The vendor collectors
Security giants continue to plug gaps in their offerings by acquiring smaller players. But is innovation being stifled? Hannah Prevett investigates.
What a difference a year makes – or ten. For it was nearly a decade ago when the then Gartner chief executive Michael Fleisher predicted a mass consolidation of IT companies. How right he was: from Alcatel and Lucent to Sun Microsystems and Oracle, so-called mega mergers have taken the industry by storm.
Subsequently, change has also come to certain segments of the hi-tech industries, and IT security is just one area where the landscape has shifted irrevocably. “Everything has changed so much since I came into financial services 12 years ago,” says the head of security at one banking behemoth who has asked not to be named. “I began to realise five or six years ago, when our investment banking arm organised its own security conference to take a closer look at the security companies themselves, that it's not just about how good the technology is, but also how good the company is and, vitally, its chances of survival.”
He makes a good point, because a merger doesn't necessarily mean that the acquired company is going to thrive under new ownership. “It depends on the reasons for the sale,” says the head of security. “Sometimes an acquisition is just a strategic move to take out the competition.”
Regardless of the motives for the sale, any M&A activity can have a huge impact on the customer. The head of security says he had a bad experience a few years ago when one of the Magic Quadrant security companies bought a smaller vendor with which the bank had been working. Prior to the sale, the bank had been in touch with a UK support team, but the new owner decided to shift support offshore to join the rest of its core customer service facilities. The bank was none too impressed by the resulting effect on service. “We lost all the skilled knowledge in the product – not to mention about 12 hours in timezones,” says our source.
However, even he acknowledges that being part of a larger vendor usually yields benefits when it comes to service level agreements (SLAs). Naturally, Angela Tucci, senior vice president and chief strategy officer at Symantec, agrees. “Often the smaller, more niche players can't handle the multinational players because they don't have the footprint,” she explains. “Our responsiveness is something customers look for.”
A better service?
Mark Tauschek, lead research analyst at US researcher Info-Tech Research Group, agrees that a larger vendor is generally better at providing support – particularly at a global level. “While you may have a good relationship with your small SIEM vendor, when it comes to getting a high level of support when you really need it, a vendor with a larger, more structured support organisation is better equipped to meet SLAs.”
For David Lacey, former CSO at Royal Mail and Shell and co-founder of Jericho Forum, good support is vital – regardless of the supplier's size. “If I was buying a security product, such as encryption, extremely good aftersales service and support is vital, because if I have a problem – losing the encryption keys, or something goes wrong – I will need immediate help,” he says. “This is never more important than when you're doing something in real-time, such as e-commerce.”
This isn't to say that working with a newly merged security vendor will be a wholly positive experience. Something frequently cited as a post-merger problem is maintaining the momentum of innovation and product development when nimble, entrepreneurial outfits become small cogs in much larger wheels.
Lacey says the capitalist culture of these large vendors is partly to blame. “In many cases, what you have is a company run by people with a very commercial mindset trying to extract the maximum amount of revenue from a cash cow.” This isn't helped by the fact that the original team that built the product often won't stick around at the new parent company following the fulfilment of any contractual obligations such as earn-outs. “Often the products aren't really developed after they are bought, and so the people who developed it initially tend to get disillusioned and move on. In those cases a lot of passion goes out of the product development,” says Lacey.
Peter Jaco, a serial entrepreneur and investor in the IT security space (his current start-up is cloud encryption company OrbisIP), agrees there has been a shift in attitude among founders of niche IT security technology companies. They are now deliberately setting up companies with a view to flogging them to the highest bidder a couple of years down the line, he claims. “It's a model that any smart entrepreneur will be aware of – to get their technology acquired. No longer are they looking to spend decades building it and then floating; they're looking to sell – probably to a US company – in two or three years.”
However, Tauschek says this is one area where market consolidation may produce a negative side-effect, because although a bigger vendor will have more budget for R&D, start-ups “innovate in unique ways”. He adds: “The larger vendor will purchase some of that innovative culture when it buys a smaller or start-up vendor, but innovation is often kind of squashed within a larger vendor environment.”
Even Rainer Gawlick, Sophos's chief marketing officer, agrees this is a “huge issue”, adding: “The bigger the company, the harder it is to maintain innovation.”
Symantec's Tucci also recognises this as a challenge, and is only too aware of how vital it is that large vendors work with the companies they purchase to ensure their products don't stagnate or, worse still, disappear altogether. “After [the merger] we need to continue on the innovation front,” she concedes. She cites Symantec's acquisition of VeriSign last summer as an example of a parent company nurturing the innovative culture of its new charge. Indeed, VeriSign's customers seem happy enough – second-quarter revenues are up 13 per cent year on year.
