Today, Cisco announced that it has acquired Ann Arbor, Michigan/California-based Duo Security for $2.35 billion in cash. Founded in 2010, Duo Security has been growing rapidly over the last few years with its multifactor authentication (MFA) offering and has raised over $120 million in venture financing to date. Based on Forrester’s estimates of Duo Security’s annual revenue, this acquisition price is more than a 20X revenue multiple, which is considerably higher than most other SaaS company revenue multiples.
This acquisition reflects the growing need and requirement for MFA to replace dated password policies that can be compromised for data exfiltration. The stated intention behind the merger is to meld the Duo Security platform with Cisco ISE (Identity Services Engine) to deliver cloud-based access control.
These are my main takeaways from the Cisco/Duo merger:
- Strong authentication matters more than ever. Phishing remains one of the common successful threat vectors; this is clear in industry surveys and from individual Forrester inquiries. MFA solutions are a very effective way to mitigate this risk. And despite the maturity of the MFA market, many organizations have still not deployed MFA. This explains Duo’s strong growth rate and growing customer base.
- The deal is about customers and higher revenue growth, not technology. MFA solutions have existed in the market for 20-plus years. While the market has evolved from the traditional single-purpose dedicated hardware tokens to embedded apps in mobile devices, the ability to generate one-time codes for authentication have existed for a long time. Many platform vendors like Microsoft (PhoneFactor) and Salesforce (Toopher) acquired MFA technologies many years ago or else built it themselves (IDaaS vendors such as Okta and Centrify). While the Cisco acquisition brings MFA capabilities into the Cisco fold, the maturity of MFA technologies and the high purchase price suggests this deal is more about getting access to Duo high revenue subscription growth and Duo’s 10,000+ customers to upsell them on Cisco’s broader network and cloud security portfolio.
- Secure cloud access is emerging as the next security battleground. While cloud security gateways and IDaaS offerings are experiencing high growth rates, these solutions have focused on primarily on capabilities such as shadow IT detection and cloud SSO with MFA not always being core to the solution. The Cisco/Duo deal, following on previous Cisco acquisitions such as Cloud Security Gateway vendor CloudLock suggest the long term direction is about solutions that can manage access policy to cloud apps, secure the network connection to the cloud, and provide MFA for cloud workloads. This could lead other larger cloud or network security vendors to follow similar strategies.
- Deal is a win for Zero Trust eXtended (ZTX) Principles. This deal, along with Okta’s acquisition of ScaleFT last month are a validation of Forrester’s ZTX Principles. Zero Trust and ZTX require that organizations have insight, analytics, and control of disparate assets across the organization. This is only achievable with the use of next-generation technologies that are included in the ZTX framework. Forrester launched ZTX for exactly this type of thing (to drive integrations and acquisitions and for the industry to move along the lines of our forward looking Zero Trust work). Two large acquisitions in less than a month reflect the growing vendor and enterprise interest in ZTX principles (and vendor solutions that support them).
- The success of the acquisition will depend on corporate culture and ecosystem integration. While Cisco has a long track record of acquisitions in IT security, this is one of its first in a core IAM capability. Forrester expects that the success of Cisco’s acquisition will hinge on the following factors:
- How well can Cisco integrate its existing Cloud Security and ISE platforms with Duo?
- How well can Cisco maintain Duo’s existing integrations with vendors in ways that support the continued the growth of the Duo MFA business without increasing competitive pressures?
Special thanks to our resident Zero Trust maven Chase Cunningham for his input on this blog