In the middle of the last decade, SPI Dynamics was among the darlings of the security startup world. They had cool technology in a burgeoning segment of the security industry. The company’s profile was growing from modest beginnings (16 people, including three co-founders and a handful of engineers in an office behind a strip club near Georgia Tech) to eventually more than 150.
Investors loved the little Web app security company that could. Four rounds of funding helped the company’s engineers develop products such as Web app pen-testing tool WebInspect, which were solving real-world security dilemmas. Revenue was doubling, literally, every quarter. The good times were rolling; the company still maintained that informal, startup feel too, and innovation was still the priority despite the increasing focus on business and shareholder satisfaction.
“We were going through growing pains adjusting to being a bigger company and culture; it was crazy during our peak,” says Caleb Sima, one of the co-founders. Sima saw the handwriting on the wall; despite solid revenue, they needed more resources to hit their absolute peak and double, maybe quadruple, their business. “We had to decide: Stay small, or explode to a large company?”
The “For Sale” sign may never have been formally hung on the door, but acquisition was inevitable. This was the heyday of consolidation in the security industry. Not only were pure-play security companies scooping up standout security startups, but large tech companies were taking a shine to security. From 2005 to 2006, there were at least 19 security deals. SPI Dynamics, for instance, had Compuware, IBM, Hewlett-Packard and numerous others knocking at its door. Google was looking for entry into security; Cisco, EMC and CA too.
Very few startups sell to have their stuff fall off the face of the planet. Developers and execs alike have an emotional attachment to the technology and the culture that helped build it. To have it spiral into the black hole of some corporate abyss was sacrilege. But Sima says that’s what happened to SPI Dynamics for a period of time after it was acquired by HP in June 2007 for an undisclosed sum. Same story for Internet Security Systems (ISS) after IBM paid $1.3 billion for it in 2006. In fact, it became IT security’s version of a drinking game to ask, “Whatever happened to ISS?”
Today, information security market consolidation continues at a rapid clip, with large infrastructure companies like IBM as active players. While some say consolidation hurts innovation and customer service, others – particularly the IT giants – say that in the long run it promises better integration, more insight into an enterprise’s security posture and, ultimately, improved risk management. Fewer point products for security managers to deal with, fewer headaches. But is that really the case? What have companies like IBM, HP and EMC done with their security acquisitions?
NO SMALL FEAT
Internet Security Systems, like SPI Dynamics, fell off the radar of the security world for some time after it was acquired by IBM in 2006. ISS was not only an intrusion detection and prevention pioneer with its Proventia product line, but its X-Force research team was an all-star team of white hat hackers at the forefront of analysis on worm and malware outbreaks. Unlike SPI Dynamics, ISS was a sizable corporate entity with 1,400 employees and a global workforce at the time IBM plunked down more than $1 billion for it in October ’06.
“It started to get to the point where it made a lot of sense,” says Dan Ingevaldson, former ISS technology strategist and director of professional services, of the acquisition. “We were the biggest independent security company out there aside from McAfee. There was a lot of activity, nothing specific to IBM at first. But it was apparent that something was going to happen.”
ISS was the focal point of the corporate security research world for some time and featured some heavy hitters, such as founder Chris Klaus, president Tom Noonan, CTO Chris Rouland and a bevy of talented engineers and hackers who built up the formidable Proventia and RealSecure product lines and helped detect and combat such threats as the SQL Slammer worm. IBM certainly had the assets to scoop up a shiny target such as ISS. The opportunity was there to bolster its fledgling security services offerings with the ISS portfolio. IBM was sorely lacking intrusion prevention and vulnerability assessment technology, and ISS, a leader in both, was a natural fit. IBM filled gaping holes with the ISS buy, and had close to a complete security story to tell alongside its Tivoli identity management play.
Integrating the company inside IBM, however, was a significant undertaking. IBM serviced thousands of accounts, and had a shiny new security bauble to offer its customers. IBM also serviced companies globally, from enterprises to the midmarket, something that would expand ISS’ almost exclusively enterprise foothold.
“Promises were made, but it’s always harder than advertised,” Ingevaldson says. “But I think they were largely successful in integrating ISS. When IBM acquired us, they had 300,000 employees. The natural thing to assume is that you won’t have access to (resources) like before, and be buried and hard to find. It’s a logical concern. But IBM is better at buying companies than anyone else.”
Ingevaldson says IBM worked hard to identify potential organizational issues that might arise as employees left and were replaced. “They managed our existing business and kept our account teams together,” he says. “IBM was not interested in reeling us in.”
IBM continues to invest in and offer the Proventia product lines, including its Network Scanner, SiteProtector and endpoint threat mitigation offerings. These were the backbones of a company on the front lines of security research not so long ago.
