enterprisesecuritymag

Macro Changes in the IT Security Industry

By Richard Stiennon, Chief Research Analyst, IT-Harvest


Of all technology fields, security is the only one that is almost completely driven by outside actors. Changes in ERP, CRM, storage, wireless, and computers are driven by competitive pressures, innovation, and the drive to make things smaller, faster, and cheaper. Threat actors, be they hacktivists, nation-state spies, cyber criminals, or the surveillance state, are the primary drivers of the IT security industry. The security industry produces products and services to address new attack methodologies, while also working towards efficiency and innovation. The established players in the firewall, anti-virus, Identity and Access Management, and data security fields all strive to add features and improve ease of deployment and management. But for new technology to counter new threats, the established vendors have had to turn to startups for innovation.

For its first decade, the dynamic of the industry could be described as many small firms developing cutting-edge solutions, with large firms relying on the small firms and the all-knowing eye of the market to winnow out the losers. Cisco, Symantec, McAfee, IBM, and CA would acquire the security companies that had the most momentum and add their products to their portfolios. Sometimes the acquisition of the startup changes the whole direction of the acquirer. That happened when Cisco, the networking giant, acquired IronPort, the email anti-spam and security company. The IronPort team took over security at Cisco. Suddenly Cisco was no longer a network security company but a messaging security company. With the fairly recent acquisition of Sourcefire, that transition is being reversed. Another great example of a beneficial acquisition was Trend Micro’s acquisition of Third Brigade, a small server security company based in Ottawa. The Third Brigade team infiltrated Trend’s operations and helped pivot an anti-virus company into cloud server security.

This percolation of startups to established players gave investors a clear vision of the path to liquidity they sought. VCs and angels would invest in technology that had prospects for quick growth and a quick sale at favorable multiples of revenue.

But the market dynamic began to change in 2005 as Symantec had to look to larger and larger acquisitions and made the blunder of merging with a datacenter company, Veritas. Perhaps management was fooled into thinking that they had to match EMC, which had acquired RSA and pledged to get to $1 billion in security revenue in short order. As Symantec struggled to find a strategy that made sense to its stockholders and the market, it floundered. Only now is it finally unwinding the Veritas deal and splitting back into two separate companies. Lesson learned: never merge two companies that exist in different universes, one driven by technology change, and one driven by outside threat actors.

While Symantec’s role as the acquirer diminished, McAfee headed down its own inexplicable path. First McAfee acquired the faltering Secure Computing, and then, still inexplicably, sold itself to Intel in the largest acquisition ever in the security industry. This was another example of two industries trying to merge, although synergies are still not evident. While both Symantec and McAfee (now sometimes called Intel Security) continued to make a few tactical acquisitions, they left a void.

That void is being filled by Private Equity firms that are ecstatic to have the opportunity to invest in an industry that is growing close to 24 percent a year. Thoma Bravo has made the biggest investments to date, with SonicWall, Blue Coat, Tripwire+nCircle, and Entrust just some of the bets they have made. SonicWall was sold to Dell, Entrust to Datacard, and Tripwire to Belden; Blue Coat is in the process of being sold to Bain Capital with the reported intent to take it public again.

In the meantime, the smaller PE funds are making investments too. They are looking for established companies with loyal customers, perhaps with a market or geographic niche. Cigital and Identity Finder have both taken significant PE investments. And if they are not originating buyouts, second-tier PE firms are participating in the debt offerings floated to fund the big deals.

Acquisitions by tech companies like IBM and Cisco are still happening, but the dynamic has changed thanks to large PE firms entering the space, at least for now. What is going to be interesting to watch is Symantec, the new security company after its breakup with the data center division, as it jumps back into the acquisition space. The final event needed to restore order to the security ecosystem is for Intel to spin out McAfee again. And who better to take on such a big deal than Private Equity?
