Security managers are asking pure-play vendors questions about their viability.
It was difficult to tell whether Art Coviello's tan was from the sun or whether he was just flush with cash. It was the dead of February in San Francisco and there was the leader of RSA Security telling attendees at his company's namesake conference that the standalone security market would be extinct by the end of the decade. "The value of security as a standalone solution is diminishing," he said from the keynote pulpit.
Almost immediately from more than one corner of the vast auditorium hall you could hear snickering: "Easy for you to say, Art, since you've just been acquired."
EMC's $2.1 billion acquisition of RSA in June 2006 epitomizes the type of consolidation in the security market that continues today. Security companies are attractive acquisition targets for large infrastructure players like EMC, which plans to integrate RSA's authentication and encryption capabilities horizontally across its storage and data management portfolio.
It's not a stretch to think Coviello may be correct about consolidation on some levels. With 700 companies scratching and clawing, sometimes in the smallest niche spaces, for every available dollar, there isn't room for all of them. Innovative standalone security vendors are turning into sitting ducks for bigger buyers. Will best-of-breed, point-solution protection eventually dissolve into a mashup of suites and services by the EMCs, IBMs, Microsofts and HPs of the world?
Some security managers hold out hope that isn't the case.
"A lot of the startups are venture-funded, and innovation is really with smaller companies," says Patrick A. Cote, information security officer for educational publisher Houghton Mifflin. "I think, the more mergers that happen, the more startups you'll see because the money is there; it's VC-backed. [Venture capital firms] have a better understanding of the marketplace than some of the big companies."
Big is the New Small
Security managers are often backed into precarious corners, sometimes by emerging threats but more often by their budgets. Information security isn't tangible; it's like buying insurance, CISOs are wont to say. Justifying new investments is difficult, and in the majority of cases, security managers are asked to do more with less.
"My expectation is if I spend the money on a product and it gets gobbled up by a larger company, the parent company would maintain the product and the client base long enough that the solution would still be viable," says Sander Silvera, security manager with a financial services organization. "If IBM purchases my vendor, for example, I'm hoping IBM doesn't have a competing product and it's gobbling up my vendor just so it doesn't compete with an internally grown product. If that happens, I don't know what to tell you."
Determining the long-term viability of a small security company, no matter how innovative and important its technology, is a make-or-break exercise for many organizations. Security technology isn't cheap, and if you've got an established relationship with a giant infrastructure provider that has scooped up a bevy of security assets in a flurry of M&As, you may be inclined to lean that way.
"They throw off a big shadow," Cote says of the bigger players. "Theirs is not always the best solution. One of the decision points is ease of deployment, and if you've got the infrastructure in place, it definitely influences your decision. I could definitely see situations where people would roll out less-than-perfect technologies on the assumption that the total deployment piece of the puzzle is that big and that compelling."
To that end, M&A has been A-OK with some vendors that make their bread primarily outside the security industry (see "Getting Into Security," PDF). EMC made a loud splash with its RSA pickup, and IBM continues to dive deeply into the security pool. In June, IBM acquired Web application security specialist Watchfire for an undisclosed amount. The Watchfire purchase came 10 months after Big Blue spent $1.3 billion on network security company Internet Security Systems. ISS will beef up IBM's services offerings, while Watchfire's AppScan technology is likely destined for inclusion in IBM's Rational development platform. HP, meanwhile, made what some are calling a reactionary move less than two weeks after the Watchfire announcement, when it bought Web app security firm SPI Dynamics, leaving just one major player in that important niche, Cenzic (see "Is Cenzic on Borrowed Time").
|Getting Into Security|
Traditional IT companies have been scooping up some big information security vendors in the last 15 months.
A sample of those acquisitions is available as a PDF.
|Is Cenzic on Borrowed Time?|
The standalone Web application security market has been pared to one.
Cenzic, essentially the remaining standalone Web application security company, says its position has never been stronger and assures its customers that it's not in play.