“At the time, we were just focused on creating cool technology customers wanted,” Ingevaldson says. “We were seen as the new guard in dealing with the threats of the day. We really were positioned in the trenches with customers, on the phone 24/7. Our teams were in the offices on weekends, nights, whenever, reverse-engineering systems and putting capabilities into our products. Our account managers were constantly relying on X-Force to position them as a knowledgeable partner, a trusted advisor for the industry. We had a good technical relationship with customers. Our customers had an intellectual interest in the problems of the day; it wasn’t about checking boxes for PCI that’s driving buying decisions today.”
SPOTTY TRACK RECORD
So far, the record’s been mixed, says Khalid Kark, vice president and research director at Forrester Research. A few years ago, Forrester predicted security would become a function of larger IT infrastructure management. “This was almost inevitable,” Kark says.
“In terms of the technology, a lot of these capabilities [from the acquired companies] still aren’t well integrated into the existing management or infrastructure capabilities that these companies have,” he says.
Oftentimes, acquisitions can hurt innovation and also translate to prices that are equal to or even higher than before, leaving the end user with just one benefit: technology that has the backing of a big company. “IT buyers who want to play it safe and rely on a well-established, financially secure vendor are able to get that,” Kark says.
Amrit Williams, a former Gartner analyst and CTO at configuration and vulnerability management company BigFix before IBM bought it last summer, says large IT vendors historically haven’t done a good job at integrating security with their operational technologies, but are improving the way they handle security. In previous years, security at both IBM and HP was run by the brand, he says: “It was hard to find a single voice or strategy for security that spanned the brand and ensured the type of integration that would provide value to customers.”
But IBM and HP have made organizational changes so security spans their brands, and EMC made RSA its own division, Williams says: “You’re seeing the large vendors recognizing the importance of security and not burying it in the brand.”
BIG BLUE CHARGES INTO SECURITY
At IBM, security has become a big business that’s core to the company’s overarching “Smarter Planet” strategy of making systems more interconnected and intelligent, says Marc van Zadelhoff, director of strategy for IBM Security Solutions.
To that end, IBM launched its security solutions group in March 2010 to give customers one place to access all of its security products and services, and has made 11 acquisitions in security since 2006. Those acquisitions are driven by the IBM security framework, which outlines key risk areas organizations face, van Zadelhoff says. For example, IBM’s acquisition of BigFix was driven by the increased risk mobile devices and disparate endpoints pose to enterprises. “That company gets into a core part of our strategy, which is this whole interconnected planet and being able to manage the security on all these devices,” van Zadelhoff says.
Since 2000, IBM has acquired more than 100 companies. “We’re very good at that. We’re good at retaining key people and integrating them into the IBM fabric,” says van Zadelhoff, a former executive at Consul Risk Management, which was bought by IBM in 2007. He previously was on IBM’s security M&A team. “I would argue that a bunch of other companies aren’t as good at integration or the innovation side,” he says.
He defends IBM’s handling of its acquisition of ISS [See p. XX], which was initially put in IBM’s services group – a move that critics say led to the ISS intrusion detection technology falling behind in the market. About a year ago, IBM moved the ISS products into its software group.
“There are phases in any company. We made the right move to keep the company together and allow the teams to collaborate until we had the integrations completed,” van Zadelhoff says. IBM’s acquisition of ISS opened up career paths for ISS service engineers, and also led to the development of IBM’s virtual server security product, he adds. “An acquisition needs to be supported by a strong integration philosophy, then by the acquiring company’s innovation that can drive and complement these technologies.”
In February, IBM released Tivoli Endpoint Manager, what the company calls its “blue wash” of BigFix technology with new capabilities. Van Zadelhoff says IBM is working to extend BigFix to mobile device management and showed off prototypes at the RSA Conference earlier this year. IBM also released a blue-washed version of Guardium’s database security technology, InfoSphere Guardium 8, about a year after it acquired Guardium.
Analytics is becoming increasingly important in enterprise security in order to detect security threats, he says. “Companies have bought every security product in the world and still don’t know if they have an advanced persistent threat.” IBM is integrating technology from many of its acquisitions, such as Guardium, Consul and data analytics company Cognos, with its own capabilities and producing prototypes of advanced analytics that can troll through terabytes of data to uncover threats.
HP’S SECURITY PLAY
Like IBM, HP views security as key to its broader strategy. Last fall, HP unveiled its strategy for providing tools and services, including security, to help companies address the growing use of mobile and cloud computing technologies by enabling an “Instant-On Enterprise.” The company’s security acquisitions – including intrusion prevention vendor TippingPoint, SIM supplier ArcSight and application security company Fortify Software – were intended to build security into the fabric of the network, reduce risks, and help customers detect threats early, says Rick Caccia, vice president of product marketing for HP ArcSight.
