Beyond Anti-Virus

McAfee and others aim to muscle in on compliance, but purists fear them not.

As enterprises wait to see whether Congress will soften regulatory guidelines such as the Sarbanes-Oxley Act in 2007, anti-virus vendors such as McAfee continue to push aggressively into the market for compliance tools.

Over the last year, McAfee and rival Symantec have significantly expanded their product offerings in the compliance segment, with both companies launching new corporate strategies that place related risk management technologies at the center of their future plans. McAfee also bought a handful of companies in the compliance market in 2006, announcing deals for Citadel Security Software for $56 million and Onigma for $20 million during the fourth quarter alone.

However, as McAfee, of Santa Clara, Calif., and other security software makers look to the compliance space to help bolster their revenues as the market for anti-virus applications becomes further commoditized, smaller companies already in the sector say they remain confident they can compete.

McAfee and Symantec may be adding pieces to help enterprises manage some aspects of regulatory compliance, but it will be difficult for the companies to steal business from specialists that have spent years refining their products, said Jon Darbyshire, CEO at Archer Technologies, a compliance software maker in Overland Park, Kan.

"Theyre missing the ability to provide customers with a single console that allows users to correlate data, and thats not something they can build overnight," Darby-shire said. "Our systems will be in demand because they are vendor-neutral, and customers will use them to consolidate information from products offered by McAfee and Symantec."

Darbyshire expects McAfee and others to continue expanding their compliance capabilities during 2007—mostly through acquisition—but said it will take time for the companies to integrate the technologies they buy.

Other compliance specialists contend that the anti-virus crowd wont soon be able to develop the complex IT process controls necessary to help enterprises retool their operations in the name of improving compliance.

"These are narrow, highly customized systems, and thats not exactly the specialty of these large anti-virus players," said Chris Poelma, CEO of ControlPath, a compliance software maker in Englewood, Colo. "Im more concerned with newly funded pure-play compliance vendors because customers are looking for specialization, not something that integrates with their AV system."

McAfee officials said enterprises are looking for compliance products that interact with other security applications.

"Customers are concerned about risk from two fronts: from security threats and from potential noncompliance," said Vimal Solanki, senior director of product marketing at McAfee. "We made security risk management our central strategy because customers are telling us they want us to add more ability to mitigate the risk of noncompliance. Customers want something thats easy to manage, and when they have the option to purchase an integrated solution, they will do so."

Some industry watchers said there is plenty of room for both smaller compliance purists and the anti-virus crowd. While companies such as McAfee likely will remain focused on the security aspects of compliance, there will be a need for software makers that specialize in automating business processes and that can help provide top-layer intelligence as companies integrate various products, said Vivian Tero, an analyst with IDC.

"McAfee will stick to the security side of the equation, and there will still be plenty of demand for other compliance products that address the problem from a business process perspective," Tero said. "There should be plenty of room for everyone to compete, but the smaller companies need to [home] in on specific areas they can exploit; in the end, how well the [anti-virus companies] do will be based on whether customers actually want compliance products that are integrated with other security applications."