Tuesday, April 18, 2006

Spotting valuable investments in the information security market

Back in January I mentioned the possible acqusition of SiteAdvisor in my "Look who's gonna cash for evaluating the maliciousness of the Web?" post and it seems McAfee have realized the potential of this social-networking powered concept on a wide scale, and recently acquired SiteAdvisor -- this was meant to happen one way or another and with risk of being over-enthusiastic I feel I successfully spotted this one.

Next to SiteAdvisor's pros and cons that I commented on, I also provided a resourceful overview of some of the current malware crawling projects out there, to recently find out that WebRoot finally went public with the Phileas spyware crawler, and that Microsoft's Strider Crawler came up with the Typo-Control project -- great idea as a matter of fact. What are some of the current/future trends in the information security industry? Are the recent flood of acquisitions the result of cheaper hardware and the utilization of open-source software, thus cutting costs to the minimum while the idea still makes it to the market?

Have both, entry and exit barriers totally vanished so that anyone could get aspired of becoming a vendor without the brand at the first place? Excluding the big picture, it is amazing how uninformed both, end and corporate users are, yet another lack of incentive for security vendors to reach another level of solutions -- if it ain't broken, don't improve it.

Moreover, what would the effect be of achieving the utopian 100% security on both, the market and the world's economy? On one hand we have "the worst year" of cybercrime, whereas spending and salaries are booming, and they should be as the not knowing how much security is enough, but trying to achieve the most secured state is a driving factor for decades to come.

The bottom line is, the more insecurities, the more security spending, the higher the spending, the higher the growth, and with increasing purchasing power, corporate R&D, and government initiatives you have a fully working economic model -- going to war, or seeing terrorists everywhere is today's driving force for military/intelligence spending compared to the "Reds are everywhere" propaganda from both camps of course, back in the Cold War period. Fighting with inspired bureaucrats is always an issue as well.

The Ansoff's Product/Market Matrix often acts as the de-facto standard for developing business opportunities, that is, of course, if you're not lead by a visionary aim, promote an internal "everyday startup" atmosphere to stimulate creativity, or benchmark against competitors. On the majority of occassions a security vendor is looking for ways to diversify its solutions' portfolio, thus taking advantage of re-introduced product life cycles and new sources for revenues.

While there should be nothing wrong with that given a vendor is actually providing a reliable solution and support with it, I often argue on how marketable propositions centric business model is not good for the long-term competitiveness of the company in question.

It's the judgement and competitors myopia that I'm talking about. In respect to the current information security market trends, or let's pick up the anti virus solutions segment, that means loosing sight of the big picture with the help of the mainstream media -- cross refferenced malware names, "yet another" malware in the wild, or supposed to be Russian hacker selling his soul for E-gold(cut the stereotypes here and go through the majority of recent statistics to see where all that phishing, spam and malware is coming from), is a common weakness of a possible decision-maker looking for acquisitions. Focusing on both, current trends, and current competitions is the myopia that would prevent you from sensing the emerging ones, the ones that would improve your competitiveness at any time of execution of course.

The way we have been witnessing an overal shift towards a services based world economy in comparisson to a goods based one, in the informaiton security market services or solutions will inevitably profiliate in the upcoming future. When was the last time you heart someone saying "I don't need an anti-virus scanner, but an anti-virus solution, what's yours and how is it differentiated from the others I'm aware of"? Un-informed decisions, quick and cheap way to get away with the "security problem", or being totally brainwashed by a vendor's salesforce would result in enormous long-term TCO(total cost of ownership) problems, given someone actually figures a way to make the connection in here.

Some time ago, I came across a great article at CSOOnline.com "2 Vendor Megatrends and What They Mean to You" giving insight on two trends, namely, consolidation of security providers and convergence -- the interception between IT and physical security. And while it's great in respect to covering these current trends, I feel the article hasn't mentioned the 3rd one - Diversification. An excerpt :

"One trend is consolidation. "We're seeing the bigger players buying out many of the smaller companies. And I think the largest of the security firms are looking to provide a full range of enterprise services," says C. Warren Axelrod, director of global information security at Pershing, a Bank of New York Securities Group company. "The larger firms, like Internet Security Systems, Symantec and Computer Associates, are buying in many areas to complement what they have. They're basically vying for control of the security space." Axelrod is dead on, and consolidation is just as rampant among physical security vendors as it is in the IT world."

I feel consolidation is happening mainly because different market segments are constantly getting crowded and mainly because it's very, very hard to get a name in the information security market these days, so instead of run for your own IPO, compete against market players whose minor modification may ruin your entire idea, you'd better get acquired one way or another. @stake is an example of how skilled HR runs away from the acquirer, at least for me counting the HR as the driving force besides the brand.

More from the article :

"The second trend is convergence—the confluence of IT and physical security systems and vendors—which, in some sense, is another form of consolidation, only it's happening across the line that historically divided those two worlds."

Tangible security is often favored by investors as it targets the masses, and the most visible example besides perimeter based defenses are the hardware appliances themselves. These days, there isn't a single anti virus, anti spam or anti spyware solution provider without a hardware appliance, but what's to note is how their OEM agreements are still working and fully applicable, it's all about greed, or let's avoid the cliche and say profit maximization -- whatever the market requires the vendors deliver!

Very in-depth article, while I can argue that vendors are so desperate to "consolidate bids" on a national level, as they usually try to get as big part of the pie as possible. What's else to note is that the higher the market transparency, the more competitive the environment, thus greater competition which is always useful for the final user. In respect to heterogenity and homogenity of security solutions, and all-in-one propositions, the trade-offs are plain simple, cut total TCO by using a single vendor, get your entire infrastructure breached into by an attacker that would sooner or later find a vulnerability in it -- find the balance and try to avoid the myth that complexity results in insecurities, as it's a unique situation every time.

What we're witnessing acquisition-to-solution turn-around periods of several months in response to an emerging market - the IM one, mobile anti-virus scanners seem to be the "next big thing", whereas it would take quite some time for this segment to develop, still you'd better be among the first to respond to the interest and the fact that there are more mobile phones capable of getting infected with a virus, than PCs out there -- 3G, 4G, mobile banking would fuel the growth even more, and these are just among the few issues to keep in mind. In a previous post, I also mentioned on a creative use of security intelligence information in Sophos's Zombie Alert service, and a product-line extensions, namely McAfee's bot killing system. What no one pictured would happen is emerging these days - vulnerabilities turning into IP and the overal commercialization of the security vulnerabilities market, and getting paid for getting hacked is a growing trend as well -- much more's to come for sure.

The secrets to successful acquisitions?

- retain the HR that came with it, and better put something on the table at the first place
- don't try to cannibalize the culture there, Flickr is the perfect example out of the security market
- go beyond the mainstream media sources, and PR releases, use open source competitive intelligence tools in order not to miss an opportunity
- attend as much cons as possible to keep track of who's who and where's the industry heading to
- cost-effectively keep in touch with researchers, and an eye on their blogs, you never know who would be your early warning system for business development ideas

Try to stay on the top of security, not in line with it.

Technorati tags:
, , , , , , ,