It should be remembered, though, that VeriSign was a huge incumbent in its own right (turnover last year was $681m), so it's never going to be as easy to dispose of a VeriSign as it is an eight-man outfit with one niche product dreamt up in Silicon Valley.
One must not be too hasty in dismissing acquisitions as wholly bad news for the customer – or the technology that's been acquired. Info-Tech Research Group's senior research analyst, James McCloskey, cites RSA (which itself was acquired by EMC in 2006), which bought risk and compliance start-up Archer last year. Its products are now being tightly integrated with RSA's enVision SIEM platform. Simultaneously, many members of the original team from Archer have gone on to create LockPath, a compliance and risk management group. This is just one example of a group of innovative individuals going on to spawn more ideas after looking for an early exit. Tauschek says this is “the reason that innovative new companies keep springing up, and it's almost a natural lifecycle for the innovator to be acquired by a larger player at some point”.
Room for ideas
Gawlick cites Sophos's purchase of German data encryption software company Utimaco in 2008 as an example of innovation being continued. “We did a lot with them to make it more stable, to distribute it in more languages, offer better support,” he recalls. “But, also, we want to make sure that the team continues to innovate. We do need to give them a certain amount of time to test new things. Around 80 per cent of the stuff they play with ends up not being commercially viable, but every now and then you get those nuggets.”
There does seem to be room for innovation on all sides, if research from Gartner is to be believed. According to its findings, the top five security software vendors accounted for less than half of the market in 2010 – down from 60 per cent four years previously. Gartner says Symantec, McAfee, Trend Micro, IBM and EMC comprised this quintet last year, snaring $7.8bn in revenue between them. That may sound a lot, but it represents only 44 per cent of the total market, which means the rest is occupied by start-ups and smaller outfits at the forefront of innovation.
Yet this proliferation of products – not to mention threats – has meant that the jobs of CSOs and the like have become increasingly complex. Our anonymous security boss acknowledges that he simply doesn't have time to keep abreast of all new developments in the security space. Lacey, however, isn't very forgiving. “There is a complete lack of imagination in the information security user community and that's where the big problems arise,” he says. “If you try to explain a new idea to a bunch of CSOs, they just don't pay attention, they're not interested. There's no enthusiasm for innovation and imagination.”
For Gawlick, it's a generational thing. While he admits that people generally “under-appreciate IT security”, he says “people just don't understand it well”, adding: “Those making decisions today grew up when you just had to put some anti-virus software on.”
There is too much emphasis on compliance, too. “People don't know what to do to be secure in their business,” says Gawlick. “They ask ‘what's the minimum I have to do to not get into trouble with the authorities?’”
The chasm between compliance and security is a topic on which Lacey has been waxing lyrical for some time. “Ninety-nine per cent of companies practise compliance, not security,” he says. “The difference is that compliance is trying to meet a whole bunch of control objectives as cheaply as possible, based on out-of-date standards. It's this tick-box mentality that's driving security.”
Based on this view, it's no surprise that Lacey's predictions for the future of IT security are fairly apocalyptic. “I think that virtually everything is broken in information security. The whole approach is not working: the standards are not appropriate and the skills we have are wrong,” he says.
For anything to change, it needs to get even bleaker, he says. “It may take some kind of global electronic Pearl Harbor to make people wake up.”
Tauschek agrees that the future isn't too bright, despite the talent and innovation going on at security vendors of all shapes and sizes. “Security professionals jump up and down and yell and scream to try to get attention, but their pleas often fall on deaf ears,” he claims. “Security is getting more complex because the bad guys are getting more complex – they're getting much better at introducing difficult-to-detect-and-thwart vulnerabilities and they're using more advanced technologies. The cyber bad guys aren't just the punk hacker sitting in his parents' basement any more – they are organised and very well funded. I think we've already started to see what can happen with guys like Anonymous out there breaking Sony's PlayStation network and threatening Facebook.”
It's only natural to wonder what's next: will hackers take out the National Grid, or another piece of critical national infrastructure, as Lacey predicts?
Naturally, the vendors themselves aren't as downbeat – on either side of the fence, as acquirer or the acquired. Gawlick admits that “people are slow to understand the gravity of the situation”, but adds that “while it will never be perfect – just like you can never keep robbers out of houses – good technology is out there.”
Entrepreneur Jaco reveals that he is “cautiously optimistic”, adding: “We've got to be positive, continue to innovate and think outside the box.”
It is perhaps the anonymous head of security at the bank who best sums up the situation: “Security is going to get bad – but as bad as it can be to just be good enough.”