About This Case

Closes

No expiration

Bonus Detail

  • Top 3 Qualifying Insights Earn $150 Bonus

Posted

13 Mar 2007, 12:00AM PT

Industries

  • Enterprise Software & Services
  • IT / IT Security
  • Internet / Online Services / Consumer Software
  • Start-Ups / Small Businesses / Franchises

Will Security Software Mergers and Acquisition Continue?

 


There's been tremendous consolidation lately in the computer security space, with many of the big firms (Symantec, McAfee) gobbling up the smaller players. Is this trend likely to continue over the next 18 to 24 months? Why or why not? Either way, is this a good thing or a bad thing for the overall IT security industry and why?

15 Insights

 



This trend is being driven by the needs of the end users, so is likely to continue for at least the next 18 to 24 months.  Managing Internet security is becoming more complex all the time, as new threats emerge and existing threats must be understood and remediated more quickly. 

Many of these threats require specialized understanding of a particular technology and attacker profile. Spam and phishing are both attacks involving e-mail, but the method and motivations of the attackers are different. Every time a new threat develops, it creates a market opportunity for a security company with niche expertise. This has resulted in an environment characterized by many providers with specialized expertise in market niches, and a smaller number of large companies seeking to be one-stop shops for security services.

While the complex nature of Internet security requires specialized skills, the end-users of security products - both individuals and corporations - yearn for simplicity. They want to be able to secure their systems without having to manage dozens of software programs and multiple relationships with vendors. For home users, antivirus software has long been the most essential and widely-used security tool, making it the gateway into the consumer market. This has created an opportunity for Symantec and McAfee to bundle additional services into security suites that continue to expand with each new threat. Every time a new threat emerges, these companies need to respond. If they don't already possess the necessary expertise in-house, they will acquire it.

In the corporate security market, companies also look to their existing providers as their needs expand. Security firms work hard to establish these trusted relationships with major clients, and are loath to refer those clients to other providers who they may compete against in other areas. In some cases, they will subcontract work when they require additional expertise. These subcontracting relationships may make sense for a time, but often lead one provider to consider acquiring the other.

This pattern repeats itself with each new threat, meaning that there will always be some level of merger and acquisition activity in the Internet security field. Microsoft's entry into the antivirus and anti-phishing business has accelerated the trend, providing leading Internet security firms with plenty of motivation to cover every base in their product portfolio in an effort to defend their position. As Microsoft ramps up and improves its offerings, there will be continued pressure on Symantec, McAfee and other major providers to acquire any expertise they lack in order to develop the most comprehensive security portfolio possible, if only to try and anticipate and stay a step ahead of coming initiatives from Microsoft.

One area of opportunity is likely to be RSS security. Microsoft's decision to integrate RSS directly into its desktop products will make RSS-based attacks much more attractive to Internet criminals seeking to assemble botnets of compromised desktop zombie computers. This makes RSS more attractive as an attack vector, and will offer opportunities for niche security expertise, which will immediately become attractive to companies competing with Microsoft in the security arena.

Yes, as long as there are small companies to be gobbled up, large companies will do the gobbling. This is not any different from the software industry overall. The market for the small companies' products increases, and the product range of the big companies increases, and they can charge more for the new specialized competence. As in the overall software industry, entrepreneurs will sell their companies when they can, since they want to realize the value they have created. So there is no reason why this should stop.

It can be debated whether it is good or bad for the industry, but it is pretty certain it is good for the users, since it means that the specialized competence of the small companies becomes available to a wider audience faster through the big companies.

If what is good for the users is good for the industry, certainly it will continue.

 

//Johan

Yes, absolutely. Firms like Symantec and McAfee have become such corporate giants now that it would be surprising if they DIDN'T continue acquiring. They have business people at the top running the company rather than the techies who undoubtedly started them in the first place.

The pace of these acquisitions is really hotting up at present because each company is desperate to become differentiated. The problem is they are all following the same trends and essentially all look much the same from the outside.

