Analysis: Security Industry Consolidation

Perhaps it’s apt that Symantec chose “Hamlet” as the code name for its Endpoint Protection Version 11. After all, the infamous, indecisive prince of Shakespeares tragic tale suffered from longing ambition and a failure to vanquish his enemies to achieve his ultimate aims. The same might be said not just of Symantec, but of the entire security industry as it tries to sort out its ultimate

composition. Consolidation versus standalone companies. Best-of-breed point products versus holistic suites of security technologies. Security specialists versus one-stop shops for all IT needs.

Symantec is just one example of the Hamlet dilemma. Since its 2004 merger with Veritas, critics have charged that the worlds largest security company has lost its focus as it has broadened its horizons into storage management software. Longtime customers and partners have complained bitterly about the decline in quality in Symantecs security technology and support. Earlier this year, Symantecs resellers were in near revolt over the bloated Symantec AntiVirus Corporate Edition 10, calling it an ineffective, unmanageable “resource hog.” Hamlet is designed to restore confidence in Symantecs security products.

“Were trying to be more cognizant of users and their resources,” says George Myers, a Symantec director of product management on the Hamlet project. “None of these technologies is a silver bullet, which is why you need layered technologies.”

Symantec Endpoint Protection combines the power of multiple security technologies—software firewall, antivirus and malware protection and intrusion prevention—in a package with a significantly smaller footprint that its predecessor. It reportedly will have a 21MB footprint as opposed to the nearly 100MB of space required for Version 10.

Symantec hopes its new release will help squelch its critics. Some customers and—no surprise—competitors blamed Symantec’s security product woes on a lack of focus. Since the 2004 merger with Veritas, Symantec has spent most of its energy on the storage market and lost its way on security, critics charge. While Symantec made key strategic acquisitions to bolster its security offerings—such as the purchase of Sygate for its endpoint security and Altiris for configuration management—it completely abandoned the security hardware market and the rapidly growing unified threat management appliance market. Meanwhile, the onetime world’s largest freestanding security company is now drawing most of its revenue from storage and data management software sales, particularly through the sale of products it inherited from Veritas. According to the 2007 Symantec annual report, gross revenue soared more than $1 billion and profits jumped by nearly $350 million, buoyed primarily on the full inclusion of Veritas revenue.

By comparison, Symantec’s profits were $156 million in 2006, and its net earnings and profitability per share were slightly lower than comparably smaller CA (formerly Computer Associates). Dollars and cents are only one measure of success; the decline in security product quality has led some to question Symantec’s acquisition of Veritas, wondering if it was a mistake to drift away from the companys traditional security core. It’s criticism that Symantec CEO John Thompson shrugs off.

“People certainly have an opinion about what we should or shouldnt do, but we’re focused on helping customers better manage and protect their information,” says Thompson.

With antivirus commoditized and on the verge of becoming valueless with the entry of Microsoft into the market, the major security vendors, Symantec, McAfee, Trend Micro and Check Point Software Technologies, are moving at warp speed to position themselves for the next evolution in risk management: data leakage. At the same time, noncore security vendors, such as Cisco Systems, IBM and EMC, are moving deeper into the security markets through organic development and strategic acquisitions. Never mind the hundreds of small security vendors that are peddling their wares in hopes of building the next big powerhouse (or achieving enough critical mass to warrant acquisition).

“Why should I, as a user, have to pick apart each part of the security problem?” says Lloyd Hession, CSO at BT Radianz, a provider of application services to financial institutions. “The ‘Yellow Box’ approach is more about putting products in the same color box than true integration.”

But has the information security market matured to the point where the consumers, enterprises to end users, are ready for holistic technology suites delivered by one vendor? Or do best-of-breed security infrastructures still trump the one-stop shops? Should vendors have a singular focus on security, or will customers accept a vendor with diverse product lines that include security? Most important, are security vendors bringing valuable technologies that improve security and add simplicity, or are they pushing increased complexity without improving security?

