When Hewlett-Packard announced its Secure Advantage program in June, the security industry at large became an acquisition rumor mill and for good reason. When IBM decided to broaden its security focus, it bought venerable ISS while EMC followed a similar path by grabbing security pioneer RSA Security. Surely HP would do the same. The buzz went as far as HP buying McAfee--even HP merging with Symantec!
After speaking with Chris Whitener, Chief Security Strategist for Enterprise Storage and Servers at HP, I really don't anticipate a "big bang" security acquisition from HP anytime soon. This is not to suggest that HP isn't serious about security, in fact just the opposite is true. HP just doesn't seem really interested in selling traditional security point product but will instead focus its efforts on security services, security management integration, data security and the intersection of security and corporate governance.
The logic here is simple. Rather than the traditional "bottom-up" approach to security, HP's strategy starts with executive management and works its way down. In other words, HP plans to count on its relationships, industry expertise, product installed base and IT services management prowess to weave together enterprise security solutions that complement existing HP strengths. Yes, this will pull products like identity management, SPI Dynamics and Opsware, but it also relies of professional services for IT governance expertise in areas such as the IT Infrastructure Library (ITIL) and security standard ISO/IEC 17799/27002. Think big enterprise-wide projects and business-critical infrastructure here rather than basic threat management.
So will this work? Yup. Large enterprises are buying exactly what HP is selling and the list of competitors gets pretty thin after IBM and Symantec. HP needs to toot its own horn with marketing air cover and developing more industry-specific security solutions but its customers are already hearing more and more about Secure Advantage and HP capabilities every day through the grassroots efforts of its global sales force. HP will rely on IT muscle rather than specific security visibility and brand awareness.
HP won't be the most visible company at next year's RSA security conference but if it executes on this strategy, it may win some of the industry's biggest security deals. Sounds like a winning strategy to me.