In the middle of the last decade, SPI Dynamics was among the darlings of the security startup world. They had cool technology in a burgeoning segment of the security industry. The company’s profile was growing from modest beginnings (16 people, including three co-founders and a handful of engineers in an office behind a strip club near Georgia Tech University) to eventually more than 150 people.
Investors loved the little Web app security company that could. Four rounds of funding helped the company’s engineers develop products such as Web app pen-testing tool WebInspect, which were solving real-world security dilemmas. Revenue was doubling, literally, every quarter. The good times were rolling; the company still maintained that informal, startup feel too, and innovation was still the priority despite the increasing focus on business and shareholder satisfaction.
“We were going through growing pains adjusting to being a bigger company and culture; it was crazy during our peak,” says Caleb Sima, one of the co-founders. Sima saw the handwriting on the wall; despite solid revenue, they needed more resources to hit their absolute peak and double, maybe quadruple, their business. “We had to decide: Stay small, or explode to a large company?”
The “For Sale” sign may never have been formally hung on the door, but acquisition was inevitable. This was the heyday of consolidation in the security industry. Not only were pure-play security
Very few startups sell to have their stuff fall off the face of the planet. Developers and execs alike have an emotional attachment to the technology and the culture that helped build it. To have it spiral into the black hole of some corporate abyss was sacrilege. But Sima says that’s what happened to SPI Dynamics for a period of time after it was acquired by HP in June 2007 for an undisclosed sum. Same story for Internet Security Systems (ISS) after IBM paid $1.3 billion for it in 2006. In fact, it became IT security’s version of a drinking game to ask, “Whatever happened to ISS?”
Today, information security market consolidation continues at a rapid clip, with large infrastructure companies like IBM active players. While some say consolidation hurts innovation and customer service, others – particularly the IT giants – say in the long run, it promises better integration, more insight into an enterprise’s security posture and, ultimately, improved risk management. Fewer point products for security managers to deal with, fewer headaches. But is that really the case? What have companies like IBM, HP and EMC done with their security acquisitions?
SPOTTY TRACK RECORD
So far, the record’s been mixed, says Khalid Kark, vice president and research director at Forrester Research. A few years ago, Forrester predicted security would become a function of larger IT infrastructure management. “This was almost inevitable,” Kark says.
“In terms of the technology, a lot of these capabilities [from the acquired companies] still aren’t well integrated into the existing management or infrastructure capabilities that these companies have,” he says.
Oftentimes, acquisitions can hurt innovation and also translate to prices that are equal or even higher than before, leaving the end user with just one benefit: technology that has the backing of a big company. “IT buyers who want to play it safe and rely on a well-established, financially secure vendor are able to get that,” Kark says.
Amrit Williams, a former Gartner analyst and CTO at configuration and vulnerability management company BigFix before IBM bought it last summer, says large IT vendors historically haven’t done a good job at integrating security with their operational technologies, but are improving the way they handle security. In previous years, security at both IBM and HP was run by the brand, he says: “It was hard to find a single voice or strategy for security that spanned the brand and ensured the type of integration that would provide value to customers.”
But IBM and HP have made organizational changes so security spans their brands and EMC made RSA its own division, Williams says: “You’re seeing the large vendors recognizing the importance of security and not bury it in the brand.”
BIG BLUE CHARGES INTO SECURITY
At IBM, security has become a big business that’s core to the company’s overarching “Smarter Planet” strategy of making systems more interconnected and intelligent, says Marc van Zadelhoff, director of strategy for IBM Security Solutions.
To that end, IBM launched its security solutions group in March 2010 to give customers one place to access all of its security products and services and has made 11 acquisitions in security since 2006. Those acquisitions are driven by the IBM security framework, which outlines key risk areas organizations face, van Zadelhoff says. For example, IBM’s acquisition of BigFix was driven by the increased risk mobile devices and disparate endpoints pose to enterprises. “That company gets into a core part of our strategy, which is this whole interconnected planet and being able to manage the security on all these devices,” van Zadelhoff says.
Since 2000, IBM has acquired more than 100 companies. “We’re very good at that. We’re good at retaining key people and integrating them into the IBM fabric,” says van Zadelhoff, a former executive at Consul Risk Management, which was bought by IBM in 2007. He previously was on IBM’s security M&A team. “I would argue that a bunch of other companies aren’t as good at integration or the innovation side,” he says.
