Compliance Purists Stare Down AV Threat

As anti-virus companies push further into the market for compliance automation software, established applications vendors say they're not intimidated by the increased competition.

As enterprises wait to see whether the newly elected Congress will soften regulatory guidelines such as the Sarbanes-Oxley Act in 2007 and alleviate the strain placed on businesses, anti-virus vendors including McAfee continue to push aggressively into the market for compliance tools.

Over the last year, McAfee and rival Symantec have significantly expanded their product offerings in the compliance segment, with both companies launching new corporate strategies that place related risk management technologies at the center of their future plans.

McAfee also bought a handful of companies in the compliance market in 2006, announcing deals for Citadel Security Software ($56 million) and Onigma ($20 million) during the fourth quarter alone.

However, as McAfee, of Santa Clara, Calif., and other security software makers look to the compliance space to bolster revenues while the market for anti-virus applications becomes commoditized, smaller companies already competing in the sector said they are confident they can compete with such giants.

McAfee and Symantec may be adding pieces to help enterprises manage aspects of regulatory compliance, but it will be hard for those companies to take away business from specialists who have spent years refining their products, said Jon Darbyshire, chief executive at Archer Technologies, Overland Park, Kan.

"Theyre missing the ability to provide customers with a single console that allows users to correlate data, and thats not something they can build overnight," Darbyshire said.

"Our systems will be in demand because they are vendor neutral and customers will use them to consolidate information from products offered by companies such as McAfee and Symantec."

Darbyshire said that he isnt shocked that the anti-virus market leaders have moved into compliance automation, but he said he is surprised it took them so long to do so.

He expects that McAfee and others will continue to build out its compliance capabilities during 2007, in particular via acquisition, but said it will take time for the companies to integrate the technologies they buy.

/zimages/1/28571.gifMcAfee snaps up another compliance specialist. Click here to read more.

Other compliance specialists contend that the anti-virus crowd wont soon be able to develop the complex IT process controls necessary to help enterprises retrench their operations to improve compliance. This is expertise that they say can only be gained by participating in the market for years.

"These are narrow, highly-customized systems, and thats not exactly the specialty of these large anti-virus players, and I dont think theyll even want to acquire something so specialized," said Chris Poelma, chief executive of compliance software maker ControlPath, based in Englewood, Colo.

"There will certainly be more consolidation, but Im more concerned with newly-funded pure-play compliance vendors, because customers are looking for specialization, not something that integrates with their AV system."

Executives at McAfee brushed off those criticisms, and said that on the contrary, enterprises are specifically looking for compliance technologies that can interact with other security applications.

By working with its channel of systems integrators and consultants, McAfee has access to the most advanced business process expertise in the world, said Vimal Solanki, senior director of product marketing at McAfee.

Solanki said it is typical for smaller companies to criticize larger firms abilities to integrate the technologies they acquire, but that his firm has already blended in most of the tools it has purchased.

"Enterprise customers are concerned about risk from two fronts, from security threats and from potential non-compliance," he said.

"We made security risk management our central strategy because customers are telling us they want us to add more ability to mitigate the risk of non-compliance. Customers want something thats easy to manage, and when they have the option to purchase an integrated solution, they will do so."

Customers are also interested in benefits from further linking security and compliance technologies, in particular tying together issues such as vulnerability patching and streamlining infrastructure, he said.

Some industry watchers believe that there is plenty of room for both smaller compliance purists and the anti-virus crowd to compete.

While companies such as McAfee will likely remain focused on the security aspects of compliance, there will be a need for software makers that specialize in automating business processes and can help provide top layer intelligence as firms integrate various products, said Vivian Tero, analyst with IDC in Framingham, Mass.

"There should be plenty of room for everyone to compete, but the smaller companies need to hone in on specific areas they can exploit." Tero said.

"In the end how well the [AV companies] do will be based on whether customers actually want compliance products that are integrated with other security applications."

/zimages/1/28571.gifCheck out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.