As Microsoft prepares to launch its next-generation Vista operating system in late November, industry watchers are predicting that the products onboard security features will help further commoditize the already crowded anti-virus applications business.
Hoping to find new avenues for expanding their companies as Vista emerges and anti-virus technologies become available from an ever-growing number of software providers, market leaders Symantec and McAfee are turning toward professional security services to help drive their future expansion.
Both anti-virus top dog Symantec, based in Cupertino, Calif., and second-ranked McAfee, of Santa Clara, Calif., have built substantial businesses providing tools that protect organizations against threats that target vulnerabilities in Microsofts existing Windows operating systems. Researchers at Boston-based Yankee Group Research chart todays Windows security aftermarket at roughly $3.6 billion per year.
And while neither firm is ready to concede that Vista will dampen demand for such products, and both Symantec and McAfee argue that Microsoft has yet to prove that it has built a significantly more secure operating system, each is pursuing expanded professional services opportunities as one method of building revenues in other arenas.
Just as Oracles commercialized relational database and Dells re-engineering of the PC manufacturing process drove IBM away from dependence on product-based revenue and further into the services business, the increasing saturation of the anti-virus segment is leading security companies to look for ways to turn their hard-won expertise into additional dollars, said Greg Hughes, executive vice president of worldwide services and support at Symantec.
Symantec plans to remain an anti-virus provider above all else, Hughes said, but services provide an immediate opportunity for the company to create new business with customers.
“We cant make it on product innovation alone any more. We will continue to invest to that end, but we also need to focus on creating deep, problem-solving relationships with customers to truly help them address the many security issues facing enterprises today,” he said. “Were seeing the role of the chief security officer moving more into the job of managing their companys overall IT risk, and thats not a problem that can be solved by products alone.”
When Symantec rolled out its new Security 2.0 corporate strategy in mid-October, the company announced a new partnership with massive consultancy Accenture to offer “security transformation services” to help businesses develop and implement new data security policies and manage disparate technologies, with a focus on simplifying such efforts. Such opportunities abound for the company as security technologies become even more sophisticated and diverse, Hughes said.
Symantec CEO John Thompson has gone so far as to promise that about 10 percent of his companys revenues will be derived from services by 2010, whereas they account for only half of that at present, with almost half of the existing business having come to the firm via its acquisition of storage specialist Veritas Software in December 2004.
The company would like to become a “trusted advisor” for services that help companies merge security governance and regulatory compliance efforts, while moving aggressively into operational security services that aim to help protect IT infrastructure, Hughes said. In addition to partnering with Accenture, based in Hamilton, Bermuda, Hughes indicated that Symantec will likely make acquisitions in the next several years to help build out its professional services portfolio.
Among the deals the firm has pulled off over the last several years, some have been made with an eye to providing services that arent specific to Symantec products, with technology-agnostic expertise arriving via buyouts of Brightmail and IMLogic, and in Veritas Enterprise Vault storage business, Hughes said.
McAfee has been aggressively increasing its focus on compliance and security management services since its August 2004 buyout of Foundstone for $86 million cash, and it too launched a new corporate vision in October 2006 focused on helping companies balance their overall risk management strategies.
While anti-virus and other security applications will remain at the core of McAfees strategy, an emerging array of professional services will help the company transform itself from a provider of point products to a risk management partner for enterprises, said Vimal Solanki, senior director of product marketing at the firm.
In addition to Foundstone, McAfee has purchased risk mitigation and compliance experts, including Onigma, Preventsys and Citadel Security Software in 2006 alone, to help expand its expertise in the segment.
“Today customers are looking at security challenges and compliance as two different areas, but we believe that under the guise of risk management we can help companies address both problems while creating policies that will help them better prepare for the future,” Solanki said. “Leading the market isnt about point products anymore; its all about helping management deal with risk, which will open a lot of new opportunities for both products and services.”
Both Symantec and McAfee are also building significant capabilities to provide so-called managed security services to enterprises, although the firms concede that only a small number of companies are ready to buy into that model, which offloads responsibility for security operations to the vendors as in other forms of IT outsourcing.
Competitors Scoff at Anti
-virus Vendors Chances in Services Market”>
The anti-virus leaders may be optimistic about their prospects for jumping further into the professional services market, but some companies they will compete with in the space maintain that it will be hard for such product-oriented vendors to transition into the sector.
While there is rapidly increasing demand for professional security services, making the leap into the business isnt something that can be achieved overnight, said Mark Iwanowski, chief executive of risk management specialist KSR, in San Mateo, Calif., and a former senior vice president of global IT at Oracle.
According to Iwanowski, Big Four consultants such as Accenture dont want to move into operational security management services because they have no interest in overseeing the daily tasks involved in such work, while anti-virus companies such as Symantec and McAfee lack the high-level expertise needed to help customers create security policies and governance strategies. End users will also be suspicious about the firms willingness to recommend products from other security providers, he said.
For its part, KSR is looking to provide security assessment and management services while acquiring technologies such as anti-virus software through mergers and partnerships with companies such as Qualys, Tablus and TriCipher.
“If you look at the genesis of these anti-virus companies, theyre trying to reinvent themselves around risk management and professional services, which will be very hard to do for a number of reasons,” Iwanowski said. “These companies and those coming into the services market from the network side cannot address risk management with the breadth that [CIOs] are looking for. The Big Four are better at it, as [are companies] like IBM, but they dont want to manage the operations, which is what will create opportunities for companies like KSR.”
Industry analysts observed that Symantec and McAfee are wise to expand their security services businesses as Microsoft and other forces in the market put increasing pressure on their product-derived revenues.
Both companies will likely have strengths in particular areas, with McAfee focusing on compliance and Symantec flexing its muscle in IT infrastructure, according to Andrew Braunberg, an analyst with Current Analysis, which is based in Sterling, Va.
“Symantec is well positioned given the breadth of its existing portfolio in IT infrastructure, and could probably become a substantial player in the security professional services market,” Braunberg said. “McAfee deserves to get a lot of credit in moving to risk management; they traditionally havent kept their eye on the ball in terms of market shifts, but theyve been very focused on this strategy over the last 18 months or so; acquisitions such as the Citadel deal could play well into their growth in that capacity.”
The analyst said the move is also part of the companies ongoing efforts to generate more business from enterprises as consumer security technologies become particularly commoditized.
“Part of this strategy is being driven by the need to diversify more strongly into enterprise market, as customers there are ready to adopt services much more broadly,” Braunberg said. “These vendors need a serious professional services group if they want to play at the highest levels of the enterprise market; thats seen as a requirement for doing business in the enterprise space.”