How Broadcom Acquiring VMware Would Shake Up CybersecuritySymantec's Plight Under Broadcom Presents a Cautionary Tale for CISOs Using VMware
The tumultuous experience of Symantec under Broadcom's control for the past 2.5 years presents a cautionary tale for CISOs currently using VMware's security technology.
Broadcom in November 2019 completed what was at the time the largest cybersecurity acquisition ever, buying Symantec’s $2.5 billion Enterprise Security business for $10.7 billion to help San Jose, California-based Broadcom diversify beyond chips. But Symantec saw massive customer and employee attrition in the year following deal close, and the company's technology doesn't fare as well in reviews by Gartner.
Although cybersecurity isn't a primary revenue stream for either Broadcom or VMware, both technology firms have sizable security businesses.
Now Broadcom has reportedly put VMware squarely in its acquisition crosshairs, with Bloomberg, The Wall Street Journal and others reporting that the San Jose, California-based semiconductor giant is in talks to acquire Palo Alto, California-based virtualization and cloud behemoth VMware. The reports come just six months after VMware was spun off from Dell, which had held 81% equity ownership.
Investors in each company have reacted very differently to the reports, with VMware's stock surging $20.10 - or 21.03% - to $115.72 in trading Monday afternoon, which is the highest the company's stock has traded since April 5. Conversely, investors sent Broadcom's stock down $18.43 - or 3.39% - to $524.76 in trading Monday, which in the lowest the company's stock has traded since Oct. 28, 2021.
Neither Broadcom nor VMware responded to Information Security Media Group's requests for comment (see: PE Firms 'on Prowl' for Take-Private Cybersecurity Deals).
Although cybersecurity isn't a primary revenue stream for either Broadcom or VMware, both technology firms have sizable security businesses. Broadcom first got into cybersecurity in November 2018 through its $18.9 billion purchase of CA Technologies, which brought CA's authentication, single sign-on, identity management and governance, and directory services capabilities under Broadcom's control.
But it wasn't until a year later when Broadcom bought Symantec that the company became a formidable presence in the cybersecurity market. After some divestitures, the Symantec business under Broadcom today is focused around endpoint, network, information, identity and email security. Broadcom last disclosed annual revenue of $1.61 billion for Symantec for the fiscal year ended Oct. 31, 2020.
VMware's Security Surge
VMware, meanwhile, has long had some intrinsic security elements built into its virtual networking, end-user and compute offerings but really stepped up its security game through its $2.1 billion acquisition of Waltham, Massachusetts-based endpoint detection and response firm Carbon Black in October 2019. That purchase allowed VMware to reach the milestone of $1 billion of annual security revenue by early 2020.
The virtualization giant has not rested on its laurels since then, scooping up Kubernetes security startup Octarine in May 2020 to enable cloud-native environments to be intrinsically secure from development through runtime and application security startup Mesh7 in March 2021 to boost VMware's Kubernetes, microservices and cloud-native capabilities.
In the past year, VMware has debuted a cloud web security offering to fill out its Secure Access Service Edge portfolio as well as the industry's first application security edge, which enables networking and security infrastructure at the data center or cloud edge to flex and adjust as app traffic changes. The company's core security products today are focused on safeguarding endpoints, workloads and containers.
VMware's networking and security business contribute roughly $2 billion of revenue annually and are led by Tom Gillis, who joined the company through its May 2018 acquisition of Bracket Computing, which Gillis founded. Longtime Carbon Black CEO Patrick Morley led VMware's security business unit following the acquisition until he departed the company in December 2021.
VMware and Broadcom also take different approaches to being visible on the industry stage. VMware is one of just three top-level diamond sponsors at next month's RSA Conference - alongside Cisco and RSA - and has tasked Gillis with giving a keynote address on security beyond the network and endpoint. The company also drew 23,000 attendees to its annual VMworld event prior to the COVID-19 pandemic.
