02-07-2025, 10:40 PM
News The SolarWinds $4.4 billion acquisition gives CISOs what they least want: Uncer
<div id="remove_no_follow">
<div class="grid grid--cols-10@md grid--cols-8@lg article-column">
<div class="col-12 col-10@md col-6@lg col-start-3@lg">
<div class="article-column__content">
<p>When SolarWinds on Friday announced a $4.4 billion cash deal to be acquired by private equity (PE) firm Turn/River Capital, it delivered the last thing that nervous enterprise CISOs want: Uncertainty, to be followed by more uncertainty.</p>
<p>“Whenever a security company gets acquired by private equity, you never want to throw a party,” said Frank Dickson, group VP for IDC’s security & trust research practice. “It’s almost never positive.”</p>
<p>Dickson said that the formula for a successful security vendor is overwhelmingly a combination of three things: consistent management, consistent execution, and a consistent vision.</p>
<p>“Change doesn’t do well. And private equity has a tendency to want to change direction. That typically doesn’t benefit customers,” Dickson said. “The issue is that private equity is not in it for the long term. Change creates uncertainty. Benefits will be realized by investors, and the people paying the price will be customers.”</p>
<p> The problem, Dickson said, is the way private equity firms function. </p>
<p>“When private equity acquires companies in security, what they are traditionally trying to do is unlock value. That means increasing profitability, which often means slashing costs and separating parts of the business,” Dickson said. “These sorts of transitions are positive for the customer in a minority of cases.”</p>
<p>The deal is supposed to be completed by June 30, said <a href="https://www.businesswire.com/news/home/20250207410199/en/SolarWinds-to-Be-Acquired-by-TurnRiver-Capital">the acquisition news release</a>. </p>
<h2 class="wp-block-heading" id="uncertainty-bad-for-customers">Uncertainty bad for customers</h2>
<p>SolarWinds has <a href="https://www.csoonline.com/article/566677/12-top-siem-tools-rated-and-compared.html">a good reputation for its security offerings</a>, but its brand is likely to be forever tarnished by the <a href="https://www.csoonline.com/article/570537/the-solarwinds-hack-timeline-who-knew-what-and-when.html">supply chain cyber attack in 2020</a> that trojanized its Orion platform’s updates to deliver malware. </p>
<p>Douglas Brush, who runs a cybersecurity consulting firm called Brush Cyber Consulting, said the decision of what to do now is problematic for the SolarWinds installed base, which, according to the current SolarWinds homepage, includes Walmart, Amazon, McDonald’s, CVS Health, and Morgan Stanley.</p>
<p>The level of uncertainty might prompt some CISOs to consider moving to one of SolarWinds’ top rivals, Brush said, but that is unlikely to be an especially viable option.</p>
<p>That is because of two things: the pain and expense of the transition — “it’s a huge lift and shift,” Brush said — and the practical reality that the other companies could also get acquired. </p>
<p>“I would hold. Wait and see what happens,” Brush said. He suggested asking current SolarWinds executives for future direction. It’s actually a test question, he said; given the shifting ownership, senior management won’t truly know the future direction.</p>
<p>“If they are saying ‘We don’t know what will happen,’ then at least someone is being honest,” Brush said. “You are asking the question not because you want to see the answer. You want to see <em>how</em> they answer.”</p>
<h2 class="wp-block-heading" id="analyst-fears-the-worst">Analyst fears the worst</h2>
<p>Brush said that with SolarWinds and Turn/River, he fears the worst. “They are going to cannibalize it. They are going to do what private equity does with these companies: they will strip it down and sell the parts to larger companies.” </p>
<p>“They will deliver turnover. It’s right in their name,” Brush said. “I hope that they don’t do something like send it up the river. But again, given that River is right there in the name, I have my concerns.”</p>
<p>Another concern is with the company’s financial visibility as a private equity-owned firm, he said. With a publicly-held security firm, CISOs can review every SEC filing for clues about the vendor’s viability and future plans, but “with a private equity firm, that is completely a black box.”</p>
<p>Richard Caralli, senior cybersecurity advisor at Axio, also said that he thinks the biggest change from this deal, assuming it eventually completes, will be the shift from public to private status.</p>
<p>“By going private, the issues SolarWinds encountered with the SEC will largely go away. A lack of shareholders means reduced external pressures to improve cybersecurity posture, particularly in pursuit of prevention of man-in-the-middle attacks that hurt users,” Caralli said. “The lack of regulatory-based disclosure requirements may mean that new issues that potentially put customers at risk may not be identified or communicated in a timely manner. Additionally, the emphasis from private investors on growth and value may deprioritize cybersecurity improvements over building the business back.”</p>
<p>This means that enterprise customers should watch carefully how SolarWinds products change, and continually re-evaluate their value, Caralli said. </p>
<p>Will Townsend, a VP and principal analyst at Moor Insights & Strategy, agreed that the 2020 supply chain attack has continued to haunt SolarWinds, and that it is likely a key factor in SolarWinds’ decision to accept the buyout.</p>
<p>“Going private through a PE deal is no surprise. [SolarWinds] never did enough to reassure investors and customers that it had learned and implemented measures to prevent that epic supply chain hack from happening again,” Townsend said in a <a href="https://x.com/willtowntech/status/1887927980992700476?s=46">post on X</a>, adding that SolarWinds didn’t do much “beyond an apology tour that never reached the broader market.”</p>
<h2 class="wp-block-heading" id="cisos-dont-do-anything-rash-analyst">CISOs, don’t do anything rash: Analyst</h2>
<p>Like Brush, IDC’s Dickson encouraged CISOs to wait and watch. </p>
<p>“Whenever private equity buys a security company, the first thing to do is breathe. The last thing you want to do is something rash,” Dickson said. </p>
<p>When evaluating alternative vendors, Dickson said to focus on the big picture. </p>
<p>“Ten percent of the value is in the tool, and 90 percent is in the people and processes around the tool. Look at what the tools are out there and give it time. Then in six months, reassess,” Dickson said. For customers looking at near-term renewal issues, he said to renew, “but don’t go for any more than a one-year timeframe on your renewals” and focus on exit clauses. Then strategize on a 2-year to 4-year timeframe, he said.</p>
<p>When asked for her thoughts on what the acquisition means for enterprise CISOs, Jess Burn, a principal analyst for security and risk at Forrester, was succinct: “Not a whole lot.”</p>
<p>“The SolarWinds hack and resulting breaches gave CISOs two things to think about: Greater scrutiny of third and fourth parties in or connected to the enterprise, and personal liability,” Burn said. “SolarWinds was the beginning of a broader product security awakening for CISOs and government agencies like CISA, who launched Secure By Design in 2023 after a series of software supply chain related breaches. Third- and fourth-party risk management is still an issue, but CISOs now know what to ask their partners, including software vendors and managed IT service providers.”</p>
</div></div></div></div>
https://www.csoonline.com/article/382004...ainty.html