With independent security vendors getting acquired on an almost weekly basis, doubts about the staying power of those who remain are swirling through the industry.
Executives may insist their companies are still healthy and viable, as eEye Digital Security's CEO did following rumors of layoffs and other troubles. But one analyst has his doubts, and some CEOs refuse to outright dismiss the possibility of a future merger or acquisition.
"Like anybody, we would entertain it," eEye CEO Kamal Arafeh said when asked about a possible acquisition deal in the future. "But eEye is not up for sale. We are not trying to get anyone's attention for M&A purposes."
eEye CEO refutes rumors
At the Black Hat conference in Las Vegas earlier this month, rumors circulated of trouble within Aliso Viejo, Calif.-based eEye, with waves of layoffs and at least one demotion. Arafeh admitted there have been some challenges, including layoffs. But he refuted claims that the company's foundation is shaky and that it's shopping for someone to acquire it.
"In focusing on the larger enterprise clients, which can require substantial resources, we had been forced to take our eyes off the ball a little bit from the ability to keep focusing on the larger marketplace, be it medium-sized businesses or [smaller] organizations," he said. "So we had a little bit of struggle in being able to address the lion's share of opportunities out there and that deflated a little bit of the momentum."
To correct those problems, Arafeh ordered an overhaul that included the layoffs of seven engineers and two people from other departments. But he also beefed up the sales organization and opened a satellite office in Dallas with well over 20 people. Growing the sales team will help grow the company, he said.
Eric Maiwald, a senior security analyst for Midvale, Utah-based Burton Group., said vendors never willingly tell him bad news, but that a big question mark has clearly been hanging over eEye and other smaller security companies.
Unlike Sourcefire, which has bucked the trend by going public and acquiring ClamAV, an open source email gateway antivirus and antimalware project, Maiwald's impression is that most vendors are sitting around hoping someone will come along and acquire them.
The trouble with limited value
One problem for companies like eEye is that their tools are of limited value in enterprise settings, Maiwald said.
"eEye does vulnerability scanning and that was their claim to fame," he said. "There are a bunch of security assessment firms who will use something like this. But they can also use Nessus and other tools. And [eEye] doesn't do remediation, so in an enterprise they would be a component of something larger. Will I, Mr. Enterprise, buy a lot of eEye as a standalone product? I don't see it, and that's where a company can run into a struggle."
Standalone companies that continue to thrive are doing so by expanding their product portfolio and focusing more on tools to help IT shops manage all the security tools they already have. Symantec Corp. and McAfee Inc. are prime examples of that, Maiwald said.
"Symantec and McAfee are focusing heavily on security management," Maiwald said. One example was McAfee's release last year of Total Protection, which was designed to combine and manage all the elements of a comprehensive corporate security system through a single console and agent platform. "It's an example of independent companies pushing in new directions to cater to enterprise needs and stay viable," Maiwald said, suggesting that a lot of the smaller security vendors need to follow suit or eventually disappear.
The unique story of Sourcefire
Then there's the unique case of Columbia, Md.-based Sourcefire, which survived the collapse of an acquisition deal with Check Point and went on to go public. Check Point made plans to acquire the company behind the popular Snort open source IDS tool for $225 million in cash in 2005, but the deal was unpopular among die-hard Snort users. Some feared Check Point would allow Snort to languish, as some feel it has done since it acquired the popular free ZoneAlarm desktop firewall application as part of its $205 million purchase of Zone Labs in 2003. Others worried that Check Point would seek to further monetize Snort by no longer allowing it to be an open source product. The point became moot in March 2006 when Check Point withdrew its application.
Sourcefire announced plans to go public last October, and announced plans to expand with the acquisition of ClamAV earlier this month.
"Sourcefire is creating an interesting mixture of products," Maiwald said. "They started with intrusion prevention and have expanded to behavioral analysis capability. I don't know what they'll do with ClamAV, but it seems like they have an idea of what they want to cover."
Never say never
Like eEye's Arafeh, StillSecure Chief Strategy Officer Alan Shimel insists there's no "for sale" sign in front of his office. But he said it would be silly to dismiss the possibility of a future acquisition of the Superior, Colo.-based company outright.
"I think in next 24-48 months we'll continue to see increased consolidation," he said. "There's no for sale sign at StillSecure, but let's be honest -- We're a venture-backed company and supporters would like to see some return. An acquisition is one way to achieve that, and doing and IPO is another option."
Shimel said his company is in a good position to reach its business goals as an independent entity. But he acknowledged that the security market has become saturated and that some are finding it tougher to go it alone.
"With 800 some odd security companies in the market, there are too many going for too few customers and something has to give, so venture capital investments are slowing down," he said. "A lot of companies that raised venture capital money are not well enough capitalized to see profitability and so they face tough choices."
At the same time, he said, new security companies will keep popping up in response to new threats. That will mean more innovation and probably even more acquisitions, as big vendors try to tap into that innovation.
As for StillSecure's staying power, Shimel notes that the company was founded in 2000 as the dot-com bubble was about to burst. It knows how to survive tough times, he said.