Symantec similarly had a very large presence at RSA Conference prior to being acquired by Broadcom, renting out much of Hotel Zetta and having one of the major booths on the show floor in San Francisco's Moscone Center. But after being bought by Broadcom, Symantec's presence at RSA Conference 2020 was cut to a bare minimum and the company doesn't have a sponsorship or booth at this year's show.
Here's a deeper look at how Symantec fared after being acquired by Broadcom.
Symantec Under Broadcom: A Case Study
Broadcom CEO Hock Tan told investors in August 2019 that the company planned to focus on selling the Symantec portfolio to Global 2000 organizations since business with smaller enterprises and SMBs tends to be less sticky. Broadcom said at the time that it planned to achieve $1 billion of cost synergies by November 2020 through cuts to Symantec's sales, marketing, and general and administrative functions.
Tan told investors in March 2021 that he expects Symantec's revenue growth to stabilize at mid-single digits going forward. Broadcom didn't break out its security or Symantec revenue for the fiscal year ended Oct. 31, 2021, and the company hasn't mentioned its security or Symantec business on earnings calls since March 2021.
"The business and financial model we expect them to follow is about focusing on core customers and truly uplifting capacity, entitlements, and products to those core customers across our portfolio," Tan said in March 2021. "We do see a manageable level of attrition in the noncore, but that's offset by an improvement in the core."
Much of Symantec's appeal to Broadcom came from its $4.65 billion acquisition of Blue Coat Systems in August 2016, which brought Symantec into the secure web gateway and cloud access security broker spaces. Symantec was subsequently recognized by Gartner as a leader in both SWG and CASB as recently as fall 2019, when the Broadcom acquisition was announced but hadn't yet closed.
But Gartner felt the quality of Symantec's technology began to wane under Broadcom's purview, with Symantec falling to a visionary in SWG and challenger in CASB by fall 2020. Gartner in 2022 folded CASB, SWG and zero trust network access into a new Magic Quadrant category called Security Service Edge, where Broadcom is only a niche player due to poor integration and continued technical support issues.
Broadcom ultimately spent $174 million on Symantec employee termination costs in the year following deal close, and 10 high-ranking Symantec executives left the company during that time. These exits were capped off by Symantec Senior Vice President and General Manager Art Gilliland departing in November 2020 after overseeing the development, delivery and support of all Symantec products and services under Broadcom's control.
Gilliland in January 2021 became CEO of privileged access management vendor Centrify, which merged with PAM competitor Thycotic to form Delinea. The Symantec business has been led since October 2021 by Rob Greer, who joined the company from Forescout in June 2019 and ran the company's network and infrastructure security division for the year following Gilliland's departure.
Longtime leader Adam Bromwich became Symantec's CTO and vice president of engineering in October 2021 after leading Symantec's endpoint security division since its acquisition by Broadcom in November 2019. The identity business has been led since the close of the Symantec deal by Clayton Donley, who came to Broadcom through its 2018 acquisition of CA Technologies, where he oversaw the security practice.
Racing to the Exits
Broadcom has a track record of selling off security assets it inherited as part of broader acquisitions but isn't interested in running itself. Two months after buying CA Technologies, Broadcom in January 2019 sold its Veracode application security testing assets to Thoma Bravo for $950 million. Thoma Bravo in March 2022 agreed sell a majority stake in Veracode to TA Associates at a valuation of $2.5 billion.
In April 2020, Broadcom sold Symantec's 300-person Cyber Security Services business to Accenture for a reported $200 million to help organizations anticipate, detect and respond to cyberthreats. Then in May 2020, Broadcom sold the majority of Symantec's enterprise consulting team to HCL Technologies to gain more expertise across endpoint security, web security services, cloud security and data loss prevention.
Tan said in August 2019 that Broadcom planned to boost its investment around the Symantec enterprise security endpoint, web and data loss protection products while scaling down investment in other areas where the return may not be as profitable. Those three areas contributed $1.7 billion of revenue in the fiscal year prior to Broadcom's acquisition of Symantec.
What, if any, VMware security assets would be sold if the company falls under Broadcom's control? Only time will tell.