href=\"https:\/\/www.csoonline.com\/article\/566677\/12-top-siem-tools-rated-and-compared.html\">a good reputation for its security offerings<\/a>, but its brand is likely to be forever tarnished by the <a href=\"https:\/\/www.csoonline.com\/article\/570537\/the-solarwinds-hack-timeline-who-knew-what-and-when.html\">supply chain cyber attack in 2020<\/a> that trojanized its Orion platform\u2019s updates to deliver malware.\u00a0<\/p>\n<p>Douglas Brush, who runs a cybersecurity consulting firm called Brush Cyber Consulting, said the decision of what to do now is problematic for the SolarWinds installed base, which, according to the current SolarWinds homepage, includes Walmart, Amazon, McDonalds, CVS Health, and Morgan Stanley.<\/p>\n<p>The level of uncertainty might prompt some CISOs to consider moving to one of SolarWinds\u2019 top rivals, Brush said, but that is unlikely to be an especially viable option.<\/p>\n<p>That is because of two things: the pain and expense of the transition \u2014 \u201cit\u2019s a huge lift and shift,\u201d Brush said \u2014 and the practical reality that the other companies could also get 
acquired.\u00a0<\/p>\n<p>\u201cI would hold. Wait and see what happens,\u201d Brush said. He suggested asking current SolarWinds executives for future direction. It\u2019s actually a test question, he said; given the shifting ownership, senior management won\u2019t truly know the future direction.<\/p>\n<p>\u201cIf they are saying \u2018We don\u2019t know what will happen,\u2019 then at least someone is being honest,\u201d Brush said. \u201cYou are asking the question not because you want to see the answer. You want to see <em>how<\/em> they answer.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Analyst fears the worst<\/h2>\n<p>Brush said that with SolarWinds and Turn\/River, he fears the worst. \u201cThey are going to cannibalize it. They are going to do what private equity does with these companies: they will strip it down and sell the parts to larger companies.\u201d\u00a0<\/p>\n<p>\u201cThey will deliver turnover. It\u2019s right in their name,\u201d Brush said. \u201cI hope that they don\u2019t do something like send it up the river. But again, given that River is right there in the name, I have my concerns.\u201d<\/p>\n<p>Another concern is with the company\u2019s financial visibility as a private equity-owned firm, he said. With a publicly-held security firm, CISOs can review every SEC filing for clues about the vendor\u2019s viability and future plans, but \u201cwith a private equity firm, that is completely a black box.\u201d<\/p>\n<p>Richard Caralli, senior cybersecurity advisor at Axio, also said that he thinks the biggest change from this deal, assuming it eventually completes, will be the shift from public to private status.<\/p>\n<p>\u201cBy going private, the issues SolarWinds encountered with the SEC will largely go away. A lack of shareholders means reduced external pressures to improve cybersecurity posture, particularly in pursuit of prevention of man-in-the-middle attacks that hurt users,\u201d Caralli said. 
\u201cThe lack of regulatory-based disclosure requirements may mean that new issues that potentially put customers at risk may not be identified or communicated in a timely manner. Additionally, the emphasis from private investors on growth and value may deprioritize cybersecurity improvements over building the business back.\u201d<\/p>\n<p>This means that enterprise customers should watch carefully how SolarWinds products change, and continually re-evaluate their value, Caralli said.<\/p>\n<p>Will Townsend, a VP and principal analyst at Moor Insights &amp; Strategy, agreed that the 2020 supply chain attack has continued to haunt SolarWinds, and that it is likely a key factor in SolarWinds\u2019 decision to accept the buyout.<\/p>\n<p>\u201cGoing private through a PE deal is no surprise. [SolarWinds] never did enough to reassure investors and customers that it had learned and implemented measures to prevent that epic supply chain hack from happening again,\u201d Townsend said in a <a href=\"https:\/\/x.com\/willtowntech\/status\/1887927980992700476?s=46\">post on X<\/a>, adding that SolarWinds didn\u2019t do much \u201cbeyond an apology tour that never reached the broader market.\u201d<\/p>\n<h2 class=\"wp-block-heading\">CISOs, don\u2019t do anything rash: Analyst<\/h2>\n<p>Like Brush, IDC\u2019s Dickson encouraged CISOs to wait and watch.\u00a0<\/p>\n<p>\u201cWhenever private equity buys a security company, the first thing to do is breathe. The last thing you want to do is something rash,\u201d Dickson said.\u00a0<\/p>\n<p>When evaluating alternative vendors, Dickson said to focus on the big picture.\u00a0<\/p>\n<p>\u201cTen percent of the value is in the tool, and 90 percent is in the people and processes around the tool. Look at what the tools are out there and give it time. Then in six months, reassess,\u201d Dickson said. 
For customers looking at near-term renewal issues, he said to renew, \u201cbut don\u2019t go for any more than a one-year timeframe on your renewals\u201d and focus on exit clauses. Then strategize on a 2-year to 4-year timeframe, he said.<\/p>\n<p>When asked for her thoughts on what the acquisition means for enterprise CISOs, Jess Burn, a principal analyst for security and risk at Forrester, was succinct: \u201cNot a whole lot.\u201d<\/p>\n<p>\u201cThe SolarWinds hack and resulting breaches gave CISOs two things to think about: Greater scrutiny of third and fourth parties in or connected to the enterprise, and personal liability,\u201d Burn said. \u201cSolarWinds was the beginning of a broader product security awakening for CISOs and government agencies like CISA, who launched Secure By Design in 2023 after a series of software supply chain related breaches. Third- and fourth-party risk management is still an issue, but CISOs now know what to ask their partners, including software vendors and managed IT service providers.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>When SolarWinds on Friday announced a $4.4 billion cash deal for it to be acquired by private equity (PE) firm Turn\/River Capital, it delivered the last thing that nervous enterprise CISOs want: Uncertainty, to be followed by more uncertainty. 
\u201cWhenever a security company gets acquired by private equity, you never want to throw a party,\u201d [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1836,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1835","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1835"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1835"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1835\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1836"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}