Breaking News Q&A: What Cisco’s $28 billion buyout of Splunk foretells about cybersecurity

By Byron V. Acohido

There’s a tiny bit more to Cisco’s acquisition of Splunk than just a lumbering hardware giant striving to secure a firmer foothold in the software business.

Related: Why ‘observability’ is rising to the fore

Cisco CEO Chuck Robbins has laid down a $28 billion bet that he'll be able to overcome the challenges Cisco is facing as its networking equipment business slows, beset by supply chain issues and reduced demand post-Covid-19.

As a leading supplier of advanced security information and event management (SIEM) technology, Splunk happens to find itself in the thick of a tectonic shift. Network security is getting reconstituted. A new tier of overlapping, interoperable, highly automated security platforms is rapidly taking shape. In this milieu, SIEM systems have emerged as the telemetry ingestion engine of choice, helping companies work out how to effectively monitor, and securely manage, hyper-connected software.

Last Watchdog engaged Forrester Principal Analyst Allie Mellen in a discussion about the cybersecurity angle of the Cisco-Splunk merger. Here’s the exchange, edited for clarity and length:

LW: Why are XDR vendors hustling to add SIEM or a SIEM-alternative to their portfolios?

Mellen: As XDR matures, customers are introducing more telemetry for detection into it. Because of this, there’s more data being stored in multiple places: XDR and SIEM. Security teams are always looking for ways to cut SIEM costs and consolidate data access, and so naturally, they look to XDR to provide that alternative. XDR vendors have started to provide SIEM-alternatives through log management so that organizations can continue to store the data they need while getting the benefits of quality of detection and response that XDR brings.

LW: Will this acquisition help Cisco compete in this space?

Mellen: Splunk is one of the most ubiquitous and most frequently used security tools in enterprises today. The platform has consistently been named a Leader in the Forrester Wave™ evaluation on security analytics platforms for its flexibility and vast capabilities for alerting and compliance.

Splunk also has an incredibly loyal set of users, which, more than anything else, serve as a fanbase for the brand. Security leaders struggle, however, with Splunk's lack of innovation over the past several years and how costly the offering can become.

Even the addition of alternative pricing models has done little to change that. These factors add up to, overall, this acquisition being a massive win for Cisco’s security business. This acquisition positions Cisco to have both sides of the coin — detection and response focus in XDR with Cisco XDR, and flexibility and adaptability in a security analytics platform with Splunk.

LW: You've asserted that this deal is a boon for Microsoft. How so?

Mellen: Splunk customers will be drawn to explore alternatives because of the uncertainty of the acquisition, and we expect to see experimental deployments of other smaller security analytics players as backup. This will also be a boon for Microsoft Sentinel.

Microsoft is the biggest SIEM competitor to Splunk right now, and Splunk customers will flock to or expand their Sentinel deployments as they hedge their bets between where Cisco takes Splunk and where Microsoft takes Sentinel.

LW: Are any Splunk customers losing sleep about what happens next?

Mellen: Security leaders know that Cisco has long been a case study for acquisitions that don't live up to their initial promise and suffer from underinvestment and a lack of focus. In fact, since this was announced, many have shown concern that this pairing will affect the SIEM in the long term. That said, in recent years Cisco has maintained their Duo acquisition. To keep Splunk's massive, loyal user base, Cisco needs to follow a similar model and let Splunk deliver what Splunk does best: a flexible, powerful SIEM offering.

LW: What does this signal about what a de facto security platform will look like 5 to 10 years from now?

Mellen: Consolidation drivers are cyclical; there's an effort to consolidate, especially during times of financial hardship, which leads to cost savings for end users and fewer third parties to manage. However, it also often leads to innovation stagnation and vendor lock-in. Once these cons set in and the financial situation improves, users divert to best-of-breed offerings for their flexibility and quality, and the cycle starts over again. We will continue to see consolidation in these markets as the largest vendors look to offer the biggest and best portfolio.

LW: Where are we today on that curve?

Mellen: It's happening constantly and we expect it will continue. As new technologies emerge and are validated by the market, new acquisitions are made and the portfolios become even larger.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
