Security's new deal

Mergers and buyouts are muddying the lines between security and other industries. Can purely security-focused providers survive?

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
Dawn Kawamoto
6 min read
Security companies have entered a new era: Buy or be bought.

Signs of the shift have appeared in a flurry of recent deals. Security giant Symantec is moving outside its niche with its pending purchase of storage maker Veritas Software. On the other side, networking company Cisco Systems and software giant Microsoft have snapped up fast-growing security companies, looking to give their own growth a boost.

This push toward diversification, coming amid widespread consolidation in many areas of the tech industry, has investment bankers and analysts wondering whether companies that specialize purely in security products can continue to thrive.


What's new:
Companies outside the security market are snapping up players within, and security providers are reaching beyond their core markets with their own acquisitions.

Bottom line:
The shift has industry observers wondering whether companies that specialize purely in security products can continue to thrive.

More stories on this topic

"There's a debate whether the security market (will remain) its own market, over time--or will it be subsumed into two other markets, like the communications equipment market, or the networking or systems management industry?" said Kevin Sidders, a managing director at Credit Suisse First Boston. Sidders heads up U.S. software efforts in the investment bank's technology group.

Some security players say the industry will stay as is, selling standalone products such as antivirus software. They note that network threats are evolving so rapidly that companies are continually being born to tackle the new problems. Others, however, argue that the future of security lies in the technology being integrated at all levels of a company's network, from the hardware to the interface, and that the recent merger-and-acquisition activity bears this out.

Rapid revenue growth in the security industry is a key factor driving the deals. Software, services and hardware companies in the sector will pull in $52.2 billion in sales in 2008, compared with $22.8 billion in 2003, predicts market research firm IDC.

That makes those businesses attractive targets for acquirers in the networking, communications and systems management industries, among others.

Still, some say that security companies may be stronger if they provide a soup-to-nuts IT package rather than a product to be bolted onto an existing network.

"Security, ultimately, will not be a standalone market," said one investment banker who asked to remain anonymous. "It will just be just another layer of the infrastructure stack. It's no longer about just making the security products work together."

However it's done, the important thing for the customer is to make the technology as smooth to use as possible, said Fred Rickabaugh, chief security officer at Premier, a Charlotte, N.C.-based provider of support services to health care companies.

"I want the capability to build the 'best of breed' in certain areas were it's critical," Rickabaugh said.

In segments of the market where too few players exist to create competitive bidding, Rickabaugh said consolidation would benefit the customer by bringing one-stop shopping for multiple features.

Related story
Cisco set on secur-
ity spending spree

CEO John Chambers lays
out a seven-year
network security plan.

Given this importance to customers, security businesses will wield influence. Laura Koetzle, a security analyst with Forrester Research, said that security companies may find themselves part of a portfolio where they're considered core to the future of the acquirer.

"Security may be more of an influence as companies become blended," Koetzle said.

Networking companies, for example, are finding that intrusion prevention technologies need to sit on top of or next to the network, in order to keep the data moving at a fast clip.

Last year, router maker Juniper Networks said it will acquire NetScreen Technologies in a $4 billion deal that will bring it technology for virtual

private networks and firewalls. And last December, 3Com announced a $430 million purchase of intrusion prevention specialist TippingPoint Technologies.

Related story
Microsoft's long fuse
Security firms brush
off Microsoft's anti-
spyware plans, but
analysts say Redmond
could yet become
a security force.

Prospective buyers are also interested in anti-spyware companies and providers of security technology for devices and computers used by workers, said Anton Papp, vice president of information technology at investment bank Montgomery & Co.

Activity in the other direction--security companies buying outside their niche--is rarer, but still happening.

Symantec's acquistion of Veritas, a slower-growing storage company, is a case in point. The deal is expected to expand the security company's reach into the broadly defined systems management industry.

"Symantec is seeing their profit margins and market squeezed by IBM, Microsoft and Cisco, which are entering the security market, so they had to diversify," Papp said.

Hold the autopsy
Don't look for the demise of the security industry just yet, some industry observers countered. The trend toward absorbing and being absorbed hasn't been going on long enough to tell whether it's a real shift yet.

"(We're) still a year or two off from determining whether this hypothesis is real," Credit Suisse First Boston's Sidders said. "Once it's determined it's real, then it will take another three to four years to become ingrained in the industry."

Tying the knot

The growing importance of security in the office and home has sparked a shower of deals.

Target: Storage specialist Veritas Software
Deal: $13.5 billion, expected to close by early May
Impact: Will let combined company market integrated bundles of storage and security software to corporate customers.
Cisco Systems
Target: Security hardware vendor Riverhead Networks
Deal: $39 million, completed 2004
Impact: Adds hardware to curtail distributed denial-of-service attacks to Cisco's intrusion prevention lineup.
Other security buys: Twingo, Okena
Target: Antivirus software maker Sybari Software
Deal: Unspecified amount, expected to close first half 2005
Impact: Provides antivirus and antispam tool for e-mail and collaboration servers.
Other security buys: Giant Company Software, GeCad
Juniper Networks
Target: Network security provider NetScreen Technologies
Deal: $4 billion merger, completed April 16, 2004
Impact: Brings software and hardware to protect VPNs, create corporate firewalls and manage network traffic.
Target: TippingPoint Technologies
Deal: $430 million merger, completed Jan. 31
Impact: Provides intrusion detection appliance that inspects packets entering networks.

The cost of acquisitions could also temper the speed of the shift. About 30 security companies have a market capitalization of at least $50 million. By comparison, seven years ago that was true of only six to 10 businesses, Sidders said.

And because this industry is viewed as high growth, most security companies are content to build out their business, rather than hang out a "for sale" shingle.

"Security companies are bought, not sold. It's such a hot space," Papp said.

Not all of the buying activity is taking security companies beyond that market. Some companies are firmly holding onto the concept of remaining independent and focused solely on purely protective products, even while they make acquisitions.

McAfee bought digital security company Foundstone to bolster its security product line. McAfee has also bought other security vendors recently.

In addition, Check Point Software Technologies has largely grown its business through internal efforts, with the exception of the Zone Labs acquisition in late 2003.

Richard Stiennon, vice president of threat research at Webroot Software, puts himself in the camp that believes a standalone security industry is here to stay.

"New security companies are starting all the time to deal with a specific specialization," Stiennon said. "Five years ago, there were no antispam companies or anti-spyware companies. I don't think that will change."