WisdomTree
cyber-7.png

Have you experienced ‘Tool Sprawl’ in Cybersecurity?

Published 12 October 2022

Christopher Gannatti, CFA
Christopher Gannatti, CFA

Global Head of Research

We recognise we have a diverse array of readers, probably some individual business owners, some employees of large companies, some employees of smaller companies and possibly even some people who are retired or between jobs.

Whatever your situation—how many different cybersecurity tools are you aware of that you interact with? A password manager? A single-sign-on interface? A specialist tool focused on email? Another specialist tool focused on accessing a cloud computing infrastructure?

The fact of the matter is that the more you learn about cybersecurity, the more you are awakened to a large number of providers that each specialise in different types of protection. We saw the term ‘tool sprawl’ used to describe the 2022 cybersecurity landscape—we thought it painted an informative picture1.

How many tools are customers using?

Enterprise customers may be managing portfolios of 60-80 tools, with those on the extreme higher end of the spectrum possibly managing up to 1402. Imagine managing all of these tools over the course of a normal business operation.

One reason why the current environment is characterised by so many tools could relate to the progression of the Chief Information Security Office (CISO) role. 10 years ago, the way a ‘good CISO’ was defined largely had to do with buying and deploying tools. The CISO in 2022 is now much more a top priority for a company’s board and C-suite, and now a ‘good CISO’ is evaluated based on outcomes rather than deploying tools3.

A survey conducted by Gartner found that 88% of Boards of Directors view cybersecurity as a ‘business risk’ rather than a ‘technology risk4.’

Of course, the attack surface in 2022 has also massively expanded, and frequently companies may be launched around new types of artificial intelligence and machine learning techniques, to use one example that could also lead to the proliferation of companies.

Dealmaking is already taking off in 2022

Through 18 August 2022, private equity sponsors and their portfolio companies have backed 162 cybersecurity deals worldwide, valued at $34.9 billion. If this pace continues, it could surpass 2021’s tally of $36.4 billion across 308 transactions5.

One driver—valuations. 2020 and much of 2021 saw the most newly public cybersecurity companies, many of which were focused on the cloud, experience massive multiple expansion and therefore premium valuations. The growth was strong, but the prices were not inexpensive in an environment where the cost of capital had been very low for a very long time.

With the rise of inflation and then the shift in policy of many central banks going from expansionary support of growth, many of these companies experienced dramatic multiple compression. This allows private equity players focused on building consolidated product offerings to pick up interesting companies at much lower prices.

Thoma Bravo is one such player that has been quite active. Just in the identity space, Thoma has done deals to acquire Ping Identity for $2.8 billion and SailPoint for $6.9 billion6.

Consolidation is a big desire from customers—possibly a response to the ‘tool sprawl’ that we mentioned earlier. There is a feeling in the market that there might already be too many companies, so it’s not just about more innovation but also building integrated platforms so customers can go to one place and get more services.

Option3 is an example of a firm that has shifted from funding new firms to acquiring late-stage middle-market companies for buy-and-build strategies. They are planning to raise a $250 million buyout fund dedicated to a platform acquisition strategy7.

Private equity firms are attracted to cybersecurity companies for many reasons, but it is noted that they have exhibited lower churn rates than other Software-as-a-Service (SaaS) businesses. They also have tended to generate high margins.

What about the slowing economic environment?

As is the case with many things, historical comparisons can only take us so far. If we think about the state of cybersecurity in 2007-2009, encompassing the ‘Great Recession’, it was totally different. Cybersecurity budgets are much different in 2022 than they were in 2007 heading into that significant slowdown8.

One doesn’t need to look too far to see quotes from experts indicating that even if cybersecurity spending could be impacted by a slower economic environment, it most likely wouldn’t be as impacted as other areas. There are many things that are regulatory requirements or viewed as ‘table stakes’ to the ongoing operation of companies, which make them that much more difficult to cut.

Regulators are also upping the ante. The Securities and Exchange Commission in the US has explored a rule that would require disclosure of a ‘material cybersecurity incident’ in a public filing. Disclosure would also have to be quite quick after the event—possibly a response to certain types of attacks and breaches like SolarWinds, where months after the fact the scope of potential damage was growing and growing9.

