Where do you turn when the security vendor you've banked on gets gobbled up?
After a few installation hiccups, the firewall worked beautifully. Jeff Pentz and his IT staff with the University Health Center at the University of Georgia were pleased with their purchase. All was right with the world. That is, until another company acquired their firewall vendor.
When Pentz's team ran into problems deploying the firewall vendor's VPN software and called for support, they encountered a company in the flux of a merger. What he thought would be a simple two-day fix became a futile exchange of e-mails and phone calls with an ever-changing parade of engineers and managers over several weeks.
"It was a nightmare for us," says Pentz, the center's associate IT director.
Pentz is not alone. A crush of consolidation--more than 40 security firms have been acquired in the past four years--has caused users a number of headaches, including service, support and sometimes even obsolete technology. And there's no end in sight. Morgan Stanley reports that the pace of mergers and acquisitions in IT security will accelerate this year--an inescapable consequence in a market that's simply not big enough to accommodate all its players.
With all the mergers and acquisitions happening in the information security market, buyers have good reason to wonder if their vendor will be around tomorrow.
Even fairly established security players, such as NetScreen Technologies and Sybari Software, have been gobbled up by larger companies. In a span of just three weeks last November, four companies were swallowed by bigger fish: Teros by Citrix Systems; V-Secure Technologies by Radware; Trustgenix by Hewlett-Packard; and Cyota by RSA Security. In the surge of consolidation, some market segments have been absorbed almost entirely. Web access management providers Netegrity, Oblix and Securant were all acquired by larger vendors (CA, Oracle and RSA Security, respectively). The managed security space is another where acquisitions have left few pure-play providers.
But while vendors wheel and deal, where does all this consolidation leave the user? It can spell trouble, as in Pentz's case. However, an acquisition--done correctly--can make a security manager's life easier by providing integrated technology that is less complicated to manage and cheaper.
In their shopping frenzy, vendors "are trying to develop portfolios that are as comprehensive as possible to get a bigger slice of a company's security budget," says Brian Schwartz, technology specialist at IT solution provider CDW. "Sometimes that can work out well for a customer, and sometimes not."
Less Is More
For CIGNA, consolidation in the security market brings a lot of benefits. A successful acquisition can offer technology integration, which reduces the number of security products the health insurer has to manage and streamlines maintenance, says Michael McKenna, assistant vice president of engineering and standards for CIGNA's information protection department. "That lowers our TCO for security," he says.
Dealing with fewer vendors is easier, especially if those vendors are big technology firms like Symantec, Microsoft or Cisco Systems--all three have been busy security shoppers, particularly Symantec, with a dozen purchases in six years. "We have a lot more leverage with those companies," McKenna says. "We're not just buying $30,000 worth of products from them. We're buying a lot more. And when we have issues, we can call and get action."
Other security executives cite product integration and fewer vendors to deal with as key benefits of consolidation.
"I prefer working with fewer vendors," says Joseph Granneman, manager of networking and data security at Rockford Health System, a health care provider based in Rockford, Ill. "You just don't have enough staff to be an expert on everything. You have to standardize some things."
Standardizing and reducing the number of security products in an organization--without sacrificing a defense-in-depth approach--minimizes configuration errors that can lead to a breach, Granneman adds.
Consolidation also provides interoperability, saving a user the time and pain of having to figure out how to get products to work together, says Kevin Dickey, CISO for Contra Costa County in northern California. "Eventually what happens is the industry starts to flesh out the best-of-breed."
Prices go down, and it takes fewer calls to get problems resolved with fewer vendors, he adds.
Douglas Brown, manager of security resources at the University of North Carolina at Chapel Hill, agrees that an acquisition can mean better pricing.
"The standalone, 50-person startups have a very high price point on their product because they've got bills to pay and they're trying to keep their heads above water," he says. "But when the acquisition goes through, that product is rolled into a space with a lot of other products. All of the sudden, there's a lot more wiggle room for the sales folks to work with you on pricing."
Sure, integrated technology and lower costs sound like good deals, but consolidation can have its definite downsides for the security buyer.
First off, that integration may take a while--sometimes years--leaving users in limbo. And once it happens, it's no sure bet that it will mean better technology.
"Consolidation can bring value to security buyers as more and more security functions are managed from a single point, but the consolidated management can come at the cost of solution effectiveness," Brown says.
Certain security functions, such as IPS, require best-of-breed technology, he says: "If it's not the best solution, it could be very damaging to your network. It could do more harm than good."
Second, support can take a hit after an acquisition, as in Pentz's case. The personal touch a small company can offer may be lost.
"If you're working with a small company, there are a handful of people you can get in touch with and have the problem solved, and not have to worry about a bunch of red tape or levels of bureaucracy," Brown says. "With the big guys, it's possible to build those sorts of relationships but it's certainly more difficult."
Even if support issues eventually are ironed out, there is always a period of uncertainty and downtime after a merger when a user has to learn how the new company operates and figure out who to call for service, Dickey says.
Acquisitions by strategic partners also can complicate relationships. A few years ago, McKenna says, CIGNA chose BMC for a provisioning solution, but its strategic partner IBM bought identity management software firm Access360. Now, CIGNA is migrating off of the BMC product to IBM's.
In contrast, Symantec's acquisition of Sygate Technologies is a "great marriage" for CIGNA since the company already worked closely with Sygate, McKenna says.
But other times, an acquisition can leave a customer with obsolete technology when a vendor decides to drop a product it acquires. For example, after buying Sygate, Symantec last fall decided to discontinue the Sygate Personal Firewall and Personal Firewall Pro products and gave users of the consumer firewalls discounts on replacement Symantec products.
