Times are tough, but the outlook for the security sector is not completely bleak, as managed services begin to boost revenue.
The third annual SC survey of the information security industry arrives at a time of unprecedented turmoil in the global economy. Despite the gloom, there remains an underlying positivity in the security sector. What the recession will do, analysts say, is put an end to growth in areas, such as anti-virus, which have become commoditised, while other doors will open.
According to Eric Domage, manager, western European security research and consulting at IDC, the European security market will see growth – but at a reduced rate – and activity will not start to pick up until well into 2010.
Other security sectors post-crash are likely to be changed forever, with most growth in managed security service providers (MSSPs). Security software is in decline and the shift to services will accelerate between 2010-2013, says IDC.
Despite that, the pressures on both customers and suppliers are likely to intensify during 2009 and on into 2010. Security chiefs are going to have to look hard at cost control and justify their spending requirements.
Domage says CSOs could put the squeeze on vendors: “CSOs should talk to software vendors and ask for rebates – anti-virus is now a commodity, so it should be highly rebated,” he says.
“This is a huge opportunity for anyone jumping into security services. Symantec is already there with its acquisition of MessageLabs, McAfee will follow, as will CA. Even Kaspersky is positioned for that,” says Domage.
So what of the Top 30 chart itself? It should be made clear that the publicly quoted financials for the companies on the list were researched end Q4 2008 and based on revenue only. Had the chart been based on market capitalisation, the placings might have been affected.
There have been climbers and fallers, but the chart remains an exclusive club. Only Kaspersky Lab (which revealed public financials for the first time) and Alcatel-Lucent, which is making a big move into data security, have managed to join the top table.
Revenue figures are mostly up, although BT's results are distorted by the weak pound against the dollar and Trend Micro's by the yen's fluctuations. The acquisition of MessageLabs by Symantec leaves Abingdon-based Sophos as the strongest UK pure play.
The doubling of revenue at Blue Coat was probably the result of its acquisition of rival Packeteer, but Blue Coat will no doubt be hoping for continued demand for its web-optimised security appliances.
Revenues have increased marginally, with Novell and VeriSign showing a small dip. HP still tops the chart, but it has as yet to make a significant splash into security as a service – unlike IBM, whose 2006 acquisition of Internet Security Systems (ISS) looks a smart move.
Of the three rankings that SC has published, this is the least dynamic. The days of feverish M&A activity are over, as businesses seek to conserve cash – and venture capital and private equity firms hunker down for the recession.
Analyst Maria Lewis Kussmaul, co-founder of Boston bank America's Growth, says that M&A activity will continue. “There are some huge bargains out there,” she says. If you have the cash, it is a buyer's market for those looking for promising technology as tuck-ins to their mainstream security proposition.
The information security sector in Silicon Valley too has to come to terms with changing times. Investment there is being channelled towards the bio-tech and renewable energy sectors, driven by US government carbon targets.
Analysts are predicting a “flight to safety”, as CIOs return to the big brands. Good news for those at the top of our chart – less so for those at the bottom.
Innovation was already slowing in the sector before the recession, due to commoditisation creep and maturisation. “The number of new ideas in the security space is definitely less than two years ago. It would require a major technological shift to change this – and virtualisation isn't that shift,” says Walter Pritchard, a managing director at San Francisco investment bank Cowen and Company.
He sees some positives. “Security is holding up better than other areas, but even in a good market people don't buy a lot of security – and in a recession they tend to buy the same. In 2001/2, there was a new virus to fight every day. That has changed,” he says.
He predicts another dull year ahead in terms of M&A. “I don't see any big bets this year. It's questionable whether McAfee would have bought Secure Computing if it had known how ugly the market was going to become,” he says.
Symantec will probably experience another under-performing year, but Pritchard believes it can manage. “Symantec is under no pressure to sell, but if the right offer came along, it would have to consider. Ultimately, it is vulnerable, but not in 2009,” he says.
Symantec CEO John Thompson retires this April. His successor Enrique T Salem has his work cut out to revive the security bellwether. One of Thompson's last acts as CEO was to acquire UK-based MSSP, MessageLabs. It will be interesting to see how Symantec swallows this, but it does give it an entrée into the MSSP sector.
Regulatory compliance is likely to be on the increase, especially in the financial sector – good news for the secure storage and encryption suppliers.
Kussmaul calls compliance the latest “threat vector”. She sees opportunities in log management (as one of the fastest growing areas of MSSPs) and a revival in fortunes for ID management.
“Log management, event management and network management are becoming baselines for application performance. All of the big (IT) management companies (CA, HP, EMC) are getting into security management, behaviour management and configuration and change management.
“In areas such as ID management, behaviour-based anti-malware and data loss prevention, you will see double-digit growth – up to 25 per cent growth. Even in 2008, companies we handle in ID management had exceptional Q4s and some companies have the strongest Q1 pipelines as well,” she says.
Kussmaul agrees that other areas such as firewalls, UTMs, web filtering and email security are likely to suffer from commoditisation. “Overall, it's a mixed but fairly optimistic 12 months for the sector,” she says.
That's about as good as it gets for the industry for the coming year. With so much uncertainty, IT and IT security specifically are unlikely to be untouched. Innovation is more likely to come from within corporate security departments as they juggle reduced budgets and staffing against increased threats and demands on ROI. Tough times, then, all round.