Security Analysts Predict More M&A in 2007

While industry watchers have been calling for a shakeout in the security applications sector for several years, analysts and executives feel the time for more widespread consolidation among software makers may be drawing close.

Security software market analysts have been calling for significant consolidation in the space since at least 2005, but some industry watchers are predicting that 2007 may be the year when the trend is finally realized.

While a handful of high-profile deals were pulled off in the security sector during 2006, including EMCs buyout of RSA Security, of Bedford, Mass., for $2.1 billion and IBMs acquisition of ISS (Internet Security Systems) for $1.3 billion, experts contend that more deals will get done over the next 12 months as an array of factors combine to increase pressure on applications makers.

Along with the arrival of a range of security technologies from Redmond, Wash.-based Microsoft, both in stand-alone form and as features included in its newly released Vista operating system, the push by larger security software providers to diversify their product lines and generate opportunities in emerging sectors of the market will spur more deals in 2007 than have been seen in previous years, analysts said.

"Were seeing that large companies are trying to expand their portfolios and become end-to-end providers of enterprise-class security technologies," said Jon Oltsik, analyst at Enterprise Strategy Group.

"In order to do that, they must cherry pick among the other providers and look for specialists from the venture-backed startup world," he said. "In addition to traditional security players, well also see more deals made by large IT companies, such as in the case of EMC-RSA, as these companies try to win larger enterprise deals that demand some level of security expertise."

As another example of the type of deal he expects to materialize in the coming year, Oltsik pointed to the mid-November buyout of encryption specialists Pointsec Mobile Technologies, of Lisle, Ill., by Check Point Software Technologies, of Redwood Shores, Calif., for $586 million.

Midsize companies such as Check Point, which specializes in network security applications, are also being pushed by customers to bring on additional capabilities and will seek out acquisitions targets that lend broader appeal to their products, the analyst said.

Other experts agreed that there will be more mergers and acquisitions in 2007 than in previous years, but that the deals wont necessarily result in a smaller security applications industry as a whole. Despite his belief that large providers will continue to pick off smaller specialists and that a growing number of midsize vendors may merge to join forces, there will still be plenty of security startups coming into the space, said John Pescatore, analyst with Gartner.

"For every merger, there will probably be a new startup backed by venture capital and seeking to address some new type of threat or market demand," Pescatore said. "Among the deals that we do see, I think there will continue to be more deals where non-traditional security players invest in security technologies, such as with the RSA deal, and more examples of large security companies investing in non-security acquisitions to expand their business models, as with Symantec getting into storage with its acquisition of Veritas."

Executives at second-tier security applications makers said they know it will become increasingly hard to compete with larger players in the enterprise space, but indicated that being acquired isnt the only alternative they will face as administrators seek to lower the number of vendors they deal with, and the adoption of Microsoft Vista puts additional pressure on product pricing.

/zimages/6/28571.gifClick here to read more about Vista pricing.

Steve Munford, who signed on as the new CEO of anti-virus software provider Sophos in January, said that smaller companies will band together to provide integrated security applications through partnerships, and that his firm may also turn to the stock market to arm itself with resources to move upstream and compete with the likes of market leaders Symantec and McAfee.

Munford said that Oxford, U.K.-based Sophos and its peers, which include companies such as F-Secure, Kaspersky Labs and Panda Software, will likely be targeted for acquisition by large IT infrastructure vendors such as IBM and Oracle—not that hes planning to sell the firm he says.

"I definitely think we will see security become more important to the infrastructure providers, and that we will continue to see more deals to that end, but that will also create more opportunities for us as it will create a vacuum of pure enterprise security companies," Munford said. "We realize that there probably isnt much room for a $150 million anti-virus company, but there are alternatives to being rolled up in an acquisition. We may consider an initial public offering, for instance."

Tom Noonan, CEO and co-founder of Atlanta-based ISS, helped spearhead the companys sale to IBM, a buyout that was widely rumored months before it was announced. Noonan said the most significant acquisitions in 2007 will likely mirror the deal he made, as major IT providers seek to augment their existing products and services with additional security capabilities.

"Its a simple fact of life that no major IT vendor can sit before customers anymore and say they dont have a serious commitment to security and some proven expertise to back that claim up," Noonan said. "Customers are attempting to simplify their IT infrastructure and reduce the number of vendors they deal with, and at the same time security is becoming a core requirement for enterprises when they consider broader solutions from larger providers."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.