Earlier last year, F5 Networks bought the intellectual property and patents for Watchfire's AppShield Web application firewall, and then worked with Watchfire to transition AppShield customers to its own application firewall, TrafficShield. Watchfire had acquired AppShield when it bought Sanctum in 2004. Andrew Stern, F5 director of security product marketing, says it's inaccurate to say F5 discontinued AppShield because the company was never in the AppShield business.
How To Cope
So how does a security buyer deal with a market that's in constant flux? How do you know if that startup with the innovative product will be around tomorrow?
You can't know, says David Escalante, director of computer policy and security at Boston College. "It's like gambling. You can't predict when you buy one of these things if it [the startup] will go out of business, or get bought by a bigger company that decides the product isn't strategic and just drops it."
His solution is to never buy technology unless it will provide ROI in less than two years: "Our tendency is to point out to people that we don't think the product will last so long, therefore they have to give us a better price."
CIGNA also takes a short-term approach with some small startups. If one of its strategic partners doesn't provide a solution for a particular problem, CIGNA will deploy a specific product on a limited basis to address the problem.
"When we look at a tactical product, we look at a lifespan of one to two years," McKenna says.
Other security managers share that outlook, says Paul Klahn, director of consulting services at FishNet Security. These days, customers are inclined to ask a vendor right off the bat whether it's going to be bought. "There's not a lot of expectation anymore that these products will be around a long time," he says.
Wary of losing support or other changes that might accompany an acquisition, some customers are turning to VARs (value-added resellers) like FishNet to provide consistency. In the event a vendor is sold, a customer still knows that there is someone they can call for support, Klahn says.
As always, before a purchase a security buyer should try to find out as much as possible about the supplier.
"We really try to look for the best solution that's available," UNC's Brown says. "If it's a startup, we do as much due diligence as we can. We try to protect ourselves, but we're going to get the best solution out there, be it from a startup or a big guy."
After his bad experience, Pentz says he's more likely to check references supplied by the vendor and found elsewhere. He'll also research online the vendor's support quality. He even tries to find out if a company is on the block and whether the potential buyer's customers are happy, and advises others to do the same.
And when a vendor is acquired, users need to ask the buyer a lot of questions about support and plans for the acquired technology, says Amrit Williams, analyst at market-research firm Gartner.
But the best solution for security buyers faced with a changing market is interoperability, says CIGNA's McKenna.
"If we had interoperability across the industry, then it becomes vendor independent. We're seeing some of that with federated identity," he says. "It doesn't matter what product you buy, they all work with each other. We just need more of that across the whole security market. That's more customer protection than anything."
Easing the Transition
Whether an acquisition winds up painful for the customer or proves beneficial depends on many factors. In general, it's easier for a vendor to acquire a smaller company than a more substantial vendor with a lot of employees and widespread distribution, says Jon Oltsik, senior analyst at market-research firm Enterprise Strategy Group. He cites Symantec and Cisco as having perfected the way to buy and integrate smaller companies.
Richard Palmer, vice president and general manager of Cisco's security technology group, says the company's strategy--with the exception of its recent purchase of set-top box maker Scientific Atlanta--is to buy relatively small companies with established products in the market that can be quickly integrated into Cisco's offerings.
"We try to pick companies that we don't have to dramatically change their strategy and technology roadmap," he says.
Cisco has developed a system for preparing its employees and channel partners to support products that come into the company's portfolio via an acquisition. "Since we've done quite a bit of acquisitions, we have a fairly well established set of things that need to be done," Palmer says.
Symantec has a team dedicated to integration of its acquired companies and a framework to analyze the acquired company's customer base, including routes to market, customer support requirements and customer overlap, according to James Socas, senior vice president of corporate development at Symantec.
"Our goal is to have continuity in customer support and to work in partnership with our acquired customers and the acquired sales team to make the transition smooth," he says.
Key for Symantec in offering integrated solutions is to retain the people who built the companies it acquires--more than 60 percent of Symantec employees have joined the company through acquisitions. This focus allows the company to retain best-of-breed expertise within a broader corporate offering, Socas says.
"If you have something that no one else has, it takes that issue off the table," says Paul Paget, CEO of Core Security Technologies, a supplier of network penetration testing software. "It doesn't go away entirely, but if you have a solution that solves a real problem on the part of the customer, and does it in a fairly immediate fashion, all the long-term arguments go away."
Breach Security CEO Marc Shinbrood says he emphasizes the standalone value of his firm's Web application security technology, which can be integrated with a variety of network devices.
"Because it is standalone, it will be valuable to an acquiring company and they won't get rid of it right away," he says. "Therefore, it will still have value to the customer and they won't be hurt by installing our product."
To be sure, the security market will continue to consolidate, leaving buyers to navigate a changing landscape. However, security professionals and industry experts are split as to what degree it will shrink. "I don't see why security is any different from any other industry. The day will come when we have maybe one or two or three significant players in the space," says Liberty Mutual CISO Scott Blake. "That's the nature of capitalism."
But others say there still is plenty of room for new companies that come up with solutions to the evolving problem of security. "There are so many different areas [in security] that there will be new companies popping up all the time," CDW's Schwartz says.
"There will be innovation in security for a long time to come. ...There are a lot of problems that need to be solved," Enterprise Strategy's Oltsik says.
Whatever shape the market takes, security buyers like University Health Center's Pentz will do their due diligence and hope their vendor choices today don't leave them in the lurch tomorrow.