VP of marketing Mandeep Khera says HP's and IBM's respective acquisitions of SPI Dynamics and Watchfire validate the importance of Web application security, and that Cenzic will remain viable by pursuing partnerships with larger infrastructure vendors that could resell its products or offer them as services.
Cenzic products, unlike SPI and Watchfire, evaluate the security of applications already in production, Khera says, and not necessarily just those in development.
"We are determined to remain focused there; if we merged with a software development lifecycle or application lifecycle development vendor, that [evaluation] at the production cycle never takes place," Khera says.
One customer, David Escalante, director of IT security at Boston College, says he's sticking with Cenzic and doesn't let market pressures determine his organization's investments.
"The market can't sustain 700 companies pitching security products. So what do we do, wait for the market to shake out and not buy security products? We can't put ourselves in that situation," he says. "It's hopeless. We'll continue to make our investments. If we have a two-year ROI plan, and our vendor gets gobbled up three months after we make a purchase, we'll find a way to make the software work. We'll continue to use Cenzic and get good use out of it. If Cenzic gets gobbled up, we'll have to move on."
--MICHAEL S. MIMOSO
Cisco's security story is growing too. In January, it scooped up gateway security provider IronPort for $830 million, and recently announced it would integrate IronPort's reputational services into Cisco firewalls. Cisco also added XML security gateway company Reactivity to its ranks in February for $135 million. Symantec, meanwhile, has taken the opposite tack and gone from almost exclusively a security player to nearly a full-fledged infrastructure provider with a range of pickups, including storage leader Veritas (July 2005) and systems management firms Relicore (February 2006) and Altiris (January).
As Security Incite president and principal analyst Mike Rothman likes to say, "Big is the new small."
"Early on in the '90s, there was some cachet to being an early adopter and getting on board with an innovative technology. But after a while when companies were getting their teeth kicked in, they were left in a situation where they have to start thinking about whom to do business with," Rothman says. "The trend is toward consolidation and a broader solution set. But in no way, shape or form do I think there is no opportunity out there for new solutions, especially for environments with unique business requirements."
Security is a haven for best-of-breed. The bigger the company, the more likely it is to invest in best-of-breed security solutions for everything from desktop protection to network and application security. Very few vendors can secure a company across the board (see "Channel Surfing," p. 52), and standalone security vendors say those that promise to do so can't match the depth of a pure-play.
"Network security is still so complicated; it requires a lot of domain knowledge in certain areas like what we specialize in--threats and monitoring," says Trend Micro CEO Eva Chen. "This is a very narrow space, and so many new threats are happening, it requires constant investment in this area to build up that knowledge, not to mention if you're focused on storage and other things."
Standalone vendors bet on their ability to distinguish themselves through specialized products, support and attention to customers.
"Our customers, our partners look for companies focused on security, not companies selling something else and security," says Check Point founder and CEO Gil Shwed. "That's something our customers are worried about. They want to see someone independent."
Reality is sometimes a little harsher for security managers, who cannot afford to be so cut-and-dried.
"It depends," says Houghton Mifflin's Cote. "I don't do stuff in a vacuum."
Cote says his company's desktops are protected by an integrated McAfee solution that includes firewall, antivirus and antispyware protection. "That sort of technology has a lot of value," Cote says. "Suites work very well. It would be nice to have a single agent on the desktop that does everything from a security perspective. When you use different agents, performance, ease of use and distribution gets to be a pain."
The crowded security market may present more choices to buyers. But that overcrowding shouldn't always be confused with a glut of innovation, Rothman warns.
"What's hot and innovative? Not a hell of a lot," he says. "There are slightly different takes on solving the same problem. In some areas, like application security, they're just catching up. Look at what they've been doing relative to what's been done on the network; application security is three to four years behind. It's been a while since we've seen something really innovative. Look at NAC and leak prevention; those are just slightly different takes on what we've been doing for a long time. These companies and solutions are really features of a bigger solution set."
Some interpret this granularity as an indicator of a healthy market and viability for smaller players.