There are fewer niche markets that small companies can get involved in to ever hope to be acquired by the larger companies, and it seems that the storage companies are coming out on top. Symantec have been lucky in this area, buying up Veritas when it was relatively small and continuing to do well with it. EMC have bought RSA, NetApp bought Decru, etc.

Security as a sub domain of storage is an odd concept at first, but is indicative of a new move towards securing data - where our information, and therefore our business is kept - rather than networks, which has been the traditional focus for security companies.

Where there is this interest in data security, DRM, endpoint protection, encryption, integrity, access controls, this will shift the focus of network security to the extent that a large part of it will become redundant. The large firms will have to stay on their toes to keep up with the trends - something which is often hard for a large corporation to achieve. Too many voices in a crowd just equal noise, not a clear message.

I don't like large corporations, for a number of reasons: unfair pricing, poor treatment of staff, bad pay, lack of opportunity. However, these are symptoms of a large, stable (often static) business, so conversely they also provide the ability to produce enterprise level software quickly and efficiently in a short time, and support it well. Smaller companies are often only in business to sell their idea to these larger players anyway, and do not expect to be able to carry their product past the development stage.

As a result, the danger comes when there are so many small players in an overcrowded space, for example log management. Those that are going to do well from it have already done so, time to leave. To sell up, the smaller company needs to have a niche and a focus. The larger buying company needs to have a need which it cannot fulfil in short order. This has already happened everywhere in network security, the market is overflowing and soon there will not be room for any more smaller players. They will simply go bust without funding or interest from the community at large.

To explain the shift in focus: if data is fully secured, and users are well authenticated and accounted, the network becomes a much more simple transmission device. The security of the network can be controlled through one set of rules, or a security model which can be applied to all data, and the data looks after itself. Devices like proxies, WAFs, perimeter firewalls become less and less necessary. I see a point where network security becomes a case of one "UTM" device at each end, one at the perimeter for controlling the user on entry and applying the network rules, and one at the data end to add encryption, integrity, and allow access to the relevant data. Of course at that point there is little need for the network at all except in terms of wires, and then the network becomes a device in itself. Many application providers are developing so fast that they already have the ability to achieve this inside their applications, it is just the available hardware which means it remains split out. 

It is interesting to think of the whole system in terms of convergence, and it is impossible to predict where the large steps here will be made, there probably aren't any. The very word itself implies small movement over time. Whether it is good or bad for the industry depends on your viewpoint. It is interesting technically, but not particularly satisfying to see business people getting rich off technical ideas. From a business point of view it is exciting being able to find new horizons and pushing to be the best in one area. Personally I am excited about data security, there is still a lot of work to be done there, and there will continue to be acquisitions here in particular for some time to come. 

The trend is not only going to continue but accelerate in the next 8 to 10 months, at which point I believe it will plateau for a period of time. The big firms got there by offering quality products but now they intend to easily maintain their dominance by purchasing minor players and upcoming major players. They no longer have to maintain a level of creativity and out-of-the-box thinking to further their own field but instead will consume technologies they'll pay to further develop. This will continue a cycle of "fund and further" with little intervention from the big firms.

 Truly, while this will bring new technologies to the forefront, it will be just as hindering to the IT security industry as it is now.  Without smaller companies being allowed to properly mature their products through several revisions, the original intention of the product itself will taper off into a maintenance-only mode due to the overbearing big firm that's funding them.  Rounds of angel investing will be more apt to continue the creative spark that started the product in the first place than will a buy-out that will inevitably end up with the product advancing but quickly hitting a plateau.  The heavy handedness of a big firm over a small team of devoted developers can easily cut productivity and creativity due to the sheer amount of red tape the team will have to go through with middle managers.

 Hopefully one day the big firms will realize they should foster the small companies and start-ups with resources and funding instead of dulling them with corporate policy and mindless meetings.