He defends IBM’s handling of its acquisitions of ISS [See p. XX], which was initially put in IBM’s services group -- a move that critics say led to the ISS intrusion detection technology falling behind in the market. About a year ago, IBM moved the ISS products into its software group.
“There are phases in any company. We made the right move to keep the company together and allow the teams to collaborate until we had the integrations completed,” van Zadelhoff says. IBM’s acquisition of ISS opened up career paths for ISS service engineers, and also led to the development of IBM’s virtual server security product, he adds. “An acquisition needs to be supported by a strong integration philosophy, then by the acquiring company’s innovation that can drive and complement these technologies.”
In February, IBM released Tivoli Endpoint Manager, what the company calls its “blue wash” of BigFix technology with new capabilities. van Zadelhoff says IBM is working to extend BigFix to mobile device management and showed off prototypes at the RSA Conference earlier this year. IBM also released a blue wash version of Guardium’s database security technology, InfoSphere Guardium 8, about a year after it acquired Guardium.
Analytics is becoming increasingly important in enterprise security in order to detect security threats, he says. “Companies have bought every security product in the world and still don’t know if they have an advanced persistent threat.” IBM is integrating technology from many of its acquisitions, such as Guardium, Consul and data analytics company Cognos, with its own capabilities and producing prototypes of advanced analytics that can troll through terabytes of data to uncover threats.
HP’S SECURITY PLAY
Like IBM, HP views security as key to its broader strategy. Last fall, HP unveiled its strategy for providing tools and services, including security, to help companies address the growing use of mobile and cloud computing technologies by enabling an “Instant-On Enterprise.” The company’s security acquisitions – including intrusion detection vendor TippingPoint, SIM supplier ArcSight and application security company Fortify Software -- were intended to build security into the fabric of the network, reduce risks, and help customers detect threats early, says Rick Caccia, vice president of product marketing of HP ArcSight.
HP is developing a security intelligence and risk management framework that integrates its acquired security technologies with some of its traditional capabilities in IT operations and applications management. “We think if we tie all that together we have a strong ability to understand who’s on the network, what applications are there, where vulnerabilities might exist, and monitor to reduce risk in the business,” Caccia says.
Core to the framework is the ArcSight SIM technology. Since HP acquired the SIM vendor last fall, it’s been working to integrate the ArcSight log management product with its system management technology. That integration gives customers better context for network events, Caccia says.
HP also has been working to integrate the static code analysis capabilities it acquired when it bought Fortify Software last September with the dynamic testing capabilities from its SPI Dynamics deal. In April, the company released a hybrid analysis product, which Subbu Iyer, senior director of products and application lifecycle management at HP Software, describes as an “industry first.” Fortify, like ArcSight, is run as a standalone business within HP. It’s headed by former Fortify CEO John Jack, and combines the R&D teams of Fortify and SPI.
Iyer says the rationale behind Mercury Interactive handling the SPI deal was to add security to Mercury’s application performance testing, but he adds that HP could have done some things differently with the acquisition. [See page XX]
“We learned a lesson. That’s why we’ve been very intentional in the way we have worked with Fortify and ArcSight,” he says. “We’ve not rushed to functionalize these organizations. We’ve made sure they run as independently as possible and sell to the core security buyer.”
Caccia sees an opportunity to improve on enterprise security, where multiple point products are failing to catch intruders or malware slipping through the cracks.
“There are lots of security products [today]. They work well but are fairly narrowly focused,” he says. “We think there’s an opportunity to provide unification across those. We don’t want to replace them, but we want to provide better insight and intelligence across them because customers demand it.”
EMC BANKS AND BUILDS ON RSA
Tom Heiser led the team responsible for M&As at EMC before becoming president of the company’s RSA security division. For a year leading up to the RSA acquisition in 2006, EMC embarked on a security strategy. “We knew security was important to EMC. We didn’t know what our approach would be,” he says. After quickly deciding against building its own security business, it looked to M&A and eventually RSA, which had the “critical mass” and technology strategy that fit with EMC’s.
Since then, it’s layered more security acquisitions into its RSA business, based on a strategy that looks at market dynamics, growth opportunities, and customer needs, says Ted Kamionek, vice president of business development at RSA who leads security M&A for EMC/RSA. EMC’s purchase of GRC software vendor Archer Technologies last year and its April acquisition of network monitoring company NetWitness are deals that allow EMC to grow while providing integrated technologies that give customers better visibility into their infrastructure, he says.
