Tuesday, June 19, 2007

IT Security Market Consolidation...

It's time again. It's that time when the market starts to consolidate. We've seen several "cool" technologies over the past 5 or so years, and many good, stable companies have been built upon them. Web Application Security is one of those niches, to be sure.
As we've seen over the last couple of months, WatchFire has been bought by IBM (who also bought ISS - what were they thinking?), and now HP has bought up SPIDynamics.

What does this mean? Let's analyze. In fact, let's take this beyond the scope of the Application Security niche and analyze acquisitions of security companies by the "gorillas" in the broader context of the Security space.

Acquisitions happen for any number of reasons. I will talk about some of them here, and the pros/cons of each:
  • Entry into a new market space (immature niche): This specific case is probably the most compelling. A company buys another small, emerging company because they have some new technology the bigger acquiring company thinks will "revolutionize the market". This often happens quickly, before the smaller, newer company can really even make too big of a splash.
    • Pros: Acquired company often makes a killing on buy-outs
    • Pros: Acquiring company typically gets entry (with their massive resources) into a product space they didn't have to R&D to get into
    • Cons: More often than not, the technologist geniuses who built the emerging company leave, you know what happens next (see NetworkICE acquired by ISS)
    • Cons: The acquiring company doesn't always reap the benefits of the acquisition, and the "hot new technology" fails to impress
  • Entry into a market space (mature niche): This often happens when a large company that has a stagnant pool of products is desperate to find some new tech space to get into. The thought is that by acquiring some new technology, or some new product, integration will bring a new surge in demand for their products. Sadly, as with CheckPoint buying Zone Labs, and Symantec buying... well, name most any of their recent acquisitions, this rarely turns out well. Entering a mature niche is much like trying to build a hockey team in Nevada. The market is mature (hockey teams all over the place) and it's a commodity that has enough players already. Just because you've bought one of the players in that space doesn't guarantee you a seed in the playoffs, and unfortunately, in the world of business - if you're not in the playoffs you disappear into obscurity.
    • Pros: Infusion of (hopefully) large revenue and new customer base into existing company from acquisition of mature technology
    • Pros: Infusion of product into existing suite; integration is key here if properly executed
    • Cons: New product brought into existing suite, if improperly executed it becomes a nightmare
    • Cons: I'll say it again, you're trying to get into a market that is already mature by buying one of the players - not necessarily a power move.
  • Acquisition of competitor: This type of acquisition is always interesting to watch. You have one company buying another one out to (most likely) "rub out the competition", to use some mobster slang. It's interesting to see how acquisitions affect the customer base of both the acquiring and acquired company. Think of buying some company the way Microsoft does (GIANT, Teleo, etc.).
    • Pros: Competition is gone - typically this frees the acquiring company from having to 'compete' with this competitor and brings in a significant number of users, or a percentage of the market-space.
    • Pros: Market consolidation is generally good for the market-space - makes the market potentially stronger and more mature
    • Cons: Market consolidation eliminates competition, price wars, and sometimes limits innovation (see Anti-Virus space)
    • Cons: Just because your vendor was acquired by its competition does not mean your product will get better... often this is a negative experience for the end-users as one product line inevitably disappears
I'm sure there are many more possibilities - but these are the 3 main ones I've noticed over the past several months, to years. Of course, we have to ask ourselves as consumers of IT Security technology... "What does this mean for me?" Let me give you my opinions here.
  • Market consolidation is going to make more companies more bloated (see Microsoft, IBM, Symantec) and much less useful. What I mean is this - Symantec acquires Sygate (excellent technology, by the way) and is currently absolutely failing to integrate the product(s). I've seen previews of the "integration" which is bad to say the least at this point, and have heard their sales people pitch to me that SAV 11 will have full integration - but no one can tell me what it'll look like, or exactly what that'll mean, or even what features will be kept, or other specification details. It's a failed integration in my opinion, and now Symantec is yet another company with a product line that forks and doesn't integrate very well. Supporting multiple "companies" inside their own shell is like having differing strands of DNA inside a living organism - they'll fight each other for resources and dollars until the host shell is destroyed or falls apart.
  • Market consolidation is also bad because it produces companies which try to do "All-In-One" products - which are historically "decent" at everything, but don't do any one piece well. Again, I don't mean to pick on the same vendors but ISS has had this problem as well - their Proventia appliances have tried to do too many things at once (firewall, anti-SPAM, IPS, etc) and I would argue they don't do any of those things as "best of breed".
  • On the flipside of that coin - consolidation in market-space does sometimes produce gems! When complementary technologies are integrated well, the users and implementors benefit! I hate to say it - but Microsoft has done a pretty good job of integrating GIANT into their product line, and into OneCare (which isn't very good if you read my previous blog on anti-malware vendor rankings).
  • Acquisition of a security company by a non-security company is bad - period. Cisco buying tons of security companies doesn't make them any more of a security vendor. PIX is still an ACL router, it's barely a firewall. Their IDS is still pretty bad, but... it's integrated into the backplane of the switching core so that makes it all that more valuable. When Cisco bought Okena (the behavior-based host agent for workstations, desktops) and called it Cisco Security Agent the product quality (talking to some of their current/past customers) went downhill. IBM buying ISS and now WatchFire, and HP buying SPIDynamics ... again, a non-security company buying security interests. I am going to have to keep my eye on this as I work for a company that is a customer of many of the products/vendors listed above.
What will this mean? How will the industry take these latest acquisitions? What happens with the products, services, and support of the products which were acquired and not (attemptively) integrated? Only time will tell.

I welcome your feedback.