The trend is likely to continue over the next 18-24 months.  The larger organizations' advantages are their size, market penetration and breadth of computer security coverage, but there are weaknesses that come with these strengths.  A primary example may be found in new product feature development at these firms, which is similarly broad-based and focused on serving a broadly-defined customer base.  They are not, however, designed to deal with limited, but unique challenges to maintaining computer security.

Developers at smaller companies in the computer security space typically focus on serving niche requirements within the industry.  Consequently, their products are designed to serve small, but significant computer security markets where highly specialized solutions are required.  The companies that are successful at doing this effectively develop "best of breed" products, without the need to apply and deploy their technology across a wide customer base.  These companies will often have strong competition, which forces them to produce the best solution for the cost in order to remain viable.

Because of the wide variety of potential computer security threats, this kind of product development split between the big and small firms represents a good thing for the overall IT security industry.  It allows for both general computer security to become widely established while also delivering unique security products to those who need them most.  Since each kind of firm only has limited resources to devote to developing their respective technologies, this approach allows for each type of product to be developed according to the needs of the customers and does so in the most efficient way possible, while taking into account the strengths and weaknesses of both big and small firms in being able to develop, market and deliver each kind of product.  

The role of consolidation in the computer security industry is important when circumstances force what had been a tailored niche solution to become part of the general computer security environment.  Consolidation in the form of larger companies acquiring smaller ones provides a mechanism for bringing the unique capabilities of the smaller companies into the larger company's market, again in the most efficient means possible, as the development costs of bringing a new or revised product to market are the lowest this way.

In effect, the larger companies are selectively paying for other specialists to research and develop effective solutions - only paying when the smaller company's solution is proven.  This takes a lot of uncertainty and risk out of the R&D process, and the best part is that these products come with the assurance of having a built-in customer base.  

The simple answer is, "Yes, of course." 

We are in the midst of a "perfect storm" for M&A activity driven by a confluence of factors:

  • Benign interest rates (i.e., cheap access to capital)
  • Plenty of available capital; both in terms of access to debt and considerable cash hoards on balance sheets
  • Private equity buyers looking to pounce on undervalued assets
  • A maturation of the overall software industry
  • The health and reliability of maintenance revenues

As the software industry has matured, publicly-traded companies have (slowly) come to the realization that generating shareholder value has to come in different forms. The days of the "grow, grow, grow" philosophy simply aren't feasible any longer save for emerging niche segments.

There are literally hundreds of small- to medium-sized software companies that are struggling to grow. It's far easier to make an economic case for a major vendor (e.g., Symantec or McAfee or Microsoft or Trend Micro) to acquire the product sets and drive incremental margin gains from rationalizing distribution and G&A than it would be for the smaller vendors to continue to go it alone.

Another major factor contributing toward consolidation is the "one throat to choke" mantra. Customers want accountability and it's far easier to have one or two points of accountability for enterprise security needs than it would be to continue to support dozens of point products/vendors.

As to the question of whether it's a good or bad thing for the industry? That depends on which constituency you're representing. If I'm a security consultant, consolidation is a relative non-event. If I'm an executive at one of the major vendors, consolidation can be both a positive and negative factor; but it's an inevitability. The larger vendors that are aggressive about filling out their product portfolios in an economically sound manner will benefit for years to come. Those that chase after functionality for fear of being lapped by the competition are likely to squander a golden opportunity. 

Take a look at the recent deal between Websense and SurfControl. That is (in my opinion) CLEARLY a case of rolling up the industry to protect against pricing degradation. Is that a smart move? Ultimately we can't answer that question until we see how well Websense executes against the potential synergies. It should be the right move, and arguably a necessary one, but making the purchase is only a fraction of what needs to happen before we can evaluate the value of any given acquisition or merger.

 

This is an excellent question and one that I consider very frequently given my role as a Director in a Distributed Systems Engineering organization at a large financial services firm.