Startups have a hard time scaling and reaching a lot of customers, Heiser says. “Companies don’t want to buy point products, they want to buy solutions. …When we acquire companies, customer expectations go up substantially in terms of customer responsiveness, service, product quality and functions down the road,” he says. “Many customers rely on us to buy these smaller companies to make sure they’re hardened for mission-critical applications.”
In the case of Archer, EMC/RSA capitalized on the company’s loyal user community. Archer gave its customers the ability to design and prioritize features and functions through online forums and an annual user conference, and RSA has invested heavily in sustaining that Archer user community, Kamionek says.
“Now we’re taking that community and rolling it across other products to leverage that powerful input. …That’s an example of how we’ve taken what worked for a small company and brought that into RSA to help accelerate and prioritize innovation here,” he says.
FALLOUT ON THE FRONTLINES
That rosy picture is at odds with the more common scenario in the wake of an acquisition, in which the customer experience changes and not usually in a good way. “The simplest way to think about it is products disappearing without a good migration strategy. Post sales degradation. All the usual things when you have a company that’s too big and distracted,” says Andrew Braunberg, research director at Current Analysis.
While Williams says acquisitions -- when handled strategically rather than just filling a portfolio gap -- can sustain innovation, Rene Bonvanie, vice president of worldwide marketing at Palo Alto Networks, an independent provider of enterprise firewalls, says innovation is always hampered in large companies. “The challenge for large companies is to stay focused on something as specific as security,” he says.
Innovative or not, though, it’s easier to sell security to executive management when it comes from a large company rather than a niche player, says Brian Engle, director of information security at Temple-Inland, a manufacturing firm based in Austin, Texas. If a company is already a customer of a large IT provider, it’s easier to approach the C-suite with a security component from that provider. “It’s like adding a line item rather than formulating something from scratch,” he says. “It doesn’t mean what you’ll get will be the best thing there is, but sometimes you have to make that sacrifice.”
If the promised technology integration from consolidation actually happened, security would improve by no longer being bolted on after the fact, Engle says. “As long as we have this separate security industry, we’re going to have difficulties in providing top-to-bottom security,” he says. “If consolidation was working, we’d be better for it, but I don’t think the integration is working as good as it could.”
However, Chris Ipsen, CISO for the state of Nevada, is wary of the consolidation trend leading to what he calls a monoculture. “As soon as we become overly reliant on one way of thinking, we become less secure.”
Going forward, a layered approach to security that mixes new ideas and established technologies will be critical for resilience, he says. “It requires us to go back to basics in terms of rigorous controls, separation of duties, layers of defense and enforceable policies. All those things that represent good hygiene in a network become more important with consolidation.”
Every vendor can be acquired and companies should be prepared, Williams says. He advises getting contractual commitments to roadmap items that are critical to your company, especially during license renegotiations. Security managers also should look at the vendor’s competition for potential alternatives.
“What gets people into trouble is when it’s difficult to switch, especially if the technology has a lot of integration including customization specific for your organization,” Williams says. “That’s a situation where you want to be candid with the acquiring company and say, ‘I need to make sure commitments that were made to me by the company you acquired are kept.’”
Forrester’s Kark cautions against getting locked into long-term commitments as a vendor gets acquired. “It might sound easy to lock into three years and get a great deal, but there’s a reasonable amount of uncertainty with this transition, so you want to make sure you’re not in a situation where you signed a three-year contract and after a year, 40 percent of the people you dealt with are gone,” he says.
For Sima and SPI, the experience of being swallowed by a big company was rough, but he sees improvement. Since then, HP has continued to invest in security and has had integration success stories folding in Fortify and ArcSight, he says.
“Looking back, it was unfortunate we were the example. We fought hard inside of HP when they were doing the acquisition of Fortify to make sure the same things didn’t happen to them that happened to SPI,” Sima says. “They learned a lot of lessons. Things are much better. SPI has a foothold working inside HP now. It took a long time and a huge amount of mistakes.”
Marcia Savage is editor of Information Security. Michael S. Mimoso is editorial director of the Security Media Group at TechTarget. Send comments on this article to email@example.com.
This was first published in June 2011