Putting Security in Focus

“We are focused on nothing but security”” is a common refrain in the halls of the large security vendors. Those companies that have achieved the mass to make them among the largest technology companies have faced the same choices as Symantec: diversify or face stagnation in an ever-­competitive marketplace. Companies such as Trend Micro, Check Point and McAfee are resolved to remain focused on security and avoid the distractions of acquiring nonsecurity products.

McAfee knows the pitfalls of a diversified product line. Network Associates—the precursor to today’s McAfee—was formed in 1997 when network monitoring tools vendor Network General merged with up-and-coming antivirus vendor McAfee in a $1.3 billion deal. The new company—the largest security and network management company and the 10th-largest software company in the world at the time—started to spread its wings with complementary network management, traffic monitoring and security products. The idea was creating a one-stop shop for security and network management tools. “I think theyre really poised to be the premier security company,” an Infonetics Research analyst said at the time.

The merger failed because none of the products was properly integrated into a holistic offering and none of the offerings was best in class.

While others have flirted with the concept of a one-stop shop, no one has brought all the complementary security technologies that provide perimeter and client-level security under “one pane of glass.”” Staying focused on nothing but security gives them an advantage, the executives of these firms argue.

“When you get in the elevator and you push the button up to security and the button down to storage, it’s two different selling propositions, and that’s why they [Symantec] are having such a hard time,” said McAfee President, CEO and Director David DeWalt, in an interview less than 90 days after assuming his new post. “There’s no need to diversify. There is so much room for consolidation that we don’t need to move beyond security.”

Echoes of DeWalt’s defiance are heard up and down Silicon Valley. Check Point CEO Gil Schwed has dismissed the idea of the firewall software company taking on networking or nonsecurity products. Trend Micro CEO and Director Eva Chen believes remaining focused on security gives her antivirus company an advantage as it migrates to reputational analysis of malicious websites. And CEO Gene Hodges aims to keep Websense and its emerging array of capabilities targeted as an antivirus alternative.

But domain expertise may not be enough. DeWalt comes from a world of diversified product lines and go-to-market strategies. While Symantec isn’t keeping him awake at night, the continued penetration of broad-line IT vendors has him counting sheep. Cisco Systems is pushing out on multiple fronts from telepresence and unified communications to security. EMC’s acquisition of RSA Security filled a significant gap in its information lifecycle and storage-management story. IBM snapped up Internet Security Services earlier this year to bolster its service offerings. Oracle continues to develop an identity management platform through a series of small acquisitions. And Google surprised many with its acquisitions of GreenBorder (Web browser security) and Postini (e-mail security).

Microsoft has been threatening entry into the security market since it launched its trustworthy computing initiative in 2002. Few traditional security companies believe that the Windows maker poses a threat to their antivirus or perimeter security business. Nevertheless, Microsoft sees opportunity. “We want to be a player in the security market, mostly because our customers want us there,” says Kevin Turner, Microsoft’s chief operating officer.

The challenge for the pure-plays, says Hodges, is maintaining pace and market viability against competitors that are larger with deeper pockets for wheeling and dealing in head-to-head competitions. “The job for us smaller guys is to drive the technology,” he says. “If you are a pure-play, you don’t have much choice other than to just sell yourself.”

The Quest for Simplicity

Cary Westmark, the vice president of IT at Troon Golf, is still repeating himself when meeting with security vendors, large and small. “We’re managing golf courses, not NASA, and we don’t need and can’t afford NASA security.” Managing 185 high-end golf courses in 32 states and 28 countries, Troon Golf is singularly focused on attracting golfers to the greens and keeping them there with luxury accommodations and services. Its IT systems are built around that purpose; security is simply a piece of what it takes to connect 1,300 workstations, users and branch locations for smooth, uninterrupted operations.

What’s frustrating to Westmark and many IT and security managers is that vendors aren’t looking at their true business and operations needs. Rather, they’re manufacturing total cost of ownership and return on security investment models that justify the acquisitions of their products.