As we look out at the threat landscape that our organization faces, we feel a tsunami approaching. While the earthquake that triggered this tsunami occurred long ago, when the rise of distributed networks and the commoditization of the personal computer in every home and on every office desk exposed substantial compute power with inadequate platform (network OS, server / desktop OS) security, we are now starting to see the rising tides. These tides are taking shape in the form of exponential increases in virus output from hackers around the planet in the form of metamorphic or variant threats combined with an increase in the use of increasingly complex and therefore harder to detect encrypted and polymorphic threats.

The problem for the more established players in the space is that these variant and more complex attacks are also much more effective at overwhelming or evading the traditional AntiVirus / AntiSpyware / AntiMalware protection techniques, which for so long, have been the bread and butter of their business models. While the big players in this space have gotten much more effective at assessment and protection in recent years by deploying global honey pots (virus bait) and teams of software engineers with automated detection, assessment and remediation tools (SWAT teams) to combat the traditional threats, the threat landscape has continued to evolve in ways that the AV industry, generally speaking, was not geared to respond to. Unfortunately, the traditional players have not been as quick to adapt as the threats have been to evolve.

Therein lies the opportunity.

So, to answer your first question, YES I believe that the M&A activity in this space will likely accelerate over the coming months / years for a few reasons, but the overwhelming reason is this.

While there may be more than one way to skin a cat, solving the more complex problems that the industry is facing will require increasingly more innovative and complex AI algorithms. These complex algorithms, given their nature, also have much longer development cycles as they require significant analysis and testing. That said, there are a few small, but very innovative companies in this nascent space that have been working on solving these problems for a considerable amount of time and have patented many of the technologies required.

This effectively means that the larger companies who want to STAY in the game will either need to have had the foresight to see the tsunami coming and been planning for it or, they will need to go out and buy technology to solve it in order to stay relevant. Either way, as is also often the case, the smaller companies may have a more limited supply of resources that they can apply to developing their technologies into commercially viable, consumer or enterprise ready, products.

So, while many of the smaller companies are already commercializing their ideas and may have made inroads into the enterprise space, they may need the backing of a larger, more established player, who has established connections, solid financial backing and a well rounded suite of products, to bring their products to the masses.

The certain bottom line here is that, as always, there will be winners and losers, though I can guarantee one thing. The price tag for a small company with the right technology will command a premium, so putting your money on the right horse in this space will be very lucrative.

To answer your second question, "Is this a good or a bad thing?" Net net, I think it's a GOOD thing. Commercializing these technologies is good because the smaller companies have really good technology that will solve real problems and protect real people, both directly and indirectly. The direct protection will come from more robust consumer products geared toward protecting the increasing amount of private data stored on personal computers. The indirect benefit comes from the fact that most companies are liable for protecting your personal data. If they fail in their obligations, then both companies and their customers suffer because it is likely that your data can be stolen and the corporate reputation will be tarnished, affecting shareholders and potentially the broader economy, etc...

On the down side, many times acquisitions lead to eroding of the corporate cultures that created the innovations in the first place. However...and here's the rub...there will always be an innovative company waiting in the wings to capitalize on the new needs.

 

Such is the nature of capitalism. Ain't it great!

Will Security Software M&A continue

 

According to Peter Kuper, who is the Vice President, Senior Research Analyst at Morgan Stanley, the only two security companies in the last 5 years to have an IPO are Sourcefire and Check Point. The rest of the activity in the field is in the M&A realm. Most companies over the last five years have been bought by larger companies, with Mr. Kuper going on to say that 7 out of 10 dollars spent in information technology is spent on the big four, Cisco, Microsoft, and the rest.

 

That leaves 3 dollars on the table for every other IT company to compete over. The market share of smaller companies in relationship to total IT spend is going to be fractional of the money left on the table. Highly aggressive companies with excellent and compelling technology that has a proven track record in building brand and selling product are takeover targets, as well as IPO targets.

 

Depending on why the company exists, (some companies exist to go IPO with a big payday, or exist to be sold with a big payday) the M&A activity is a viable option depending on the type of pay day that the company owners want. It is often easier to be purchased outright than it is to go IPO. Given the money involved with M&A, on the order of millions of dollars for certain, and an IPO market that is barely non-existent, the expectation of M&A activity should increase.