Even if regulators do not mandate spending more on cybersecurity, their pursuit of certain types of rules would be likely to have that impact.

Conclusion: a megatrend for all seasons?

Norges Bank Investment Management, the world’s largest sovereign wealth fund at $1.2 trillion, recently indicated that cybersecurity is their biggest current concern, citing that it faces an average of three serious attacks each day. The fund sees roughly 100,000 attacks per year, and they classify about 1,000 of them as serious10.

Firms operating in the financial industry have been increasingly targeted, and firms operating in the Nordic region feel the proximity to Russia during the Ukraine conflict quite tangibly.

While many investment themes might be a bit discretionary or susceptible to delays in a slowing economic environment, cybersecurity is not one of them. We may not know the exact companies or services that will grow the fastest but backing away from focusing on security is not an option.

1 Source: Alspach, Kyle. “Thanks to the economy, cybersecurity consolidation is coming. CISOs are more than ready.” Protocol. 17 June 2022

2 Source: Alspach, 17 June 2022.

3 Source: Alspach, 17 June 2022.

4 Source: “Gartner Survey Finds 88% of Boards of Directors View Cybersecurity as a Business Risk.” Gartner. Press Release. 18 November 2021.

5 Source: Shi, Madeline. “PE dealmaking thrives in cybersecurity sector.” Pitchbook. 23 August 2022.

6 Source: Shi, 23 August 2022.

7 Source: Shi, 23 August 2022.

8 Source: Alspach, Kyle. “Cybersecurity spending isn’t recession-proof. But it’s pretty close.” Protocol. 6 June 2022.

9 Source: Alspach, Kyle. “’Game-changer’: SEC rules on cyber disclosure would boost security planning, spending.” VentureBeat. 10 March 2022.

10 Source: Klasa, Adrienne & Robin Wigglesworth.” Financial Times. 22 August 2022.

Related products

+ WisdomTree Cybersecurity UCITS ETF – USD Acc (WCBR/CYSE)

About the contributor

Christopher Gannatti, CFA
Christopher Gannatti, CFA

Global Head of Research

Christopher Gannatti began at WisdomTree as a Research Analyst in December 2010, working directly with Jeremy Schwartz, CFA®, Director of Research. In January of 2014, he was promoted to Associate Director of Research where he was responsible to lead different groups of analysts and strategists within the broader Research team at WisdomTree. In February of 2018, Christopher was promoted to Head of Research, Europe, where he was based out of WisdomTree’s London office and was responsible for the full WisdomTree research effort within the European market, as well as supporting the UCITs platform globally. In November 2021, Christopher was promoted to Global Head of Research, now responsible for numerous communications on investment strategy globally, particularly in the thematic equity space. Christopher came to WisdomTree from Lord Abbett, where he worked for four and a half years as a Regional Consultant. He received his MBA in Quantitative Finance, Accounting, and Economics from NYU’s Stern School of Business in 2010, and he received his bachelor’s degree from Colgate University in Economics in 2006. Christopher is a holder of the Chartered Financial Analyst Designation.

Best Workspaces - GPTW UK 2024
Best Workspaces for Development - GPTW UK 2024
Best Workspaces for Women - GPTW UK 2024
Best Workspaces in Financial Services & Insurance - GPTW UK 2024
Important Risk Information

Jurisdictions in the European Economic Area (“EEA”): This website and its content has been provided by WisdomTree Ireland Limited, which is authorised and regulated by the Central Bank of Ireland.


Jurisdictions outside of the EEA: This website and its content has been provided by WisdomTree UK Limited, which is authorised and regulated by the United Kingdom Financial Conduct Authority.

The price of any Shares or the value of an investment in ETPs may go up or down and an investor may not get back the amount invested. Past performance is not a reliable indicator of future performance. This material is not intended to be relied upon as a forecast, research or investment advice, and is not a recommendation, offer or solicitation to buy or sell any financial instrument or product or to adopt any investment strategy.

Please click here for our full disclaimer.

© 2026 WisdomTree, Inc. All Rights Reserved