How AI and geopolitics are reshaping cybersecurity
13:59 Share

Amid a relatively soft deal-making environment, one bright spot this year has been the surge in cybersecurity deals. So what's fueling activity in the space and how are factors such as AI and rising geopolitical tensions affecting the industry?

I'm Allison Nathan, and this is Goldman Sachs Exchanges. To discuss the forces shaping cybersecurity, I'm sitting down with Marco Pelletti, Global Head of Security Software within the Technology, Media, and Telecommunications Group in our investment banking business. Marco, welcome back to Exchanges. It's great to be here.

So Marco, the cybersecurity sector is one of the few that's actually seen a pickup in M&A activity this year. We've seen a number of deals, including Google's largest ever acquisition to purchase cybersecurity startup Wiz for $32 billion. What are some of the drivers behind deal activity in the space? You know, it's a good question. I would say the reality is security is just really important. And because it's really important, it's really important to a lot of potential buyers.

And so when I look at what's been going on in the last few years, the universe of buyers that we have in cybersecurity has really expanded. Last year, for example, we also advised Mastercard on their acquisition of Recorded Future, which was a threat intelligence company. And so when I think that's going on, it's really, I would say, two or three main factors. The first one is it's just a much more dangerous world. When you think about the number of cyber attacks

there's just more and more of them and it just keeps on coming. And so that means we need better security. I think the second thing is cybersecurity is really viewed as a competitive advantage now. And so if you're Google, if you're Microsoft, if you're those big tech companies, being viewed as focused on security is really critical to keep winning in your core markets.

And the third thing which I would say, which we have seen in cybersecurity is the idea of platformization, meaning having one vendor that does a lot more of things. And that means usually doing that through M&A, which has been a fuel to our business.

And so are there certain sectors that are seeing more activity and what's driving that activity? Yeah, I would say when you look at the activity in M&A and cybersecurity, you kind of have to follow innovation. And so where we've seen a lot of activity in the last few years and in the last few months is everything on cloud security. You were talking about the Waze transaction. I would say everything on security operations. So security operations, meaning how you help companies actually deal with security issues.

and remedy them. That's been a really important theme. Lots of M&A that we've already seen, a lot more that I expect to come. And another big thing has been AI. Obviously, as you may expect, AI is transforming everything in tech and in software, and so it's also transforming security. It's interesting because there's a couple of themes there. The first one is how you can use AI for better security outcomes, but then also how security needs to adapt to secure AI. That's a very new theme, but I do expect you'll see a lot of M&A coming out of that.

And the other topic I would highlight there is cybersecurity is an industry where we have seen a lot of financial sponsor and private equity activity. And that's really a cycle that I expect will keep on going, given how critical, sticky, and irrelevant the industry is. And that will just fuel more M&A going forward. Right. And so do you see the pace of these transactions picking up? How do you view the pipeline from here?

I mean, look, the pipeline is as high as it's ever been. Again, when you look at dry powder from private equity firms, it's as high as it's ever been. And so they need to deploy that capital. They also own a lot of assets today that will need to find a home, be that in the public markets or through M&A in the next few quarters and years. And when I look at the large strategic environment we were talking about earlier, I think there's a ton more to do. I think there's a ton more to do to keep being relevant to customers. And so the pipeline just keeps on growing.

MELANIE WARRICK: And is that also the case for IPOs? What is the IPO market looking like? FRANCESC CAMPOY: It's a good question. It is a moment in time where I would say normal market conditions, the IPO pipeline for security looks really good. We have a number of really high quality companies that have really great characteristics around durable growth,

really disrupting their markets that we think public investors will love at the right time. But look, we live in an uncertain period. And I was talking about this earlier. I think it's going to be the next few quarters, it's harder to predict your own business, right? I think it's harder to figure out what will work and not work with public investors. And a lot of the companies that were planning to go public in the next few quarters are maybe putting a bit of a pause on and seeing, well, what's happening in the macro, what's happening to the economy?

How does that translate to my business? And therefore, when is the right time to go public? Now I'll tell you, when the IPO market is not working, the M&A market is working very well. And so I think it will be interesting to see in the next few quarters what happens and how long this uncertainty we're in continues, because it could actually end up resulting in more M&A, because those really great companies will need to do something.

And if we think about that uncertainty and how it's impacting the industry more broadly, is it affecting companies' willingness to spend on cybersecurity? What are you seeing on the ground?

As of April 2025, from talking to a lot of my clients, I don't think the impact is widespread, at least yet. And I think there's a couple of reasons for that. The first one is, frankly, if you look at what happened in 2022, 2023, when we already had a recession, cybersecurity actually fared better than other industries and even other software verticals. And the reason for that is

If you think about it, the reality of the cybersecurity spend is you're spending to protect yourself. And if you decide to not spend into something and suddenly you have a breach, that's a really bad day for you as an employee of any type of company. And so it tends to be a lot more sticky than other categories.

I think that will continue in the new period that we're in. It will be harder to go into new markets, to go into new products, just because it's going to be a lot harder for your customers to decide to spend more with you. But I do think they'll keep the spend that they have with you. - If we're talking about the current environment for the moment, are the government funding cuts,

Are they having an impact here? When you look at the typical targets of cybersecurity, by targets I mean from a customer perspective for the cybersecurity companies, governments across the world have always

always been a very important customer base. And they're not only an important customer, but for a lot of the cybersecurity companies, they're actually a partner because you need to partner with the government to find out what the bad guys are doing. And that's really the way you protect not just companies, but also national security. And so the long term relationship between cybersecurity and the government is going to continue. I have a few examples of some of our clients who have really great customers,

that are going to remain customers for years, but there's no budget right now and no one really knows where the budget is. So I think it goes back to the theme of having temporary uncertainty that's weighing on near-term growth. But I don't think any of that, at least for cybersecurity, will really impact the long-term relationship with the government as a customer. Right. And as you said, there is

and a growing need for cybersecurity. If you think about the trends that you're seeing in terms of things like cybercrime, how are they evolving? And how do you think about that in the context of the geopolitical tensions that we have today? - Yeah, look, sadly, more conflicts, more geopolitical issues typically means more attacks.

