Broadcom’s purchase of Symantec’s enterprise unit will create opportunities for other cyber security players
Broadcom announced the acquisition of Symantec's Enterprise division, for USD10.7 billion, on 8 August 2019. The deal is part of Broadcom's strategy to expand beyond the semiconductor business, which still generates almost 80% of its revenue, and follows earlier acquisitions of Brocade and CA Technologies.
Broadcom aims to use its established sales channels to sell Symantec products, gradually increasing revenue, and to improve profitability by drastically cutting costs. Under Broadcom, Symantec Enterprise will focus on a narrower set of products and customers, creating new opportunities for other players in the security market.
Symantec's enterprise performance has been troubled
Symantec operates in a growing market (Analysys Mason expects the enterprise security market to expand at around 11% each year during 2019–2024), but its enterprise revenue has been volatile, with little or no long-term growth (see Figure 1). The enterprise division generated just over half of Symantec's total revenue in the most recent quarter, down from almost two-thirds of the revenue in 3Q 2017.
However, Symantec's profitability was of greater concern – the company reported that its enterprise division was generating just 10% of operating profit. Symantec would have needed to invest significantly to turn the performance around. Symantec's interim CEO Richard Hill spoke during the 4Q 2019 investor call in May 2019 (that is, well before the sale) of the need to reorganise the sales process and to hire "additional direct salespeople". Instead, Symantec has opted to sell the enterprise assets and focus on the more profitable consumer business. As Hill said when announcing the transaction in August 2019, the deal would "enable our enterprise business to grow without us having to invest in fixing our go-to-market model".
Figure 1: Symantec's enterprise revenue and its enterprise revenue as a share of its total revenue, 1Q 2017–1Q 2020
Broadcom will reuse existing sales channels and significantly reduce costs
The acquisition is part of Broadcom's ongoing move to diversify away from the semiconductor business to include more software and services. This move started when Broadcom purchased datacentre networking firm Brocade for USD5.5 billion in 2016. CA Technologies, a software development firm, was acquired for USD18.9 billion in 2018. These entities will generate just under 30% of Broadcom's total revenue when combined with annual revenue of around USD2.4 billion from Symantec's enterprise business.
The acquisitions of Brocade and CA Technologies are key to understanding the rationale behind the latest deal: Broadcom successfully improved the financial performance of Brocade, in part by increasing revenue but mostly through reduced costs, including large rounds of layoffs. It is hoping to do the same with Symantec's enterprise assets.
The new security assets will give Broadcom access to a large potential market. Analysys Mason estimates that the total enterprise security market is worth USD117 billion in 2019. Broadcom also believes that it can avoid the restructuring costs that were facing Symantec by using the sales teams and platforms developed for Brocade and CA Technologies. The strategy is to target the largest 2000 organisations worldwide.
The cost-cutting targets that Broadcom has for Symantec Enterprise are ambitious; it wants to increase annual EBITDA from around USD350 million today (a 15% margin) to USD1.3 billion (54% margin, assuming no revenue growth).
In addition, Broadcom is planning to focus Symantec's development efforts on the three areas where Symantec is best positioned today – endpoint security, web security and data-loss prevention (DLP). Investment in other areas will be reduced.
Broadcom's plans come with plenty of potential problems. It will want to increase revenue and profit while having a smaller product portfolio, after significantly reducing staff numbers (CA Technologies employee numbers were reduced by a reported 40% in the USA following the Broadcom deal). Broadcom will also deploy a new go-to-market strategy that will take time to establish – for example, existing Broadcom sales teams will need training on how to sell and support security products.
At the same time, Symantec is losing small-business customers (on the 4Q 2019 conference call, a Symantec representative said: "We've lost a lot of business in the mid- to small-business area") and losses in this market are expected to continue. Finally, Symantec is operating in a highly competitive market in which product differentiators can be hard to establish. However, churn among larger customers is low, and Broadcom will need this to remain the case if these larger customers are to act as a base on which to boost the business. It will be no easy task for Broadcom and could well generate opportunities for others.
The deal will ease competition in some areas of the market
Broadcom will hope that the impact of the deal on existing customers is limited in the near term. The Symantec name will go to the new owner, and the current Symantec is likely to become Norton, after its better-known consumer brand. Broadcom and Symantec/Norton will continue to share threat intelligence data; one of the potential benefits of having both consumer and business customers is the large base of endpoints through which new threats can be detected. Many of Symantec's consumer and enterprise products were different, and this will also limit any impact.
The deal has broader implications for the longer term though. For companies that do not target large enterprises with the same core product set (endpoint security, web security and DLP), competition will reduce, as will competition for spend by small and medium-sized businesses. However, Broadcom is likely to compete more aggressively with security companies that target the same products and enterprises as Broadcom, and its sales team will be better able to position its products.
Addendum: Broadcom announced that it had sold a division of Symantec, Cyber Security Services, to Accenture, on 7 January 2020. The division employed around 300 people (out of around 4000 for Symantec) and provides managed services, including threat monitoring and analysis, to large organisations. The sale of the services unit fits with Broadcom's overarching strategy for Symantec as it helps to reduce the complexity of Symantec's business. We also assume that the sale will help to boost Symantec's margin, as the managed services offered by the Cyber Security Services unit were likely to be lower margin than the products business.