For instance, at the recent Infosecurity New York conference, a vendor of IP-enabled surveillance videocameras claimed that it could correlate a persons image with a smart card ID that activated a turnstile, a door lock and, ultimately, a workstations network credentials, all in real time. When asked how it handles bandwidth issues, the vendor responded: “Bandwidth isnt an issue because we run our own lines.” When asked how it manages all the stored video and access log data for auditing, the vendor responded, “Storage really isn’t an issue. Disk space is so cheap that you can just buy more disks.”

Walk any trade show floor or exhibit hall and you’ll find a product to meet any conceivable security risk or threat. Beyond the commoditized network security systems (firewalls, NIDS, VPNs) and client security suites (endpoint security, antivirus and malware protection) there are a multitude of offerings that address application security, database encryption, USB token locks, policy management, auditing and forensics tools, identity management and more. While each product has a viable use in specific instances, security executives say that few have broad-based applicability. Nevertheless, security vendors will hard-sell their products to meet their sales quotas and revenue objectives. “Theres an 80/20 rule in security products—only 20 percent of the security products are really useful,” says BT Radianzs Hession.

Consolidation is a persistent reality in the security space. Many security entrepreneurs start out with a simple business plan: build product, achieve relative critical mass and sell to Cisco, Microsoft or Symantec at a 10-time revenue multiple. Mergers and acquisitions are often the means by which larger technology companies obtain the innovations of free-thinking entrepreneurs. Many of Microsofts security offerings are the result of acquisitions, and Symantec, McAfee and CA are the amalgamation of dozens of acquisitions. Large vendors continue to snap up smaller rivals for their technologies. Whether those technologies ever make it into broader distribution is an entirely different issue.

“I’d like to see more innovations with new technologies and approaches,” says Roger Fye, vice president of IT at Dial Global, a subsidiary of Excelsior Radio Networks and the largest independent radio network in the country. “What we’ve seen over a period of time is the big guys sitting on their thumbs, and now they’re trying to reposition themselves.”

Evolution of security technology and products is an absolute necessity, says Richard Stiennon, chief marketing officer of unified threat management device provider Fortinet. His company is constantly looking for ideas on consolidating functionality. Security is tasked with responding to new trends and threats, making it far more dynamic than other IT sectors. The market, he says, isn’t mature, and that’s reflected in the fragmentation of technologies offered by security vendors and choices large vendors make in their acquisitions.

“Its a bunch of individuals making bad decisions,” says Stiennon. “I think it’s a lack of understanding of their own industries that leads them to make bad acquisitions. When you get to the size of Symantec and McAfee, it’s not security people running these companies, and they don’t talk to their customer often enough.”

End users, however, are split on whether they would prefer vendors who are solely focused on security, or the conglomeration of technologies under one vendor umbrella.

“It would be nice to have only one vendor to call,” says Rob Israel, VP and CIO of John C. Lincoln Health Network in Phoenix. “It would make life a lot easier.” “The world is going to change, and I don’t want to be in three or four different systems and then have to pay someone to come pull it together and tell me what I need to know,” echoes David Jordan, CISO of Arlington County, Va.

Although consolidation may have the mythical appeal of producing simplicity, skeptics say the major security vendors still havent done a good enough job in integrating the products they already have and persist in pushing new products that bolster their revenues without adding true value to security infrastructures. Many security managers say they can achieve higher levels of security with low-cost, high-impact security policy and process management.

“The industry is too complex, too dynamic for anyone to build an effective suite and create one-stop shopping,” says Scott Mackelprang, vice president of security and compliance at Digital Insight, an ASP for midsize banks and subsidiary of Intuit. “If you think youre going to buy into a suite, it wont be the answer to your problems.”

Lawrence M. Walsh is a freelance writer based in New York and the former editor of Information Security and VARBusiness magazines. Contact him at lmwalsh@twentyonetwelve.biz.