With mergers and acquisitions taking hold, get used to ownership changes

The Santa Clara, Calif.-based company announced a "switch program" that offered free training and installation for IBM ISS customers who agreed to abandon their provider in favor of McAfee's risk management solutions. The November sales pitch focused on the credentials and intentions of IBM, a 118-year-old computing giant which is still a relative newcomer to the IT security space.

"IBM is not really focused on security," says John Vecchi, group product manager for network security at McAfee. "If you're invested in ISS's IPS and IDS appliances, you're in a tough spot. The question then becomes, ‘How secure do you feel that IBM will become a security vendor and maintain that and continue to support a hardware platform?'"

Peter Evans, vice president of marketing at IBM ISS, shrugs off such assertions as comical, especially considering the success of the Tivoli line. "You don't go spending $1.3 billion if you're not serious about security," he says. "They're failing to understand that customers aren't looking for one box to replace another box. They want to see how to streamline all of this."

Three months removed from what investment experts termed the most active mergers and acquisitions (M&A) year since the dot-com bubble burst in 2000, vendors such as McAfee are realizing the hot market likely has customers wondering: What does this all mean to me?

It is a perfectly legitimate question that does not always come with a simple answer. What customers may gain in expertise and convenience — buying multiple solutions from a single, established vendor with a rich partner base — they may lose in how innovative the product is or how influential they remain over future offerings, experts say.

"There are clear advantages and disadvantages [for the customer]," says Amit Yoran, CEO of NetWitness, a network forensics and investigations provider.

To understand how security professionals are impacted when one vendor falls into the hands of another, it is helpful to first consider where the hot IT security industry is heading. The sell-sell-sell mantra has reached new levels as a wave of consolidation strikes the industry.

"I guess big is the new small," says Bill Nagel, an analyst for Forrester Research based in Amsterdam, the Netherlands. "There's only so much consolidation that can happen before you end up with just a few companies around. Every week brings another merger."

And there is no slowdown in sight. In the first half of January alone, Fortify acquired Secure Software, Sophos snared Endforce, and Cisco picked up IronPort. Evans says enterprises on average deploy solutions from more than 30 security vendors.

"It's not surprising because, as an industry, we deliver point products to deal with point [problems]," he says. "But the industry's starting to pull back and saying it can't stand to stack more and more boxes because of the spending issue."

The fact is, industry consolidation has been building for several years, experts say. Technology providers that focus on information security are attractive sources for private equity investment. They are largely profitable, fast growing, and present strategic opportunities for larger players looking to leverage their capital and broad distribution channels.

And the market is flooded with vendors — some experts have said as many as 1,500 security companies are in business worldwide — thereby providing those companies interested in being bought with plenty of options to maximize their return. And this cycle is offering incentive for new start-ups to join the marketplace.

"What I'm seeing from the best-of-breed guys is that a lot of them are deciding to sell," says Doug Brockway, managing director at Innovation Advisors, a Boston-based investment banking firm focused on the technology space. "While they built terrific technologies that have capabilities that surpass some of the bigger players, they don't have the breadth and depth of sales distribution capabilities that some of the bigger guys do."

The keys to acquisition success    
So, for many vendors looking to cash in on their smart inventions, an acquisition makes sense. But the customers do not see any of this windfall, so how should they react?

Jim Melvin, vice president of marketing at RSA, purchased by EMC in June for $2.1 billion, says acquisitions should not negatively impact the customer as long as two key ingredients are in place: alignment of strategy and effective execution. (Melvin, in fact, joined EMC in September after it acquired Network Intelligence.)

"Some companies are better at acquisitions than others," he says. "If it's done right, the customer wins, no doubt."

In the case of EMC, the storage management giant decided to keep RSA as a standalone division, allowing the authentication mainstay to continue to flourish on its own (IBM is taking a similar approach with ISS). Melvin says this decision won Brownie points with customers because while RSA was able to leverage the EMC brand, it kept its own sales force and marketing teams.

EMC's track record: The 31,000-employee, Hopkinton, Mass.-based company has invested $7 billion in the past three years on 22 acquisitions. It now sells to all of the world's Top 10 telecom and pharmaceutical companies and calls 97 of the S&P Global 100 customers.

"In theory, if you get acquired by a really big company, they should have the cash to throw at the product to keep it good," Nagel says. "The only question is, ‘Do they have the commitment to do that?'"

Innovation and influence could suffer    
Then, there is Cupertino, Calif.-based Symantec, a multi-billion dollar security bellwether that has acquired more than 25 companies since 2000 and offers solutions in every aspect of IT security but the identity management sector, says Nagel, who co-authored a May report analyzing Symantec's acquisition strategy.

"Symantec is the poster child for the whole consolidation of the security space," Nagel says.

Tom Kendra, group president of worldwide sales and services at Symantec, says customers prefer running solutions from one vendor to minimize complexity and cost, in addition to gaining access to a broad set of partners. "What they want are world-class technologies that work together, and that is what we offer and what drives much of our acquisition strategy," he says.

While the company's acquisitions have long-term benefit potential to customers, they may suffer in the short-term as innovation takes a backseat to integration, Nagel says. "Suddenly, [Symantec] engineers have to spend a lot of time to get everything to work together. They simply don't have the development time to keep upgrading the products that their customers have become used to."

Kendra says integration is a critical part of any acquisition. The company develops dedicated teams to perform integration, and it works hard to retain the employees of acquired companies. "We do not quit selling the technologies we acquire during the integration phase," he says. "We take tremendous time and care when we integrate acquired companies into Symantec."

Aside from worries over whether the acquiring company will continue to support a particular solution, customers also must consider whether their influence over the product roadmap will diminish. "If you're a million-dollar contract to a smaller company, you can rest assured you've got the time and attention of that company at all times," Yoran says. "If you're a smaller size contract for a much larger provider, you may not have that full direction influence and attention at all times."

Robert Shaw, CEO of Cupertino, Calif.-based ArcSight, says independent providers such as his 6 1/2-year-old security management company provide the most innovative solutions and most customer focus.

He says that the independents — aside from producing best-of-breed solutions — are typically staffed by a small group of people who have been with the company since its inception and feel vested in the technology. Should that vendor be acquired, many employees often decide to leave, even if they are offered a position with the acquiring company.

"They're driven by a small cadre of people who are really motivated and evangelized in their area, and their intent is on creating something great," Nagel says. "But once they get bought and they can't control the destiny of their baby anymore, they move on."

Shaw says that when he hears of a local acquisition, his company soon sees a spike in applications. "If it's anywhere in our area, we see a flood of résumés," he says.

Still, Brockway, whose company advises mostly sellers wanting to be acquired, insists that many worry not just about the payday, but also about intangibles, such as customer and employee satisfaction. "They feel loyalty to the technology and to the customers who have worked so closely with them to make them successful," he says.

In an evolving industry such as IT security, still in its formative years, only time will tell how acquisitions ultimately play out for the customer. But one thing is certain: it is a seller's market out there. So if your provider appears to fill a hole in a larger player's portfolio, chances are an acquisition may not be far away.

"It's a trend that's not going to be going away," Yoran says. "The smaller companies will continue to be more aggressive and more innovative, and the larger companies will be the optimal delivery mechanism once these technologies achieve mainstream adoption."

ACQUISITIONS:
Partners impacted