Anti-virus Leaders Look to Services for Growth

News Analysis: As anti-virus tools become increasingly commoditized and Microsoft pushes further into the security software sector, traditional market leaders such as Symantec and McAfee are expanding their professional services businesses.

As Microsoft prepares to launch its next-generation Vista operating system in late November, industry watchers are predicting that the product's onboard security features will help further commoditize the already crowded anti-virus applications business.

Hoping to find new avenues for expanding their companies as Vista emerges and anti-virus technologies become available from an ever-growing number of software providers, market leaders Symantec and McAfee are turning toward professional security services to help drive their future expansion.

Both anti-virus top dog Symantec, based in Cupertino, Calif., and second-ranked McAfee, of Santa Clara, Calif., have built substantial businesses providing tools that protect organizations against threats that target vulnerabilities in Microsoft's existing Windows operating systems. Researchers at Boston-based Yankee Group Research chart today's Windows security aftermarket at roughly $3.6 billion per year.

And while neither firm is ready to concede that Vista will dampen demand for such products, and both Symantec and McAfee argue that Microsoft has yet to prove that it has built a significantly more secure operating system, each is pursuing expanded professional services opportunities as one method of building revenues in other arenas.

Just as Oracle's commercialized relational database and Dell's re-engineering of the PC manufacturing process drove IBM away from dependence on product-based revenue and further into the services business, the increasing saturation of the anti-virus segment is leading security companies to look for ways to turn their hard-won expertise into additional dollars, said Greg Hughes, executive vice president of worldwide services and support at Symantec.

Symantec plans to remain an anti-virus provider above all else, Hughes said, but services provide an immediate opportunity for the company to create new business with customers.

"We can't make it on product innovation alone any more. We will continue to invest to that end, but we also need to focus on creating deep, problem-solving relationships with customers to truly help them address the many security issues facing enterprises today," he said. "We're seeing the role of the chief security officer moving more into the job of managing their company's overall IT risk, and that's not a problem that can be solved by products alone."

When Symantec rolled out its new Security 2.0 corporate strategy in mid-October, the company announced a new partnership with massive consultancy Accenture to offer "security transformation services" to help businesses develop and implement new data security policies and manage disparate technologies, with a focus on simplifying such efforts. Such opportunities abound for the company as security technologies become even more sophisticated and diverse, Hughes said.

Symantec CEO John Thompson has gone so far as to promise that about 10 percent of his company's revenues will be derived from services by 2010, whereas they account for only half of that at present, with almost half of the existing business having come to the firm via its acquisition of storage specialist Veritas Software in December 2004.

The company would like to become a "trusted advisor" for services that help companies merge security governance and regulatory compliance efforts, while moving aggressively into operational security services that aim to help protect IT infrastructure, Hughes said. In addition to partnering with Accenture, based in Hamilton, Bermuda, Hughes indicated that Symantec will likely make acquisitions in the next several years to help build out its professional services portfolio.

Among the deals the firm has pulled off over the last several years, some have been made with an eye to providing services that aren't specific to Symantec products, with technology-agnostic expertise arriving via buyouts of Brightmail and IMLogic, and in Veritas' Enterprise Vault storage business, Hughes said.

McAfee has been aggressively increasing its focus on compliance and security management services since its August 2004 buyout of Foundstone for $86 million cash, and it too launched a new corporate vision in October 2006 focused on helping companies balance their overall risk management strategies.

While anti-virus and other security applications will remain at the core of McAfee's strategy, an emerging array of professional services will help the company transform itself from a provider of point products to a risk management partner for enterprises, said Vimal Solanki, senior director of product marketing at the firm.

In addition to Foundstone, McAfee has purchased risk mitigation and compliance experts, including Onigma, Preventsys and Citadel Security Software in 2006 alone, to help expand its expertise in the segment.

"Today customers are looking at security challenges and compliance as two different areas, but we believe that under the guise of risk management we can help companies address both problems while creating policies that will help them better prepare for the future," Solanki said. "Leading the market isn't about point products anymore; it's all about helping management deal with risk, which will open a lot of new opportunities for both products and services."

Both Symantec and McAfee are also building significant capabilities to provide so-called managed security services to enterprises, although the firms concede that only a small number of companies are ready to buy into that model, which offloads responsibility for security operations to the vendors as in other forms of IT outsourcing.