HP is developing a security intelligence and risk management framework that integrates its acquired security technologies with some of its traditional capabilities in IT operations and applications management. “We think if we tie all that together we have a strong ability to understand who’s on the network, what applications are there, where vulnerabilities might exist, and monitor to reduce risk in the business,” Caccia says.
Core to the framework is the ArcSight SIM technology. Since HP acquired the SIM vendor last fall, it’s been working to integrate the ArcSight log management product with its system management technology. That integration gives customers better context for network events, Caccia says.
HP also has been working to integrate the static code analysis capabilities it acquired when it bought Fortify Software last September with the dynamic testing capabilities from its SPI Dynamics deal. In April, the company released a hybrid analysis product, which Subbu Iyer, senior director of products and application lifecycle management at HP Software, describes as an “industry first.” Fortify, like ArcSight, is run as a standalone business within HP. It’s headed by former Fortify CEO John Jack, and combines the R&D teams of Fortify and SPI.
SPI Dynamics’ suitors began knocking, bearing figurative wheelbarrows filled with cash. Compuware called. IBM did too, and so did HP and a handful of others. Startups in security and other IT segments probably have a dedicated line for merger and acquisition calls, and SPI Dynamics was no different. But they weren’t desperate either. They had a number and they were sticking to it. For three years, IBM tried its damnedest to bring SPI’s Web app security capabilities into the Big Blue family. The pitch, however, was always a lowball offer, as were most of the offers that Sima, CEO Brian Cohen and the rest of the management team fielded.
IBM tired of the chase and came to SPI with a take-it-or-leave-it offer. “They said, ‘Here is our final offer, if you don’t accept it, we’re going to acquire different technology,’” Sima recalls. “We said ‘No.’ It was not close to what we wanted. We heard rumors after we turned them down that they were acquiring Watchfire, our major competitor.”
That’s exactly what happened, and it was exactly the nudge HP needed to get serious about its offer to SPI.
“HP called and asked what it would take for us to acquire you and get it done within two months,” Sima says. “HP made its offer, and we put down a minimum number. They came back, and said they would do this and this, and it was a good deal to us.”
SPI had leverage in knowing IBM was ready to pluck Watchfire off the shelf and HP wanted to get into the same space before IBM. “They gave us our number, and we said ‘fantastic.’” Ironically, IBM beat HP to the punch by one day, announcing its acquisition of Watchfire 24 hours before the SPI deal was made public on June 19, 2007. The horizon was now endless for SPI, which was promised access to HP’s massive global sales force, channels and endless development dollars.
“We can literally change the way Web app testing QA is done; this was a big sell,” Sima says. “This was very appealing to me. Every entrepreneur wants to change the world. That pitch was given to us as a nice goal for us.”
What happened, however, was the opposite. SPI was in a Bizarro mega-corporate world, cash flush sure, but suddenly without that startup feel. HP’s Mercury Interactive group, acquired in July 2006, along with HP’s corporate M&A team, managed the SPI Dynamics purchase. There was a 90-day integration deadline in place and things moved relatively quickly, and in a disturbing direction. Customer support was no longer within SPI’s purview; instead it was moved into a call center system with tiered levels of support that were foreign to SPI customers used to the company’s intimate relationships. Sales and channel were also moved into corporate, and Sima says there was little motivation internally to sell SPI. HP corporate even bandied about changing product names, and made the team move from its prepaid office near Georgia Tech to an office an hour north of Atlanta.
“We fought to the death for all of this not to happen,” Sima says. “But it was like a Prius and a Monster Truck; you’re gonna get run over. There’s nothing you can do.”
Rather than focusing on their product as they had all those years, the SPI team was suddenly in the middle of corporate politics, evangelizing Web application security internally, scratching and clawing for development, sales and channel support. For a year, the little company that could was a cog inside the massive machine that was HP and was a poster child for the integration nightmare small startups face when they’re gobbled up by tech giants.
“It should have been expected, we should have had more experience and foresight because that’s what large companies are wont to do,” Sima says.
Iyer says the rationale behind Mercury Interactive handling the SPI deal was to add security to Mercury’s application performance testing, but he adds that HP could have done some things differently with the acquisition. [See page XX]
“We learned a lesson. That’s why we’ve been very intentional in the way we have worked with Fortify and ArcSight,” he says. “We’ve not rushed to functionalize these organizations. We’ve made sure they run as independently as possible and sell to the core security buyer.”
Caccia sees an opportunity to improve on enterprise security, where multiple point products are failing to catch intruders or malware slipping through the cracks.
“There are lots of security products [today]. They work well but are fairly narrowly focused,” he says. “We think there’s an opportunity to provide unification across those. We don’t want to replace them, but we want to provide better insight and intelligence across them because customers demand it.”
