Mergers & Acquisitions in the Information Security Field

The news about the sale of the VeriSign consulting team to AT&T suggests that there will be many similar transactions in the near term within the information security market. The investment being made in this market is great, but based on previous experience, a positive outcome is less than certain. From my point of view there have been three stages of roll-up/investment in the market, and each has had limited success.

This first stage included some winners like the VeriSign IPO, and some less successful acquisitions–like The Wheel Group with NetRanger and NetSonar. The acquisitions continued through the end of the Internet boom, with Symantec leading the charge with acquisitions ranging from Raptor/Axent to Riptech. Overall, the outcome was marginal. Many of the purchases were product-oriented, and most of the products are now gone. However, the managed services organizations like Riptech and the independent spin-off of Secure Computing’s consulting team (Guardent) lived on to do fairly well.

The second stage started with the acquisition of Guardent and was followed by similar transactions with Foundstone and @Stake. The NetSPI team had looked at these firms as the industry leaders to be emulated; however, the rumor was that these sales were driven by the investment bankers’ fears of a market downturn (which turned out to be correct). There were other purchases around this time that also fit into a similar category, like BT’s purchase of Counterpane.

With improved market conditions, the IBM purchase of ISS and the MCI purchase of NetSec with the following conglomeration with Cybertrust fall into a third stage. The outcome of these appears to have been OK, but, as with all mergers, there appears to have been some misalignment. As we’re now seeing, Guardent and the related MSS group are being spun-off from VeriSign. This stage now includes the roll-up of security assessment product companies like Sanctum, SPI Dynamics, and Ounce by major technology integrators. Other real and rumored roll-ups include mid-sized VARs like Fishnet and Accuvant purchasing similar companies.

With the VeriSign consulting announcement, we are seeing the continued consolidation of the market. There will likely be more acquisitions, and it will affect the security market and its consumers in good and bad ways. On the positive side, the industry does not yet have a focused leader with a consolidated offering. Symantec and McAfee tried to play this role, but they appear to have given up on it. IBM may have the offering, but since they offer so much else, I wouldn’t call them the security industry leader.

The current trend of carriers and major technology players getting into the space means larger and more consolidated security offerings. The lack of focus may limit the ability of these large firms to continue to offer boutique-oriented services. Additionally, roll-ups that combine security with other offerings introduce a lack of independence. This is a huge issue that doesn’t get discussed much, but it’s one that no firm has truly overcome. It will be interesting to see how the remainder of the product companies fit into this stage. nCircle and Fortify are organizations to watch in this regard. It will also be interesting to see how successful the carriers like AT&T and the major tech players like IBM and HP are at integrating security consulting into their organizations.