Wednesday Big Blue announced it is scooping up the Atlanta-based security vendor to strengthen its position in the growing managed security services market. Following the acquisition, which is expected to close in the fourth quarter, IBM said ISS will operate as an independent business unit within IBM's global services organization. The current ISS management team will remain intact.
Andrew Jaquith, a senior analyst with Boston-based Yankee Group, said both vendors benefit from the acquisition because ISS has created a capable and well-known managed perimeter security service that will be augmented by IBM, while Big Blue customers win because the combined product set will be able to scale up to meet the needs of the largest enterprises.
Zenobia Austin, associate analyst for Memphis, Tenn.-based brokerage and investment banking firm Morgan Keegan & Company Inc., said the IBM/ISS deal reflects a larger trend where tech companies are finally understanding the necessity of security.
"We've seen some large security acquisitions recently, and I think we'll see more," she said. "Companies like IBM realize that security is now a must-have. You don't get to the table unless you have it." Customers have identified security as a top priority, she added.
She agreed that the acquisition is a good deal for customers on both sides.
"IBM customers will get a new security service, one that ISS is well regarded for, and ISS customers will benefit from IBM's resources," she said. "One of ISS's challenges has been customer service, and this is an area where IBM can help."
However, Jaquith said he is concerned that once it becomes part of IBM, ISS may lose its edge over time.
"Managed security and vulnerability management vendors like ISS live and die on the strength of their staff's research," Jaquith said. "Now that ISS is being taken off the board, defections from their X-Force and managed services teams could hurt them over the long run."
He added that IBM must ensure it does all it can to retain existing talent, and customers should ask IBM tough questions about its staff retention plans.
Jaquith said this and other recent purchases along with the ample venture capital flowing into security companies during the past few years illustrates that information security is now a mainstream business and a focus of all major tech vendors. "If you're a big player," he said, "you've got to have a security story."
Paul Stamp, an analyst with Cambridge, Mass.-based Forrester Research Inc., agreed the acquisition reflects the fact that people want to go to the same vendor to buy security along with the IT infrastructure they're protecting.
That doesn't mean security vendors in general are destined to be gobbled up by the big IT infrastructure vendors. But those who want to remain independent will need to keep innovating, he said.
"ISS struggled in recent years to maintain its early momentum," he said. "You could argue that they invented intrusion defense and vulnerability management. But as other vendors popped up with similar products, ISS struggled to find other areas where they could innovate."
Santa Clara, Calif.-based McAfee Inc. is probably the most innovative security vendor at the moment, Stamp said. "They've moved into the network access control (NAC) space and are going into the high-level policy and risk management products with dashboard capabilities, which is what CIOs want."
Cupertino, Calif.-based Symantec Corp. is taking a different approach by going head to head with infrastructure vendors like Microsoft, he said.
"The Veritas acquisition two years ago was smart because it allows them to move beyond the game of block and tackle," he said. "When it comes to email, you not only have to protect against the bad stuff coming in, you have to ensure that the emails going out comply with company policy and are managed accordingly. That includes archiving. "