And so the more tensions you have in the system, the more that will translate in more attacks. And, you know, what's interesting is those attacks are not necessarily from nation states. You also have people that are just literally trying to earn a living by being cyber criminals. And so that trend, unfortunately, I think will just continue, which makes cybersecurity even more relevant than it's ever been.

Interesting, right? Of course, we always think of cyber, bad actors, political, but there's a lot of other things. I mean, when you look at all of those phishing links and everything, you know, someone telling you that you haven't paid something and asking you to click on the link, that's not coming from a nation state. That's just someone trying to scam you. Right, of course. And scams are up. We all know, personally, scams are up. Hopefully you don't click on that. Yeah, and look, that's one of the reasons why it's fascinating to, I'm really lucky to have my job, because when you think about what's going on in cybersecurity,

Innovation just cannot stop because really what cybersecurity does is protecting you in context of newer things that you use and in context of newer ways that the attackers have of attacking you. So in the personal side of things, if you start using a new messaging app, for example, that's a new attack vector.

and you need to be protected against that. And we also need to figure out that the way the bad guys use that, you also protect against that. And so, look, there was a big wave of innovation that was related to enterprises moving to the cloud. Cloud was a huge new attack surface that needed to be protected.

And so now a lot of people are talking about Gen AI as being that new platform on which the next wave of innovation in tech is going to be built. That's going to be a huge attack surface. And so again, I think that really creates more attacks, that creates more needs to protect against new things, and so that creates more need for cybersecurity.

And there's obviously been a lot of talk right now around spending in defense and innovation in defense technology. Where does spending on cybersecurity capabilities feature when you think about the

defense tech innovation? Yeah, that's a truly fascinating area because when you look at all of the innovation in cybersecurity, it's been mostly B2B. And so it's been really mostly an enterprise and commercial aspect. When you look at CrowdStrike, Palo Alto, all those companies are really protecting enterprises. But when you look at where innovation in cybersecurity is coming from, like the big market for cybersecurity is Israel. And one of the things that Israel has done amazingly well is essentially using the experience of

a bunch of people that went to the army and that went into a unit where they were essentially fighting against cyber criminals. And then they use that experience to create companies, startups like Wiz that just became amazing at what they do and amazing at protecting enterprises. And so I think what we're seeing in that new wave of defense tech and companies both in the US but also frankly in Europe that are finding new ways of just supplying the defense governments

cybersecurity is critical in that because one you actually have to make sure that whatever you build is protected like when you think about a bunch of unmanned devices that talk to each other that go and target you know very far away those things need to be protected you can't have that you know you don't want a missile to be hacked and so embedding cyber security in those things is really important but then there's also some really interesting themes about how

how you use cybersecurity in a bigger way to go against who you're targeting. And that's always been what the government has been doing. There's obviously new tools that are available now. I don't think that really impacts the enterprise business and the market value of cybersecurity, but I think it's really critical for national security. Right. And if you think about the biggest threats in cybersecurity that you're watching and perhaps some of the solutions to those risks, what do you find most interesting?

Yeah, I probably would highlight two things. The first one is Gen AI, because when you think about Gen AI, it's really more from the attacker's perspective. You don't need to know how to write code to launch an attack anymore. And so that's a really big risk. And then if you take that one step forward, true AI, meaning if you have a self-aware bot that's in a system that knows when to detonate or not detonate if you're in a sandbox, that's actually really scary. And frankly, that's the world that we're heading into. So I think that's

issue number one. Issue number two, frankly, is user fatigue. And you and I are going through many cybersecurity trainings. We know what we should click on, should not click on. But the idea of user fatigue in a world where there's so much data that comes our way,

It's really tricky sometimes to not click on something if you think it's really real. So I think those are the two big issues for companies now. And so when you think about some of the solutions, there's a lot of really amazing things being done right now around what I'd call human security or how you protect humans and what humans do rather than servers or things that sit in the cloud. So that's really interesting. And then everything around Gen.AI, look,

It's really immature in cybersecurity right now because if you think about what security protects, we don't really know what Gen-AI will mean for enterprises five or ten years from now. And I think we'll need to know really what it looks like before cybersecurity becomes real. You kind of need to know what you have to protect before you start protecting it. But the same way that Gen-AI is a big risk, Gen-AI will be great to fight those new risks that are created by the same technology.

Interesting. Thank you so much, Marco, for joining us. It's been great to be with you. This episode of Exchanges was recorded on Thursday, April 17th. I'm Alison Nathan. Thanks for listening.

Thank you.

is the property of the company to which it relates, is used here strictly for informational and identification purposes only, and is not used to imply any ownership or license rights between any such company and Goldman Sachs. The content of this program does not constitute a recommendation from any Goldman Sachs entity to the recipient,

Thank you.

which may vary. Neither Goldman Sachs nor any of its affiliates makes any representation or warranty, express or implied, as to the accuracy or completeness of the statements or any information contained in this program and any liability, therefore, including in respect of direct, indirect, or consequential loss or damage, is expressly disclaimed.