Thales announced its agreement to acquire Imperva from private equity firm Thoma Bravo for $3.6 billion, expecting to add $500 million of revenue and expand its data and application security offerings as a result. The overall cybersecurity portfolio will then be structured across three key areas: identity (Thales), data security (Thales and Imperva), and application security (Imperva). Thales and Imperva are no strangers to growth by acquisition from their prior experiences.
Building A New Dream House
Application security is hot, with 63% of security leaders planning to increase their AppSec budgets as applications remain one of the top attack vectors. Thales wants in, and buying Imperva starts to open that door wider, as the majority of Imperva’s revenue comes from this market. Connecting to developers has already been on Thales’ radar. For example, it added enhancements to its data protection solutions for developers, including launching a free-forever downloadable version of CipherTrust Manager for DevSecOps teams.
Thales’ CipherTrust Data Security Platform, built on Thales’ acquisitions of Vormetric and SafeNet, is an encryption-centric data security platform. Imperva’s data security platform, also referred to as its Data Security Fabric, expands Thales’ portfolio for data security in areas and capabilities that it did not play in before, most notably with database activity monitoring and data risk analytics. Both share a vision for simplification of data security in multicloud environments.
Further into the future, a coupling of Thales capabilities in identity and data security is a possibility that we cannot rule out. In the near term, the significance of the acquisition on the identity product area may be less directly impactful but has the potential to bear fruit with longer-term business and technical strategies. Thales is still working through the integration of its 2022 acquisition of OneWelcome for customer identity and access management.
Actually Building A Dream House Together Is Complicated
On the surface, all appears complimentary with this pairing. But what happens when you have two companies that have grown major parts of their portfolio via acquisition now coming together via another acquisition? Each brings a moving truck (or two) full of furniture, accessories, and friends. Configuring the dream-house layout, mode, and lighting is not straightforward. Thales and Imperva will have much work to do to make this work.
Imperva brings to the table two web application firewalls (WAFs) that are still very different and have yet to be integrated. Imperva has also acquired a number of application security specialists in recent years, from Distil Networks (bot management) to Prevoty (RASP) to CloudVector (API security).
It is also still early days in Imperva’s vision with its data security platform capabilities: protecting all data as organizations move their workloads to the cloud. To Imperva’s credit, it has focused strongly over the last few years on its data security capabilities, expanding its coverage from structured and semistructured data to unstructured data, and pushing heavily into cloud environments. Imperva’s technology partnership and integration strategy, as well as its 2020 acquisition of jSonar (database security and risk analytics), was key to this transformation.
Imperva’s aggressive plans to unify its WAFs and consolidate the platform will need to stay focused through the distractions of a large acquisition. Imperva will also need to double down on its focus more effectively to enable customers on their data security fabric journey with its data security platform. With the sorting of pieces post-acquisition, customers may not necessarily see the anticipated synergies and benefits until 2025 or later.
For Thales’ part, a foray into application security requires getting to know a brand-new set of stakeholders. Developers play a strong role in application security tooling purchasing, serving as major influencer, decision-maker, or even the budget holder. An Imperva acquisition will push Thales into new routes to market and introduce the firm into stakeholder communities that it will need to get to know quickly — across application security and data security.
Security leaders, we’d love to continue the conversation with you. If you’re looking to take a deeper dive into what we see with the evolving application security, data security, and identity markets, please reach out.