Feeding frenzy: M&A activity in IT security

With an improving economy, security companies are being scooped up by larger firms at a brisk pace, reports Deb Radcliff.

Even with predictions that 2010 would see an uptick in security acquisitions, the pace at which they occurred – along with the direction many are taking – signals what a number of analysts believe to be a banner buying period that will result in the further integration of security and operations.

“Security is consolidating and it is operationalizing,” says Marc van Zadelhoff, director of strategy for IBM Security Solutions. “That the two are happening at the same time is no coincidence. Consolidation is occurring because customers can no longer afford the 35 to 50 different point security-related products they're using. Security is operationalizing because customers also want security built in.”

Since IBM's acquisition in 2006 of Internet Security Systems, Big Blue has acquired 10 additional security software and services companies as part of its strategy to enable this consolidation within its product sets.

IBM, with $9.1 billion in software profits in 2010, has most recently invested in built-in security at the application layer with its 2009 purchases of Ounce Labs for enterprise source code analysis (price undisclosed) and of database security company Guardium for what is rumored to be $225 million. Then last July, IBM acquired BigFix, maker of endpoint vulnerability assessment and compliance solutions, for an undisclosed price rumored to be $400 million.

IBM is not the only large infrastructure vendor to invest heavily in security acquisitions over the past two years. So too have HP, Intel and even non-IT companies such as Assa Abloy, the $5 billion lock company based in Stockholm.

Mirroring IBM's acquisitions earlier this year, HP in September completed an estimated $150 million purchase of Fortify, provider of static analysis for application assurance. Then, in October, it completed a $1.5 billion acquisition of ArcSight, a leading log management vendor.

Economically speaking, there are two fundamental drivers behind today's fast-paced acquisition activity, says Bob West, founding CEO of research firm Echelon One, based in Cincinnati.

“First, the economy is improving,” West says, adding that at the same time, buying organizations are sitting on cash and ready to acquire complementary technologies. “Second, demand for security automation has been growing as threats and vulnerabilities are rising.”

Inversely, there are also a lot of fledgling firms ripe for acquisition because start-ups have innovated in the areas of mobility, cloud, unified access, streamlined security/systems and application management with analytics, says Skip Glass, partner at Foundation Capital, based in Menlo Park, Calif.

“Small companies are getting funded and coming out with market-accepted products,” says Glass. “But even medium and large fish are getting acquired.”

Analysts say acquisitions, such as McAfee's purchase of Intel, bring better options for security on small devices needing tiny processors that do a lot of work. Another sign security will meld deeper into endpoint devices is the announcement by Dell in January of its acquisition of security services firm SecureWorks.

There have also been numerous rumors of HP, or even Microsoft, acquiring stalwart Symantec, while Symantec has been busy with sizeable security acquisitions of its own in recent years. In April, Big Yellow acquired PGP (encryption) for $70 million and GuardianEdge (for smartphones) for $70 million. Then, in May, it acquired VeriSign's identity and authentication business for $1.3 billion (the buy also included a majority stake in VeriSign Japan).

Many of these acquisitions will lead organizations to consolidation in their security operations. “There has always been innovation and acquisition in the security space,” says Vimal Solanki, VP of corporate strategy for McAfee. “These acquisitions happen because security products work best when they are tightly integrated with other products.”

Initially, this integration will develop through the use of suites that can take security management as close to a “single security chokepoint” as possible, adds IBM's van Zadelhoff.

Acquisitions also show that security is no longer seen as an add-on but is becoming part of the core of the products and services larger IT vendors are offering, says Rhonda MacLean, founder of MacLean Risk Partners.

“HP, IBM, EMC and CA do very large deals with enterprises,” says MacLean. “Enterprise customers are asking the large technology companies to ensure products are secure, either through building it in or ensuring they have solutions that can be easily integrated to meet their security needs.”

In addition to better-integrated security management, many of today's acquisitions bode well for the successful melding of security and other IT operations, says Rick Caccia, VP of product marketing at ArcSight, an HP company.

“Until lately, security has been seen as an after-the-fact technology bolted on in a layer-by-layer basis, none of which connects to IT operations,” he says. “But with recent acquisitions, it really feels like the silos between security and other IT operations are melting.”

In addition to the Intel acquisition, another example of operations and security integration is the acquisition of ActivIdentity in December for $162 million by HID Global. HID Global's parent company is Assa Abloy, a Swedish lock manufacturer with more than $5 billion in revenues.

HID Global describes its vision for a convergence of technologies to protect against the ever-improving physical threats to infrastructures. With the ActivIdentity acquisition, HID Global will integrate with its cards and readers used for both door and computer access, says Anthony Ball, SVP of identity and access management at HID Global.

“Nowadays, individuals are remotely logging in from a variety of devices and from different offices in buildings around the globe,” he says. Because remote workers are not all tapping into the company's protected servers, this makes complying with the government's personal identification verification (PIV) difficult. “This situation is also creating the perfect storm for consolidation.”

Point solutions
Consolidation is not only happening on the part of large infrastructure vendors. Some so-called point solutions providers are growing suites of their own. For example, the last independent IDS/IPS vendor, Sourcefire, is acquiring companies to grow its own portfolio.

Most recently, in January, Sourcefire announced the $21 million acquisition of Immunet for a cloud-based, anti-malware capability – its first pick-up since its 2007 purchase of ClamAV – to complement its holistic approach to network, data and endpoint security. Since the ClamAV acquisition, Sourcefire has focused on its own innovations, optimizing its IDS/IPS and expanding its real-time network awareness (RNA) technology, says Tom McDonough, Sourcefire's president and COO.

“I've been to some of the biggest banks in the world and they may have 1,200 firewalls and 40 IDS/IPS systems sending reports and alerts all the time,” McDonough says. “Ultimately, by driving down management overhead and centralizing functions of all these different technologies, you bring down the total cost of ownership and drive up efficiencies for return on investment.”

Missing from this acquisition story is Microsoft, which made no security acquisitions until October, when it announced the purchase of AVICode, a start-up for .NET application monitoring. With Windows 7 released late in 2009, much of Microsoft's security innovation has taken place organically. Plus, the software giant is innovating in new areas: i.e., its software development kit for secure mobile application development released in late 2010.

Van Zadelhoff of IBM says it is important to note that large vendors also did their share of innovation during the down economy. For example, IBM, with nine of its labs developing new security tools, produced half a dozen new security products last year, he says.

This convergence does not mean the end of point security products, say analysts. As new threats and platforms arise, so too will there be innovative start-ups developing tools that will likely become part of a larger security toolset.

New threats and software tools are partly what drove the 2010 market for security software, which grew 11.3 percent from 2009, to $16.5 billion, according to Gartner research.

“There will always be new challenges that task IT managers to look outside their comfort zone of vendor managers to more leading-edge point solutions,” says Geoffrey Oblak, general partner with Ascent Venture Partners. “Acquisitions will continue in this market and, presumably, that is good for all constituents.”

Deb Radcliff

Deb Radcliff was the first investigative reporter to make cyber crime a beat, starting in 1996 after researching a best-selling book about Kevin Mitnick called The Fugitive Game. Since then, she has written hundreds of articles for business and trade magazines, won two Neal awards for investigative reporting, and was runner-up for a third. She stood up an analyst program for SANS Institute and ran it for 15 years before joining the Cyber Risk Alliance as strategic analyst on the business intelligence unit. And she wrote her first book in a cyber thriller series, “Breaking Backbones: Information is Power,” which is selling well on Amazon and other outlets.