 

The only way that M&A activity will decrease is if the IPO market picks up with a bigger pay out than can be gotten through M&A activity. Depending on the end value of the company, the compelling technology, the ability to sell that technology and gain brand recognition, being bought out can be an easier path, with an equal chance at “the big money” as an IPO can be.

 

In an uncertain IPO environment, M&A makes a compelling answer to those companies that need to find deeper pockets, or owners that want to move on to something else after doing one thing very well for years.

Yes, it's a good thing and yes, it will continue. The main downside to this type of consolidation is that it can inhibit innovation by the smaller players. However, as long as there is substantial profit to be had by creating a small, innovative security startup and getting bought by the big players the potential for innovation in this space should continue to thrive.

On the positive side there are several advantages to having large and powerful players in the security space. Here are some important positive aspects and economies of scale that make big players the best players:

* Deeper pockets

* More market penetration allows for broad solutions that impact many companies and users

* Larger data sets to examine

* More cooperation with other big players. Key players like Google or Microsoft are more likely to make necessary changes when prompted by requests from a Norton or a McAfee than from a small startup.

Action plans for large firms should be to seek small, innovative players that have new and helpful technologies. They should recognize that because their own size will tend to inhibit innovative, flexible solutions to the rapidly changing security landscape they should be happy to pay a premium to the smaller firms for buyouts or for application development.

Action plans for smaller security firms and startups would include taking advantage of flexibility and potential for rapid development and deployment on smaller scales as well as utilizing skills of staff that are familiar with newer online threats to security, with an exit strategy geared more to buyout by a big player or creating high-value applications to license to the big player.

Security software companies such as Symantec and McAfee are experiencing increased pressure from Microsoft, which has beefed up the built-in security capabilities in Vista. In an effort to counter this competition, the larger firms have been seeking acquisitions that will help differentiate their product portfolio and maintain product superiority. Acquisitions typically focus on two areas:

  1. Acquisitions with next-generation feature/functionality that can be incorporated into the core product suite
  2. Acquisitions that target a niche or highly specialized market that will remain impervious to any mass-market product that Microsoft introduces

 

As Symantec and McAfee reevaluate their portfolios over the next year, they are likely to continue acquisitions at a slower rate, as management fills gaps in the portfolio and focuses on integrating previously made acquisitions.

Whether consolidation in the industry is a good or bad thing depends on who you are.

  • Consolidation reflects a defensive posture against Microsoft; however, it will not alter Microsoft's slow entry into the market (nor will it alter Microsoft's ineptness at developing secure products)
  • Symantec and McAfee will become larger and more stable, in a better position to hold off Microsoft
  • VC-backed startups will find it more difficult to scale organically to the size needed to generate 10x returns for their investors
  • Bootstrapped startups will continue to be able to find niche segments that are under the radar of the incumbents (even during and after this period of consolidation)
  • Customers will see fewer, more stable products and services with consistent levels of quality...for a price

Adding to my prior comments, let's not discount Google's acquisition of Postini. This was, by far, Google's most enterprise-focused acquisition to date and adds a critical security layer to all of their hosted productivity applications. Postini's financial profile certainly was good enough for an IPO under current market conditions, yet they opted for a buyout instead.

When I spoke to a friend (one of the founding VCs) about this deal, he said the opportunity to provide Google with the security layer it desperately needed to attract SMB enterprise accounts was simply too good to pass up.

 

I believe that it's irrelevant, since the days of third party security software are numbered.

More and more, the team behind Windows (XP and Vista) is including 'good enough' security into their OS and browsers, i.e. a firewall, anti-virus, anti-phishing, anti-spyware, anti-popups. Some of these tools are fit for purpose now, some aren't, but the trend is clear. And with several totally free security suites (Zone Alarm's free option, AVG, etc.) available for home users, I don't see a long term place for the likes of Symantec and McAfee, no matter how many other firms they buy up in desperation.

