Security firms jump in the acquisition pool

Spate of billion-dollar deals is prompting midsize IT security providers to offer themselves up as buyout candidates.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
Dawn Kawamoto
5 min read
A correction was made to this story. Read below for details.

The fish are jumping in the IT security industry.

In recent months, the sector has seen several billion-dollar buyout deals. That has created a feeding frenzy among would-be acquisition targets, roiling the industry's waters.

In June, storage giant EMC announced a $2.1 billion megamerger with RSA Security. In August, IBM announced plans to spend big money in the security arena, with a $1.3 billion buyout deal of Internet Security Services. And EMC last month snapped up Network Intelligence for $175 million.

"Security has gone from a 'nice to have' to a 'must have,' and corporate board rooms across America are spending millions to solve the problem," said Peter Kuper, an analyst at Morgan Stanley.

Driving the changes, in part, are new regulatory compliance issues and a desire by customers to deal with fewer vendors, investment bankers and analysts say. In addition, system management and networking companies are active buyers of this technology, as they seek to embed security into their systems or applications.

"The consolidation is happening now, but security will remain in silos until there is full integration of products, and that will take some time," said Ranjini Chandirakanthan, an analyst at ThinkEquity Partners.

She added it can take up to five years for new products to be developed and released.

Hot sectors
Security sectors that have particularly caught buyers' eyes include companies that prevent data leakage, as well as those that tackle identity theft, Chandirakanthan noted.

Encryption technology, intrusion prevention systems, electronic data security and compliance driven applications are also gaining attention from prospective buyers, said Ian MacLeod, managing director of investment banking for Goldman Sachs.

"Security has gone from a 'nice to have' to a 'must have,' and corporate board rooms across America are spending millions to solve the problem."
--Peter Kuper, analyst, Morgan Stanley

Regulatory issues, such those relating to the Sarbanes-Oxley Act, are also helping to drive the security deals. Customers want to have a smaller set of vendors accountable if their technology fails to keep information secure and in compliance with regulations--and large systems and storage companies have the financial clout to act as consolidators.

"They have the ability to do the potential M&A (mergers and acquisition) deals in cash, or are large enough to do them with stock, or a combination of both," MacLeod said.

Midsize security companies are the ones most likely to be engaged in looking for a buyer or willing to do a deal, Kuper said.

Prior to their acquisition announcements, ISS and RSA Security, for example, had long been rumored to be potential buyout candidates.

Other names analysts point to on a short list of potential targets include Trend Micro, Check Point Software Technologies, McAfee and Secure Computing. These are companies that are too small to be a soup-to-nuts security provider, but too large to be a niche player, analysts and bankers noted.

Stuck in the middle
Companies like these are considered midtier players--a position that puts them at a disadvantage, analysts said.

"On one side, you have companies like Cisco (Systems) and Microsoft that will discount the price they charge for security, and on the other side, you have the best-of-breed (niche security) companies," Kuper said. He noted that mid-sized security companies are the ones most likely to be engaged in looking for a buyer or willing to do a deal.

Stocks in these companies are down by roughly 10 to 20 percent from year-ago levels, except for Secure Computing, which is down by nearly 60 percent. By comparison, the tech-heavy Nasdaq is up by more than 5 percent.

"McAfee would be a target, had it not been for its consumer business. Buyers don't want the consumer side, so maybe it could take the consumer piece private and sell the enterprise business," said one security analyst, who requested anonymity.

McAfee, meanwhile, has been busy snapping up more security companies, in a likely bid to increase its critical mass and become a one-stop player.

And over the past two years, speculation has periodically flared up on Wall Street that Cisco would acquire antivirus software maker Trend Micro. Networking giant Cisco, which has been a longtime buyer of security businesses, expanded its relationship with Trend Micro last year, as part of its Adaptive Threat Defense initiative.


Correction: Due to incorrect information provided by a financial-analyst site, this story misspelled the last name of a Morgan Stanley analyst. His name is Peter Kuper.

Check Point, a pioneer in firewalls and virtual private networks, has faced a challenging environment, with its stock off nearly 22 percent from its 52-week high of last October. Its second-quarter revenues are down 4 percent, to $138.9 million, compared with a year ago. During the past four years, the company has seen its stock suffer amid flat product sales.

One analyst, however, recently upgraded Check Point's stock to a "buy" from a "hold," based on the belief its sales will strengthen during the remainder of the year and that the climate has become even more attractive for security acquisitions.

"The healthy premiums paid for RSA and ISS might spur other companies in the space to consider selling."
--Katherine Egbert, analyst, Jeffries

"The healthy premiums paid for RSA and ISS might spur other companies in the space to consider selling," Katherine Egbert, an analyst at Jeffries & Co., stated in her report. "This might be even more true at Check Point, as management--traditionally not a willing seller--contemplates the expensive replacement of several key executives at once."

Secure Computing, meanwhile, has been trying to bulk up, announcing in July that it was acquiring messaging security company CipherTrust for $273.6 million. But investors panned the deal, pushing the stock down 38 percent to $4.99 on the day after it was announced. Secure's share price has yet to recover to its previous trading levels, hovering around the $6 to $7 a share range.

But John McNulty, Secure Computing's chief executive, contends that the company's position is enhanced with the deal, noting the specialist in unified threat defense is acquiring a "market leader in messaging."

Check Point, McAfee and Trend Micro declined to comment for the story.

And as the consolidation of the security industry further progresses, and as protective technology becomes embedded into other kinds of product, one analyst predicted that standalone security companies would become extinct.

Walter Pritchard, an analyst at Cowen & Co., described their future this way: "Security, at the end of the day, is an adjective. It's a way to describe things. There will be a base level of security that will be embedded into storage, desktops and servers."