EMC BANKS AND BUILDS ON RSA
Tom Heiser led the team responsible for M&As at EMC before becoming president of the company’s RSA security division. For a year leading up to the RSA acquisition in 2006, EMC embarked on a security strategy. “We knew security was important to EMC. We didn’t know what our approach would be,” he says. After quickly deciding against building its own security business, it looked to M&A and eventually RSA, which had the “critical mass” and technology strategy that fit with EMC’s.
Since then, it’s layered more security acquisitions into its RSA business, based on a strategy that looks at market dynamics, growth opportunities and customer needs, says Ted Kamionek, vice president of business development at RSA, who leads security M&A for EMC/RSA. EMC’s purchase of GRC software vendor Archer Technologies last year and its April acquisition of network monitoring company NetWitness are deals that allow EMC to grow while providing integrated technologies that give customers better visibility into their infrastructure, he says.
Startups have a hard time scaling and reaching a lot of customers, Heiser says. “Companies don’t want to buy point products, they want to buy solutions. …When we acquire companies, customer expectations go up substantially in terms of customer responsiveness, service, product quality and functions down the road,” he says. “Many customers rely on us to buy these smaller companies to make sure they’re hardened for mission-critical applications.”
In the case of Archer, EMC/RSA capitalized on the company’s loyal user community. Archer gave its customers the ability to design and prioritize features and functions through online forums and an annual user conference, and RSA has invested heavily in sustaining that Archer user community, Kamionek says.
“Now we’re taking that community and rolling it across other products to leverage that powerful input. …That’s an example of how we’ve taken what worked for a small company and brought that into RSA to help accelerate and prioritize innovation here,” he says.
FALLOUT ON THE FRONTLINES
That rosy picture is at odds with the more common scenario in the wake of an acquisition, in which the customer experience changes and not usually in a good way. “The simplest way to think about it is products disappearing without a good migration strategy. Post sales degradation. All the usual things when you have a company that’s too big and distracted,” says Andrew Braunberg, research director at Current Analysis.
While Williams says acquisitions -- when handled strategically rather than just filling a portfolio gap -- can sustain innovation, Rene Bonvanie, vice president of worldwide marketing at Palo Alto Networks, an independent provider of enterprise firewalls, says innovation is always hampered in large companies. “The challenge for large companies is to stay focused on something as specific as security,” he says.
Innovative or not, though, it’s easier to sell security to executive management when it comes from a large company rather than a niche player, says Brian Engle, director of information security at Temple-Inland, a manufacturing firm based in Austin, Texas. If a company is already a customer of a large IT provider, it’s easier to approach the C-suite with a security component from that provider. “It’s like adding a line item rather than formulating something from scratch,” he says. “It doesn’t mean what you’ll get will be the best thing there is, but sometimes you have to make that sacrifice.”
If the promised technology integration from consolidation actually happened, security would improve by no longer being bolted on after the fact, Engle says. “As long as we have this separate security industry, we’re going to have difficulties in providing top-to-bottom security,” he says. “If consolidation was working, we’d be better for it, but I don’t think the integration is working as well as it could.”
However, Chris Ipsen, CISO for the state of Nevada, is wary of the consolidation trend leading to what he calls a monoculture. “As soon as we become overly reliant on one way of thinking, we become less secure.”
Going forward, a layered approach to security that mixes new ideas and established technologies will be critical for resilience, he says. “It requires us to go back to basics in terms of rigorous controls, separation of duties, layers of defense and enforceable policies. All those things that represent good hygiene in a network become more important with consolidation.”
Every vendor can be acquired and companies should be prepared, Williams says. He advises getting contractual commitments to roadmap items that are critical to your company, especially during license renegotiations. Security managers also should look at the vendor’s competition for potential alternatives.
“What gets people into trouble is when it’s difficult to switch, especially if the technology has a lot of integration including customization specific for your organization,” Williams says. “That’s a situation where you want to be candid with the acquiring company and say, ‘I need to make sure commitments that were made to me by the company you acquired are kept.’”
Forrester’s Kark cautions against getting locked into long-term commitments as a vendor gets acquired. “It might sound easy to lock into three years and get a great deal, but there’s a reasonable amount of uncertainty with this transition, so you want to make sure you’re not in a situation where you signed a three-year contract and after a year, 40 percent of the people you dealt with are gone,” he says.
For Sima and SPI, the experience of being swallowed by a big company was rough, but he sees improvement. Since then, HP has continued to invest in security and has had integration success stories folding in Fortify and ArcSight, he says.
“Looking back, it was unfortunate we were the example. We fought hard inside of HP when they were doing the acquisition of Fortify to make sure the same things didn’t happen to them that happened to SPI,” Sima says. “They learned a lot of lessons. Things are much better. SPI has a foothold working inside HP now. It took a long time and a huge amount of mistakes.”
Marcia Savage is editor of Information Security. Michael S. Mimoso is editorial director of the Security Media Group at TechTarget.