With the recent announcement that EMC will be buying RSA Security, it is clear that the consolidation wave is rolling through the identity authentication and management space. This wave probably began in December of 2005 when RSA bought Cyota, but while that deal could be viewed as a one-off acquisition of a private company by a much larger public company, this $2 billion acquisition signals the start of real changes to come.
This is, of course, inevitable, as the explosion of identity theft and the data breaches highlighted daily by the media are driving the demand for protection by both consumers and businesses.
So what does that mean for these consumers and business that rely on security vendors, both large and small, to provide technology that keeps them one step ahead of savvy, organized, identity thieves?
It could be a really good thing. Combining best-of-breed technology with broad distribution networks should lead to greater adoption of identity authentication solutions, something every business and consumer desperately needs.
Often in emerging fields like identity authentication, smaller private companies lead the development charge as they have the ability to take the risk of following an unproven strategy, a risk public companies can not afford to take. While most of these small players will not survive, those that do typically emerge with industry leading technology and are therefore ripe for an acquisition by a larger company looking for a proven, less risky, solution. Large public companies have profit margins and quarterly earnings to be concerned about, often hindering development in completely unknown or emerging markets. Over the last few years, numerous small companies have sprung up with the sole intent of providing a solution to remedy the identity theft crisis. These small, venture-backed companies are able to reap the benefits of their focused, private environments that allow them to take risks in their approach and methodology.
In just the past few years, we have seen the emergence of technologies to address the growing identity theft problem with tremendous success. Technologies such as knowledge-based authentication (confirming an identity based on a consumer's ability to answer questions – typically where the consumer did not provide the answer in advance) and risk scoring (likelihood of an individual not being who they claim to be based on complex algorithms and patterns) have emerged from smaller companies to become "best of breed" even with many larger multi-dimensional public companies having competing offerings. The smaller players are able to take the technology in a direction and to a depth not previously explored.
As the consolidation wave gains momentum, expect many privately-held companies to find themselves partnering or being bought by their larger public peers. The larger company typically brings an enormous amount of resources in marketing, distribution and development, resources they are eager to apply once the technology has been proven.
Why don't the larger companies just develop the technology on their own? A complex question, but in most cases they simply can not afford to take the risk to venture into uncharted waters, and are willing to pay more for a proven technology than it would have cost them to develop on their own. Remember, most of these unproven technologies developed by small companies will fail, so removing that risk is worth a few extra million in an acquisition of a known rather than an unknown.
There are many small-to-mid-size best-of-breed technology companies addressing different components of the authentication market. If the large public software providers are able to pick out the right best-of-breed companies and combine them with their own solutions, without loosing sight of the key aspects that made them successful as a stand alone provider, everyone will benefit – except for the identity thief.