Email security heavyweight Proofpoint has announced its acquisition, for $12.3bn, by Thoma Bravo, the private equity firm that is among the most active in the cybersecurity market. This is the highest price yet paid for a security vendor, but assuming the deal goes through (a legal challenge on behalf of shareholders is getting underway), what is its significance, and what does it say about the current state and future of the email security market?
Proofpoint makes long-term losses on a growing top line
The first point to make here is that Proofpoint has been loss-making for a very long time, having reported quarterly net losses at least since late 2011. That said, its top line has been growing consistently in recent years:
Table 1: Proofpoint’s annual revenue
This trend has continued in 1Q21, for which the vendor reported a net loss of $42m (almost the same amount that it lost in 1Q20) on revenue up 15% at $288m.
Now, the positive spin on the Thoma Bravo move is that the private equity (PE) heavy hitter is building a portfolio of cloud businesses—and particularly cloud security firms—in response to the pandemic driving knowledge workers everywhere to work from home; an argument perhaps supported by the 34% premium it is paying vis-à-vis the price at which Proofpoint shares were trading on the eve of the announcement.
The negative spin, meanwhile, is that PE firms generally move in when a company is encountering serious headwinds in its chosen market(s). In Proofpoint’s case, Thoma Bravo has picked up a company that is still growing (albeit not at a profit), which suggests that, with a few adjustments to the business, it could be not just a viable concern, but one that ends the year in the black. And of course, the backdrop here is the headlong rush to cloud and remote working forced on many enterprises by the coronavirus pandemic: never has the need for cybersecurity been greater.
Microsoft now offers basic SEG functionality around O365
Now let us consider what’s been going on in the email market, which continues to be Proofpoint’s bread and butter since it is there that it markets its secure email gateway (SEG) technology. The fundamental shift for business email has been into the cloud, with Office 365 and Gmail being the main contenders, and Microsoft maintaining the 800lb gorilla status it built up in the on-prem Exchange days, thanks to its canny strategy in the way it migrated business customers into the cloud after launching O365 in 2011. Gmail enjoys some success with cloud-native start-ups and SMBs looking to save money, but Microsoft currently reigns supreme in enterprise email services.
The SEG vendors have obviously all moved their platforms into the cloud to accompany this trend, so it’s not as if they’ve been left stranded on their customers’ premises. However, that brings us to the second important development in this market.
The email service providers, and particularly Microsoft, have developed their own security offerings around their email platforms (in Microsoft’s case, a lot of it via M&A activity in Israel). While Microsoft’s security tech usually starts out as “good enough” and no more, that is already a challenge for any dedicated email security vendor. This is especially the case for the SEG vendors, as Microsoft’s products started to carry out a lot of the same basic functions as theirs, such as traffic inspection for malware, URL white/blacklisting, and so on. Furthermore, Microsoft continues to add more functionality to its security products/services, making the challenge ever greater.
Arise the non-SEGs, on Microsoft’s coattails
Then there is the change in the threat landscape itself. While threat actors continue to send phishing emails with dodgy URLs in them as a means of delivering ransomware (a trend that actually enjoyed a significant uptick in 2020), some of them have moved beyond bad attachments and URLs into so-called business email compromise (BEC), in which there is no malware or blacklisted URL for a traditional email security system to detect.
This trend has seen the emergence of a new generation of email security vendors, most of them still at the start-up stage or just slightly beyond it, who don’t pretend to offer all the basic functionality of an SEG (i.e., the scanning etc.), but rather focus on detecting the BEC-style attacks that thwart traditional SEGs, often using some kind of machine learning to do so. Another leading analyst firm has some complicated acronyms for these types of vendors, but so far nobody has picked up on them (one such acronym is CESS, which not surprisingly hasn’t been embraced by the vendors in that group).
Competition is now SEGs vs. non-SEGs + Microsoft
Proofpoint itself calls these vendors’ products “helper apps,” reflecting the fact that their pitch to the customer is “you’ve deployed O365 and are getting basic SEG-like services from Microsoft, so deploy our technology alongside it and get the BEC protection you need.” Omdia tends to call these new kids on the block the non-SEGs.
Of course, the SEGs haven’t sat still, adding functionality of their own to compete with the non-SEG players, but the presence of Microsoft in their neighborhood inevitably puts pressure on their bottom lines, as even SEG market leader Proofpoint’s bottom line demonstrates.
Rik Turner, Principal Analyst, Cybersecurity