The history of OS is littered with utilities whose functionality eventually got merged into the OS itself. I don't see things changing.

The end result is bad for specific 3rd party software firms but good for the end user, who gets more value thrown in with the OS and less need to buy extra, possibly resource-draining 3rd party security suites.

My feeling is that this will continue in certain parts of the security space but not necessarily others. There are several large companies (IBM, CA, Microsoft, even Google recently) who are trying to build security portfolios rapidly and the obvious way to do that is acquisition. On the other side of the coin you have a lot of security startups at the moment (as it has been seen as a "hot" market segment over the last couple of years) who are looking for a fast way to get a return on their investment, and with the advent of Sarbanes-Oxley many of them won't now IPO as they would've 5-10 years ago. Of course there are some security market segments which aren't seen as currently trendy (Identity Management is one that was hot a couple of years back but doesn't seem to be now) so there probably won't be a lot of movement there, but areas like Data Leak Prevention, Network Access Control and Web Application/Web Services security will still see a fair bit of activity.

Personally I think that this is probably bad for the overall IT security industry. The problem for any acquisition is integration into a much larger company and the inevitable loss of focus on their core business that this entails. Also there's the risk that key members of staff who enjoy the start-up environment will leave if the culture of a larger parent company isn't similar. Additionally there seem to have been some cases where large companies seem to have bought multiple start-ups in a given market segment and that duplication inevitably leads to a long period of integration where those products can't develop as quickly as they would have otherwise.

Consolidation will continue in the security market over the next 18 to 24 months and beyond. The main reason is because security problems multiply and mutate. From the network to Web applications, from databases to mobile users, security problems abound--and thus so do market opportunities.

Vendors that aren't security-centric can build profitable business units to address security-related problems within their primary domains. For instance, Cisco and Juniper have security portfolios that complement their network-centric view of the world. Storage giant EMC now owns two security companies (RSA and most recently Tablus) that focus on information protection. Microsoft, the poster boy of exploited software, is continuing to expand its presence in consumer and enterprise security software and hardware. Even Google is getting into the game--it acquired GreenBorder, a tiny startup that runs desktop applications in a virtualized environment to protect them from Web-based malware infection.

And because there are so many security problems, the ecosystem is ripe with small companies and startups, which have the entrepreneurial freedom to focus on new and emerging threats. Startups essentially act as research labs, exploring the feasibility of new technologies and testing the viability of a particular market (these days, information leak prevention).

By contrast, large vendors are locked into supporting and upgrading existing product lines and watching quarterly share prices, which inevitably draws their focus away from innovation.  So rather than build it themselves, established companies buy it. Acquisitions inject new relevance into a company's offerings.

 Is this good for the overall IT security industry? Mostly yes. It's great for the founders and investors whose companies get acquired. Certainly the competition that security-centric companies face from other vendors moving into the market benefits the industry. And the depth and breadth of startups and small companies tackling emerging threats helps the industry advance.

But there are downsides as well. One is that security is often regarded as a product rather than a process. So enterprise customers focus on deploying a hot new technology, but leave critical servers unpatched. Second, an acquisition tends to validate a product or technology in the minds of potential customers. But that validity may not be warranted because the products may not be fully baked, and potential countermeasures may not be understood. Yet because the product now bears the label of a major vendor, such issues can get swept under the rug. Finally, good ideas and good products can get lost inside a larger organization, negating the value of that innovation.

 

 

 

The Big Dogs that have the majority of the market share will continue to eat up the competition until it is not beneficial to them anymore. As I see it the only reason for these acquisitions is simply to add new features that have already been developed and tested. Virus and malware programmers are very shifty and always seem to be a quarter of a step ahead of the security game. Symantec and NAI need to keep up with them and absorbing these other companies that are fighting to stay on top is a good thing for them and for their users. But as for pricing competition I say this will not cause huge price drops anytime soon - but a better product seems inevitable.