Caught out and now carved off, Symantec's enterprise security unit lands at Broadcom

August 9 2019
by Brenon Daly, Scott Crawford, Fernando Montenegro, Garrett Bekker


What began last summer as a head-scratching novelty has now become a consistent strategy at chipmaker-turned-software vendor Broadcom. A year after the semiconductor giant inked the second-largest software acquisition in history, Broadcom has made a big splash in information security (infosec), paying $10.7bn for the enterprise security business of industry giant Symantec. Although the transaction is 'just' an asset purchase, it nonetheless stands as the largest infosec deal in history, according to 451 Research's M&A KnowledgeBase.

The most-significant portion of Symantec falling into the portfolio of a financially minded consolidator comes after a prolonged slump at Big Yellow, which has served – not entirely fairly – as a company caught on the wrong side of disruption. As one indicator, consider that its stock price has basically been stuck in place for the past half-decade. During that same period, other business-focused security providers have emerged and created somewhere in the neighborhood of $100bn of value – or 10x the terminal value of Symantec's enterprise business – in both the public and private sectors.

Recent survey results from 451 Research's Information Security, Workloads & Key Projects go some distance toward putting some numbers on the phenomenon of technology disruption. Symantec is the most-cited firm when survey respondents are asked to identify their organization's current primary endpoint security vendor. The list of providers under consideration for new endpoint security deployments includes long-term incumbents like Symantec, but alongside 'next-generation' players are large businesses historically better known for their network security offerings, as well as a major OS supplier. In other words, Symantec faces stiffer competition in the core security technology segment that it is best known for among virtually every CISO and security-minded IT person.

Snapshot




Symantec (enterprise security unit)
Enterprise security
Deal value: $10.7bn in cash
Date announced: August 9, 2019
Closing date, expected: Before the end of 2019
Barclays Capital, Citigroup Global Markets, RBC Capital Markets, BMO Capital Markets and Morgan Stanley (Broadcom); Goldman Sachs (Symantec)

The 451 Take

In some ways, this transaction represents a return to its roots for Symantec. During the PC era, the company was riding high, with its yellow boxes of Norton antivirus packing the shelves at computer retailers. Times have changed since then, and Symantec has tried several different adaptions to maintain its status as the industry's largest stand-alone vendor. Today, the company's enterprise business is confronted with what Clayton Christensen so aptly described as the 'innovator's dilemma' – whether to gamble on where the industry is headed at risk of jeopardizing growth built on the past, or continue to build on a successful legacy at risk of missing the boat to the future.
In this deal, Broadcom is functioning less as a strategic product provider and more as a financial investor: this isn't in the slightest a product-synergy move. Rather, Broadcom sees Symantec's struggles in a growth market as an opportunity to optimize returns on an underperforming asset. But reducing costs and improving sales are only the tactical part of the challenge. Strategically, the Symantec of tomorrow will have to make hard choices to embrace, on the one hand, a future defined by cloud and cloud-native technologies, and on the other, the demands of far-flung yet highly available networks of an increasingly diverse – and 'smart' – Internet of Things (IoT).

Deal details

According to terms, Broadcom will pay $10.7bn in cash for Symantec's enterprise security business, as well as the brand name itself. (The remaining consumer division, which currently doesn't have a full-time CEO, includes the Norton and LifeLock brands.) Proceeds from the sale, which are expected to total $8.2bn after taxes, are earmarked for dividends and share repurchases. The transaction is slated to close before the end of the year. Broadcom's massive bet on Symantec basically equals a full year's worth of M&A spending for the entire infosec market. A relatively small, single-digit percentage of the overall tech M&A sector, infosec is easily skewed by one or two large deals in any given year. The M&A KnowledgeBase shows that annual spending across the infosec space over the past two decades has ranged widely from $2bn to $28bn, depending on blockbuster acquisitions.

Deal valuation

By virtually any measure, Broadcom is paying up for Symantec's castoff business. Divestitures, particularly those involving low- or no-growth businesses, invariably garner a discount to broad-market M&A multiples. Depending on the market segment and the assets, divestitures often get done at 1-2x sales, or half the prevailing prices of outright purchases.

Largest infosec acquisitions

Date announced | | | Deal value
August 9, 2019 | Broadcom [fka Avago Technologies] | Symantec (enterprise security unit) |
August 19, 2010 | | |
December 17, 2017 | Thales Group | |
June 12, 2016 | | Blue Coat Systems |
February 9, 2004 | Juniper Networks | NetScreen Technologies |

451 Research's M&A KnowledgeBase

At a price of more than $10bn, Broadcom is valuing the enterprise security assets at 4.5x sales. (In the most-recent fiscal year, Symantec's enterprise group posted sales of $2.4bn. That level hasn't really changed in three years.) That's even slightly richer than the 4.3x that Broadcom paid in its landmark acquisition last summer of CA Technologies.

