Why RSA is swimming against the security tide

It's easy to be giddy about information security these days: Companies are spending on new technologies, vendors are killing their numbers, and VC-backed startups are getting snapped up by Check Point and Symantec like knickknacks at a Florida flea market.

All of this good news is little consolation for RSA Security, a venerable industry icon. While many vendors are popping Champaign on a quarterly basis, 2005 has been rough for RSA. The company's stock is down around 50% from a year ago and there continue to be more Bears than Bulls on Wall Street. This week, RSA revised its Q3 and Q4 financial sell off and announced that two senior sales and marketing executives would be leaving the company causing yet another 2005 investor sell off.

Why is RSA swimming against the security tide? Two good reasons:

1. RSA's core business is surrounded. RSA makes almost all of its dough on security tokens. While the company is still perceived as the premium brand, it faces an ever tougher battle against flexible authentication services from Verisign and low-cost alternatives from companies like Vasco. Even though the market for two-factor authentication continues to grow, these market dynamics mean that RSA is caught in a death spiral of lost share and margins.

2. Diversification has failed. RSA has lost loads of money in its failed strategy to diversify into Identity and Access Management (IAM). Wall Street is putting pressure on the company to divest this losing business and rumor has it that there is indecision and divisiveness within the executive management ranks. Shedding two senior people only fuels these fires.

As I see it, one of three things happens to RSA.

The company may act on its own and kill (or sell off) its IAM and other marginal assets. This move would likely boost the share price pleasing investors but it would force RSA into a commodity business model. The company's days as a security thought leader would come to an abrupt end.

The second possibility is that someone comes along and buys RSA for its installed base. The company's market cap is relatively low and it's sitting on just under $290 million in cash and short term investments so the numbers could be attractive to the right suitor. An IBM or CA could do this deal and use the RSA security token base (and revenue) to seed the market for an enterprise IAM play.

The final possibility is that the company does nothing and continues to flounder. As a Massachusetts resident and UMass alumni (note: loads of the senior management team went to UMass), I'd hate to see this happen so I hope the company opts for one of the options described above. If this doesn't happen, expect to see a different name for that big Northern California-based security show in the next few years.