Security and compliance software vendor ArcSight went public this week. And the market mostly yawned. Does the market have this right?

To be fair, the Nasdaq is well off its highs from last fall, and the latter half of this week wasn't good for stocks in general. Maybe that explains ArcSight's market debut stumble. Or maybe the market is calling it right.

Shares of ARST, ArcSight's stock symbol, opened at $9, a bit low on its expected range. The initial offering was 6.9 million shares at $9 to $11 per share. ARST closed the week at $8.66 per share and even fell another penny in after-hours trading, to $8.65.

A somewhat disappointing start.

There are some reasons for this, other than a market in malaise. ArcSight, which launched as a security event management vendor about seven years ago, has some hefty competitors, since it didn't take part in the security event management acquisition spree during the past few years:

That leaves ArcSight fighting these players big and small, along with their partners or inside services teams, for what's left of the security information and event management (SIEM) market. In its favor, ArcSight has about 80 partners, including MSSPs.

I don't predict an especially bright future for independent SIEM vendors in general:

When it comes to failed SIEM deployments (failure defined: scrapped implementations or an implementation well below initial expectations), think of network and system management "framework" deployments in the mid- to late 1990s. Ugh.

If any vendor ever tells you that it has a plug-and-forget SIEM solution: run. Run like the wind with your checkbook tucked firmly away.

As for enterprise expectations: I'd first like to flashback to the beginning of what is now the SIEM market. These tools were born back in the days when intrusion detection systems created so many alerts it was just easier to turn the darn things off -- or tune them so low as to be useless. SIEMs (they were called just SEMs back then) were born to collect security-related event information from across the network and normalize IDS alerts. So SEM was born as a result of IDS doing a poor job. They were false-alert generating machines. Also, all of the worms that struck enterprise networks, from Code Red (2001) to MS Blaster (mid-2003) created even more demand.

Then, network worm attacks fell off a cliff in 2004. And intrusion detection and prevention systems matured (somewhat).

As a result, demand in SIEMs also fell off a cliff. And many of these vendors suffered.

They were saved by a vast beast that grew seemingly from nowhere: regulatory compliance.

Essentially, regulatory compliance required security and compliance information to be culled from applications, network devices, and security tools, as well as identity and access management suites. And because these SIEMs are well-positioned to manage disparate sources of security and regulatory compliance data, the SIEM market (as a standalone category) was saved.

But they still require significant work to "work." Vendors with vast services capabilities, or with a very dedicated, very well-trained, and capable solution provider channel, are better positioned to succeed.

In the most recent estimate I could find, research firm IDC predicts the SIEM software market to reach $873.2 million in 2010. The segment is growing at about 25.2% annually. Last year, according to an ArcSight press release, IDC placed ArcSight in the market lead position.

When you divide that by 10, or more, competitors, that means it could be lean times for some vendors.

And at this stage of the SIEM adoption cycle, the vendors like IBM, CA, and Cisco have -- or should have -- an advantage.

For instance, Cisco's security event product, the MARS appliance, largely borne from its Protego acquisition, I wouldn't consider a full-fledged SIEM. But it does provide the functionality needed for a large chunk of the market.

Every time I talk to Cisco, it refused to answer how many MARS installations it has. But I'd guess it's at least 4,000. And word on the street is that MARS pricing is aggressive.

With all of those headwinds, independent SIEMs have quite the fight on their hands indeed.

But ArcSight does have a number of good things going for it. First, its ArcSight ESM solutions have been reported to me as solid by many of its customers. Those customers include large three-letter government agencies and large enterprises in many vertical markets around the globe. It has what has always struck me as a solid management team across the board.

But will it be enough in a crowded market? And will ArcSight be able to hold its lead (according to IDC)?

I'm not so sure.

(Disclosure: The author doesn't hold positions in any IT security vendors.)