Identity security company CyberArk signed a deal to acquire machine identity management company Venafi for $1.54 billion, CyberArk announced Monday.
The acquisition agreement is expected to enable CyberArk to integrate Venafi’s machine identity and access management (IAM) expertise with its own human user IAM offerings. Machine identities are now estimated to outnumber human identities by 40 to 1, and that ratio is growing.
“This acquisition marks a pivotal milestone for CyberArk, enabling us to further our vision to secure every identity — human and machine — with the right level of privilege controls,” CyberArk CEO Matt Cohen said in a public statement. “By combining forces with Venafi, we are expanding our abilities to secure machine identities in a cloud-first, GenAI, post-quantum world.”
Fragmented identities in the cloud era are one IAM challenge recently discussed at the RSA Conference, and the need to consolidate security providers was cited as a priority by 98% of respondents to Palo Alto Networks’ 2024 State of Cloud-Native Security report published Wednesday.
CyberArk Chief Strategy Officer and Head of Corporate Development Clarence Hinton told SC Media the companies plan to leverage their “strong alignment” to improve offerings for existing and new customers, and that the acquisition of Venafi will accelerate the company’s vision to “secure every identity.”
“By bringing together Venafi’s best-in-class certificate lifecycle management, private PKI and certificate authority, IoT identity management and cryptographic code signing with CyberArk’s secret management capabilities, we will create meaningful customer benefits through offering complementary solutions,” Hinton stated. “In addition, Venafi and CyberArk both have deep relationships with CISOs in similar large enterprise organizations making the synergies easier to realize.”
The purchase deal includes $1 billion in cash and approximately $540 million in shares, and is expected to close in the second half of 2024 pending regulatory clearances. CyberArk said its acquisition of Venafi is expected to add approximately $150 million in annual recurring revenue (ARR) and expand its total addressable market (TAM) from $50 billion to $60 billion.
CyberArk-Venafi acquisition signals transformation in identity security market, experts say
Cybersecurity market experts who spoke with SC Media noted the benefit of consolidating human and machine identity security solutions and said CyberArk’s acquisition of Venafi could be part of a trend toward acquisition-driven growth in the security space.
“The companies that are doing the acquiring have basically rationalized their business, their businesses stabilized and they’re now looking for growth again. They’re turning to the innovation ecosystem to identify the most promising growth opportunities, and they’re acquiring them,” commented Bob Ackerman, founder and managing director of AllegisCyber Capital.
Identity management in particular continues to be an enormous challenge — and opportunity — in the security sphere, noted Ackerman, who expected to see “a lot more” merger and acquisition activity in the future due to “recalibration” after several years of somewhat “indiscriminate” capital funding for cybersecurity.
“Massive amounts of money has gone into identity, and we haven’t solved the problems, yet the Achilles heel in cyber is identity. How do you authenticate that someone or something is what he or she or it says it is? This is one of the fundamental problems in cybersecurity, which is why so much capital has gone into that space,” Ackerman said.
Consolidation will likely benefit customers facing “confusion” over a range of different “buzzwords” and machine identity definitions that have come out of the “IAM category explosion” over the past few years, said Will Lin, co-founder and CEO of AKA Identity and former venture partner at ForgePoint Capital.
“This is a smart acquisition by CyberArk for many reasons. For one, certificate managers like Venafi tend to integrate really well with secrets management tools like CyberArk, and certificate management was not a core strength of the CyberArk platform. Whenever we can add more features under one platform, it’s a net positive for customers,” Lin said. “But I also see an added benefit for clearing up some of the complexity within the identity space.”
Like Ackerman and Lin, Nadav Lev, CTO of YL Ventures, also expected consolidation to continue in the IAM space.
“CyberArk is now establishing itself as a holistic platform for all identities — not only human, but machine as well — and we believe that this will generate interest from other large security vendors who will follow suit, acquire smaller identity vendors and compete to offer comprehensive identity platforms against human and non-human threats,” Lev said.