Among these larger players, experts see two different strategies in action. Simon Rawling, global head of project management consultancy PIPC, says consolidation in the IT security space was inevitable given the decreasing product margins and maturing technology. He says that companies like Symantec are looking for streams of revenue outside of its traditional business, while Microsoft looks to bring in technology to secure its operating systems.
"Symantec's acquisition of Veritas is interesting because it suggests the company is going to start pushing outside of its traditional consumer base and into the enterprise market. This is not about market share but about forging new revenue streams," says Rawling.
He adds that this will complicate integration of the two companies since Symantec will try to cut costs without affecting customers. But he sees Microsoft's purchases in a different light. He says the company's position is different in that it is looking to integrate antivirus technology acquired through Sybari into its existing operating software.
"Is this an attempt to shore up well-reported security glitches in Windows? This might be possible, but the [side] effect of Microsoft entering the security market could force more consolidation as businesses attempt to vie for a smaller market slice. With built-in security, fewer Windows users, at the consumer level at least, will look for additional security software."
Additional companies have seen problems as partners have been snapped up by rivals.
"Other large players have lost position as partners have been acquired, meaning that they lose areas of capability — as just happened with Novell when ActivCard bought Protocom," says Fran Howarth, practice leader at analysts Bloor Research.
But will all this activity make it better for customers, as Symantec's ceo John Thompson claims? Some believe this is only the start and Symantec, Cisco and Microsoft may have set off a trend that will see many small companies absorbed into the security giants. "We'll see more consolidation as mainstream companies will look into getting into the security market, as Microsoft has done," says John Cheney, ceo, BlackSpider Technologies. But, he warns, buying companies is the easy part. "Taking a range of disparate solutions and creating a coherent product set is much harder. The risk is that you lose focus and customers get less effective solutions."
Rawling agrees. Buying businesses to gain market share has merit, he says, but only if implemented with a plan to integrate the businesses before cutting costs.
The top ten players that have gone on a shopping spree this year:
Symantec kicked off the year with its takeover of storage management company Veritas. The deal cost the company $13.5 billion and underlined Symantec's strategy of building a comprehensive range of security products, including storage. Symantec's Thompson said earlier this year that he wanted to see greater consolidation in the security market.
"We need to reduce the complexity of the infrastructure and that means having fewer vendors of greater scale," says Thompson. "The industry can't support hundreds of software companies, the advantages go to players of scale."
By the end of the year, Symantec's acquisitions had pushed it to become the world's fourth largest software company — not bad for an organization that confines itself to security. In August it bought endpoint security company Sygate for an undisclosed sum. In September it acquired anti-phishing and anti-spyware company WholeSecurity, again for an undisclosed sum. Then in October came the news it had paid $209 millon for security compliance software company Bindview.
And the momentum is set to continue. According to Enrique Salem, former ceo of Symantec acquisition Brightmail, and now svp of security products, the company is now poised to make six to eight such acquisitions a year, with a major deal along the lines of Veritas every 18 months.
Cisco, which has been buying companies for many years, also visited the security supermarket. In June it bought San Diego-based NetSift for $30 million in cash and options, saying it wanted NetSift's expertise in detecting high-speed viruses and denial-of-service attacks. In also bought VPN company M.I. Secure in June for £13 million.
By far the most interesting player has been Microsoft. Long pilloried for the poor security of its products, the company seems not only to have turned a corner with its efforts to secure Windows and Internet Explorer, but has been busy buying security companies.
Back in February, it made its biggest buy this year when it acquired email security company Sybari. Then in July, it followed up with the purchase of managed secure messaging service company Frontbridge Technologies.
Check Point Software Technologies bought Sourcefire, the company behind the open source IDS Snort, for $225 million. Check Point plans to integrate Sourcefire's Snort intrusion prevention and its RNA Real-time Network Awareness products into the CheckPoint NGX security suite.
CA has also made a couple of forays into the security market. In late June, it bought Tiny Software, a developer of firewalls and other endpoint security for Windows desktops and servers. Executives of the company said the deal expands its threat management portfolio, which includes antivirus, anti-spyware and anti-spam products. A month after that it bought Qurb, an anti-spam software company.
Data storage supplier Network Appliance bought storage security firm Decru for $272 million in cash and stock in order to expand the company's range of data protection products, including systems for disk backup and recovery and data replication software.
In August, Secure Computing reached an agreement to buy rival CyberGuard for nearly $300 million. Secure Computing ceo John McNulty said the deal would make the combined company "the leader in the unified threat management market." Last year, CyberGuard was snubbed in its bid to buy Secure Computing for $297 million.
Email security company MessageLabs made a bid in November for New York-based enterprise intant messaging company Omnipod for an undisclosed sum. It aims to expand the company into a secure instant messaging services company.
In May, AEP Networks acquired V-ONE, a maker of SSL VPN products, with the aim of broadening its reach into the public sector market.
In April, Digital Stakeout, an Atlanta-based managed security services ccompany, acquired ScannerX, a provider of vulnerability scanning and assessment services for an undisclosed sum.