"Find a niche and exploit it; there's always a new technology popping up, some of which is unique enough where it doesn't make sense for major players to go nuts," says Burton Group analyst Pete Lindstrom. "If you've got a single product and you can derive more revenue, reach more people and cost less, you'll be more viable. The question of market consolidation depends on how predatory the big players are."
Secure Computing, a gateway security provider, has been around since 1984, went public in 1995, sells to some of the biggest financial services and government agencies in the world and in the last two years has reported almost $300 million in revenue.
"We are at a size where it's a valid question," says Atri Chatterjee, senior vice president of marketing. And it's a question some customers are asking pure-play security companies. Organizations want to protect their investments in security technologies, and are asking about exit strategies, what options they have with proprietary code (see "Exit Strategy," below), and what safeguards can be inserted into contracts. But just because the questions are being asked, doesn't mean you'll get answers of value.
|Exit Strategy|
Storing proprietary code in escrow is one option security organizations are baking into vendor contracts.
Among the topics your organization should broach with smaller security providers is source code escrow. With 700 security companies in the market, consolidation is inevitable, and one investment safeguard is an agreement between a customer, vendor and third-party escrow agent to hold the proprietary source code and release it to the customer if the vendor is acquired or goes bankrupt. An escrow deposit is only as good as its upkeep: the contract should spell out the release conditions, require the vendor to deposit each shipped version along with its build instructions, and give the customer the right to verify that the deposit actually builds.
"From a customer's perspective, if they buy a product from you and something happens where you're not around any more, they know they can get at the source code," says Arcot CTO Jim Reno. "They can hire a consulting agency, and at least get emergency support."
Security Incite president and principal analyst Mike Rothman urges companies not to rely solely on escrowing code.
"You don't want to be in a situation where your vendor goes belly-up; you don't want to start over," Rothman says. "Have somebody ready in your back pocket. The vultures will circle [in an acquisition or bankruptcy]."
--MICHAEL S. MIMOSO
"I could ask pointed questions, but I do not believe vendors would volunteer any information," Silvera says.
And if a vendor does offer your organization an answer, take it with a grain of salt.
"They're going to lie to you, simple as that. 'Are you going to be acquired? Not today,'" Rothman says. "The reality is, if anyone comes forward with a compelling offer, it's their fiscal responsibility to look at it. There's not a lot a user can do. It underscores the need for all companies to have a Plan B. There have been some situations where companies have gone away, and organizations are left in a world of hurt. If you're doing business with a startup, you need to plan if something goes amiss."
Secure Computing, like Check Point, Qualys, ArcSight and other security vendors that have risen near the top of their particular market segments, is attractive to bigger players looking to enhance or start a security business. Or such vendors could take another direction, as Check Point did last year, and try to acquire an up-and-comer like Sourcefire, with an entrenched technology like Snort and innovation on top of it like RNA.
Others like Arcot, for example, spend their time cultivating partnerships with bigger players in an attempt to become ubiquitous in other companies' products. Arcot's best example is the integration of its authentication product into Windows CardSpace, formerly InfoCard.
"If you pick up two or three players in a space, you have two or three offerings and two or three customer bases to manage. A lot of energy and attention goes into figuring out how to do that and whether you're going to maintain all of it," Arcot CTO Jim Reno says.
It's a busy space.
First it was GreenBorder, then Postini, then speculation. That's what happens when Google spends more than $650 million in the security market.
Will Google become a security vendor? Will it integrate its acquisitions into future Google offerings? Is there a bigger shoe still to fall? No one at Google is really saying, which is leading to a bevy of theories about the road map leading out of Mountain View, Calif.
Yankee Group analyst Andrew Jaquith says Google's goal is to make the operating system irrelevant via its hosted Web applications--a shot across not just Microsoft's bow. Google product manager Rajen Sheth implied on a company blog shortly following Google's $625 million pickup of Postini that enhanced security would make enterprises less hesitant to run Google's hosted office applications.
