The pace of mergers and acquisitions in the security industry has been breathtaking, but could it be headed for a stop?
Since last year, numerous top-tier smaller outfits have been snapped up by large players. Indeed, more than $10 billion has been spent in just the past six months by Symantec (VeriSign plus PGP and GuardianEdge), IBM (BigFix, OpenPages, PSS Systems), Hewlett-Packard (Fortify and ArcSight) and CA (Arcot).
Furthermore, the technology industry heavyweights -- who by virtue of their size largely innovate via acquisitions -- apparently still have oodles of cash at the ready.
What's behind the breakneck pace of acquisitions? One answer is that it's mirroring a growing awareness of security by senior executives. "Security is starting to get higher on their radar screens now," said Steve Robinson, general manager for IBM security solutions. "Many of our corporate accounts are starting to put in chief security officers, to expand their security teams and see that security has impact on all parts of their business."
This evolution and growing security understanding is -- on the upside -- leading customers to demand more consolidated approaches to mitigating their security challenges. Accordingly, said Robinson, "we need to move beyond the single product to solve a single problem, to more of a comprehensive strategy."
Cue mergers and acquisitions. But where should they end, and are businesses best served by a more all-in-one approach?
Consider Intel's $7.7 billion acquisition of McAfee, which surprised many industry watchers who thought endpoint security should be built into the operating system, rather than the motherboard.
The positive spin is that the deal has the potential to bake-in better security to PCs and mobile devices -- through to virtualized environments and the cloud -- from the get-go. But it also has the potential to be seen, in a few years, as an expensive one-size-fits-all boondoggle of AOL proportions.
Garter Group analyst John Pescatore likens the overall information security M&A equation to cars and boats: Would you buy a car from a boat maker? How about a boat from a carmaker? The short answer is, no. Now extend the paradigm to information security.
"I'm always amazed when network infrastructure vendors like Cisco and Juniper build security solutions that try to get us to put their software on our endpoints, and when software vendors like IBM Tivoli or CA acquire and try to sell network security products," he said. "These strategies always end badly -- it is why the McLobster sandwich and the Nobu Whopper never did well either."