You are certainly the most distinguished group of highway scofflaws and degenerates ever gathered together in one place
-Cannonball Run (1981)
“This really is a merger of equals,” Gerstner said, during the conference call. “I wouldn’t have come back to work for anything less than this fantastic opportunity. This lets me combine my two great loves – technology and biscuits.”
-April Fool special in the Register
The Horn of plenty
I remember living in San Jose, CA in 2000, and it was a very different real estate market then from what it is today. We are now exiting the summer doldrums in the US, where housing appears to have reached a nadir; but in the heady days of 2000, the story was very different. Sellers would actually announce a single day on which they would accept bids, and potential buyers would put all their bids in on that day. Buyers would send in cookies and cake, would submit videos of their children and dogs and parakeets playing and frolicking, and would talk about how the house would be used by a loving family and would really mean something as part of a legacy…and the bids would race to 20% or 40% over asking price.
Those were the days for sellers!
The San Jose Mercury News had an ad in it (I forget the details) that actually said, basically, “I always dreamed of having a million dollar home, I just didn’t know it would be a 2 bedroom bungalow with no yard.”
That’s the transition we have now, in reverse, in the security industry: it’s a seller’s paradise. But it can also drive some really unusual behaviors, and the face of security may be dramatically altered or brought into question.
In his 2007 keynote at RSA Conference, Art Coviello talked about how the Security Industry as we’ve known it was going away (if memory serves, he said in 3 to 5 years). He later adjusted this and talked about a “bar belling” of the industry, meaning that there are a few large players and some startups but a large gap in midcap players that would emerge. Now this was said in the wake of the EMC acquisition of RSA, but then we ran smack into the financial crisis and industry M&A activity went into the deep freeze.
Q2 2010 saw this all get shaken up in a massive way with some large, startling acquisitions and activity around Symantec and Verisign, PGP and Guardian Edge (see Wall of Yellow) and most recently with Intel and McAfee, which ironically was highlighted as being reminiscent of EMC / RSA (and how EMC / RSA are an example of how to do this sort of thing right); and I think Art’s prediction is proving prophetic. All the large platform players are buying up the mid-size security companies faster than smaller companies are rising to fill those middle ranks.
And now the most recent pending acquisition of ArcSight for a whopping $1.5B — is it me or are security companies going for a massive premium?
Q1 Labs had an interesting take on this today, saying that they were “thrilled” because it brings “SIEM to the forefront of the security software market.” I think it’s more likely that it heralds a time when a company that has a single product line might make part of a larger portfolio play; in other words, it’s a seller’s market.
I am going to take a more conservative approach here and say that there is a future security hell and a future security heaven. How it all plays out has yet to be seen, but it could go one way where companies are acquired as more than chips in a portfolio of assets, they become integrated with platforms, they bring value and trust to new computing paradigms and thrive in their own right (i.e. we make 2 plus 2 greater than 4). Jonathan Penn in his blog cited EMC / RSA as an example of this:
“So what is a good model out there? I pick EMC/RSA as a better model to emulate. EMC has been embedding some of RSA security technology into its products, it continues to support the RSA product lines in and of themselves, and it also develops new solutions that span lines of business (virtualization security and data classification come to mind here). Moreover, EMC has built RSA into a broader and more successful security business by acquiring Network Intelligence (SIM), Tablus (DLP), and Archer (GRC). RSA is now the brand of EMC’s security division, not just its authentication and encryption product lines. It is a stronger player in the market than it would have been if EMC did not acquire it and it had been left on its own.”
I welcome a world where security is built-in, standards can evolve and start to build on a strong foundation instead of just hashing and re-hashing old ground and security itself becomes both more business relevant and more accessible to more people.
Then again, I worry that many large companies are where good technology goes to die, for the most part; and I hope that we can wind up with a much better security ecosystem when the latest rash of security acquisitions dies down.
If that’s not the case, I hope that a healthy round of new companies will rise to fill the middle ranks of our “bar-belling” industry and bring some fresh approaches and ideas to solving customer problems, because these large companies are going to have to figure out how to stay abreast of disruptive trends like Virtualization and User Driven IT, and compete with the very real demand from the industry for aggressive, innovative, agile approaches to security, to governance, to compliance and to risk management.
If we are to avoid “security hell,” we really need to watch how the assets evolve in their new homes, how the new companies integrate with one another (and play together between massive corporate continents and not just corporate islands), how they build real systems and how they integrate and build standards for interoperability among systems.
And so I look forward to the next generation of startups coming into the mid-size range of the security industry, I wish HP and the other suitors all the best; and I wish the smaller players the best of luck as they seek to take advantage of a seller’s market.
Let’s remember (while we watch the metaphorical videos of dogs and parakeets and children eating cookies and cake during the bidding) the end users who need systems that are predictable and repeatable and interoperable and function in a SOC but also work in a GRC program and over time make the focus on the task of risk management and security easier because the focus on the tools has been dramatically reduced…because the risks continue to mount, and we can’t be asking customers to wait while it all shakes out.