Impact: secure web gateway

The core business of the former Blue Coat forms the nucleus of Symantec's secure web gateway line. This proxy-based approach continues to be a centerpiece of Big Yellow's strategy for protecting enterprises from threats arising from cloud and web applications, social media, and a variety of web-borne content. It is also the centerpiece of the company's competitive strategy against next-generation firewall (NGFW) vendors such as Palo Alto Networks. An advantage of a proxy is that it can inspect and log traffic where an NGFW, for example, may adopt a more rules-based approach or take a performance hit for tasks such as content inspection. Proxies also support the addition of security services to web traffic such as data-loss prevention (DLP), sandboxing and risky content isolation. Palo Alto, however, is an example of a rival that has seriously challenged Symantec for the future of enterprise security, having built on its NGFW foundation to target more forward-looking security spending via purchases that emphasize cloud and cloud-native assets.

Impact: email security

Email has long been a pillar of Symantec's portfolio, dating back to its acquisitions of Brightmail in 2004 and hosted email security provider MessageLabs in 2008. Today, Symantec's email strategy embraces on-premises as well as hosted email included with Microsoft Office 365 and Google G Suite. Filtering and analytics supported by global insight combine with more recent additions to the company's portfolio such as DLP, sandboxing, content isolation and link protection. Email-fraud defense includes sender authentication techniques such as DMARC and DKIM. Anti-phishing and user-awareness offerings further support email security, while desktop and gateway email encryption are part of Symantec's larger encryption portfolio that includes endpoint and file encryption as well as 'information-centric' encryption that complements DLP.

Impact: endpoint security

Symantec has long been one of the key players in the endpoint security arena: it has expanded its set of capabilities over the years, starting with what is now called traditional signature-based antivirus and then constantly adding a barrage of features – including, but not limited to, endpoint detection and response, anti-exploit, anti-ransomware, application isolation, and more – across a variety of environments such as Windows, Mac, Linux, mobile and IoT. The company's product portfolio for endpoint security alone – independent of its consumer-based offerings – now includes approximately 20 different products, led by Symantec Endpoint Protection. Looking at response data from 451 Research's VotE program, Symantec is cited most frequently in questions around endpoint security incumbency. With such a presence also comes competition: other vendors in this space frequently target Symantec's installed base, looking to use its strong brand recognition as a key antivirus provider in years past as a handicap in a more modern environment. Big Yellow has made significant updates to its offering over the years but, as with other firms with large installed bases, it often has to spend significant resources helping that installed base update to newer versions. Moving forward, we expect Symantec to continue to provide endpoint as a key offering. We anticipate technology improvements around streamlining its offerings and, given the separation from the consumer business and all of the telemetry data that this business supplied, a strong focus on better integration with the rest of its enterprise portfolio.

Impact: cloud security

Symantec's offering for securing cloud-based infrastructure is centered around its Cloud Workload Protection (CWP) product. The company also recently released Cloud Workload Assurance, which is an additional component for managing cloud security posture. These products are available from the cloud supplier marketplaces and are aimed at AWS and Microsoft Azure environments, although CWP also supports Google Cloud Platform. Additionally, both products can integrate with Symantec's other cloud-centric offering, CloudSOC CASB, which is aimed at protecting access to SaaS-based resources that a customer may consume. Given the increased adoption of cloud-based workloads and rivalry from both established and niche security vendors, we expect a more enterprise-focused Symantec to be more aggressive in this space in the future.

Impact: data security

Symantec remains a key player in the data security segment, and its Information Protection unit includes DLP, MFA (VIP), encryption, DRM, UEBA and compliance. The company's market-leading DLP business remains the crown jewel of this sector, and was reportedly generating about $400m in annual sales, competing mainly with the likes of Forcepoint, McAfee and Digital Guardian. As noted, recent development efforts had centered around extending its DLP footprint to the cloud, as well as the development of Information Centric Encryption, which leverages classification and DRM from its Watchful Software buy to offer more accurate use of encryption. Recent efforts have involved integrating DLP with Big Yellow's CASB and endpoint security.

Competition and outlook

After months of wrangling, Broadcom is obtaining a sprawling but struggling enterprise security behemoth that spans much of the infosec landscape, including endpoint security, cloud security, email security, secure web gateways (SWGs) and data security. As arguably the largest enterprise security player in terms of product breadth, Symantec effectively competes with a sizable swath of the nearly 3,000 vendors that specialize in infosec. However, in its core markets, Big Yellow vies with the likes of McAfee, Sophos, Trend Micro, Kaspersky Lab, Webroot and others, as well as newer entrants like Carbon Black, CrowdStrike, etc. On the data security side, Symantec mainly encounters Forcepoint, McAfee and Digital Guardian, as well as smaller firms like GTB Technologies, CoSoSys and Code42. Via the Watchful Software buy, it could compete with data access governance providers like Microsoft (Azure Information Protection), Varonis and STEALTHbits. In terms of cloud security, Big Yellow will contend with offerings from the likes of Palo Alto, Netskope, Bitglass, Cisco, Forcepoint, CensorNet and Managed Methods. The SWG market includes vendors such as Zscaler, Fortinet, Forcepoint, Cisco, McAfee and Barracuda. And in the email security space, Symantec will likely encounter the same list, in addition to Clearswift, Mimecast and Proofpoint, among others.