"On-demand applications are clearly where Google wants to stake its claim," Jaquith says, noting Google's current array of apps enables it to compete at the low end of the office market. "They will go up-market over time. I think they will also do the same in the security arena with message hygiene [Postini] and browser security [GreenBorder]."
More speculation: Google could get into antimalware with a Webroot-type acquisition--though Jaquith believes Webroot is "probably far too expensive." He also wouldn't rule out a security apps suite or appliance.
--MICHAEL S. MIMOSO
"If there are 700 security companies, 80 percent are doing less than $10 million in revenue. How viable is a company in the $15 million to $20 million niche? What happens if it goes out of business?" Chatterjee asks. "The beauty of it is, it's important to be in a space no one else is in and give companies the right solution. In security, organizations are still willing to take a chance; they don't want to mess with security. They'll buy from a small company as long as the solution is unique and solves a problem no one else solves."
That argument is not unlike that of other standalones. "Sometimes I refer to our strategy as the Starbucks strategy," Chen says. "We sell coffee. We sell very good coffee. We don't sell fried chicken or pizza."
Blinded by Size
Houghton Mifflin's Cote says security organizations have to be strategic about their investments and not necessarily flinch every time an IBM snaps up a security stalwart.
"If you come up with a better mousetrap, people pay; it's a function of the free market," Cote says, offering the example of the antispyware market, which was dominated by smaller security companies like PestPatrol, Webroot and even open source projects like Spybot Search & Destroy. "Bigger companies completely dropped the ball, and smaller companies, they were there. They were better products and were supported. You're going to continue to see that entrepreneurship. Big guys don't have that vision."
Big guys do have buying power, but even then, there's also a certain amount of leverage to be gained when your organization's pure-play vendor is acquired. Take the EMC-RSA purchase; customers with an existing EMC investment can wheel and deal with the infrastructure provider to add RSA security products to their environments; over time, those products could be integrated into existing EMC collaboration and document management products, for example.
"It's a function a standalone cannot provide," Rothman says. "For a company looking to consolidate vendors and simplify purchasing and management, they may be better served dealing with a bigger company."
Leverage is something that can be gained from a relationship with a smaller vendor as well.
"If the solution comes from a smaller company, that is fine with me," Silvera says. "Smaller companies are always interested in new sales, and go out of their way to work with you. Since they're smaller, we'd get a closer touch from them. At the same time, I will always be concerned a smaller player with a successful product might be absorbed by a larger organization and then we go right back to the question of the viability of smaller vendors."
Houghton Mifflin is a Qualys customer and relies on its software delivered as a service (SaaS) over the Web to manage network vulnerabilities. Qualys chairman and CEO Philippe Courtot says his company recognized the disintegration of network perimeters long ago and gambled on moving to the SaaS model. Rather than innovation in the technology itself, the change in the delivery mechanism is what helps maintain Qualys' viability as a pure-play.
Cote, meanwhile, doesn't expect the market to shrink; if a smaller vendor is bought, another will pop up like a weed to take its place. But that doesn't mean he's not watching his pure-play vendors, like Qualys.
"Qualys is something I've thought about. They've got a good reputation," he says. "Quite frankly it surprises me they have not been purchased."
Don't talk to Trend Micro CEO Eva Chen about infrastructure players being the great aggregators of technology. Her vision is skewed in another direction--one that enables companies like hers to maintain their viability as a standalone provider of security technology.
"The user sees the whole network as one solution, but no one vendor can provide for the whole network," Chen says. "Although we say security should be inside the network, the network includes the ISP, routers, switches, OSes, applications and security. No vendor can provide all those. The only one who can aggregate that for the end user is the VAR."
Chen sees a new channel that unites once separate hardware and software providers.
"They used to be separate resellers, now one is emerging. Network and application providers are merging," Chen says. "Some customers want best-of-breed solutions, so for a pure-play like Trend Micro, it's important for us to be ahead of our domain, and second, our technology and offerings need to be customizable and easy for integrators to integrate into the network."
--MICHAEL S. MIMOSO