When security firms merge, some users are losers

When one security vendor merges with another or is acquired by a larger IT provider, the parties involved always tout the benefits customers can expect -- better help desk services, a wider array of management tools and the tighter integration of security into the larger infrastructure. Unfortunately for some users, those benefits don't always materialize.

When I heard of the acquisition, I was worried about whether talent would be depleted and whether service would wither. Franklin Warlick, senior messaging systems administratorCox Communications

SearchSecurity.com recently interviewed IT professionals whose security tools passed from one vendor to another to see if they're still happy with the products. Some are pleased with the end result, while others say they're frustrated by a drop-off in quality and support.

One unhappy customer is Farhad Karampour, an IT engineer with Newton, Mass.-based MIS Alliance Corp., which provides IT management services to small- and mid-sized businesses. Many of his clients use Symantec Corp.'s Backup Exec, a network-enabled backup product the Cupertino, Calif.-based antivirus giant acquired when it purchased storage company Veritas Software Corp. in late 2004.

Before Symantec took over, Karampour had no trouble renewing his clients' support licenses and found that the people working for Veritas' help desk could almost always help him resolve a problem. It's been the opposite scenario under Symantec, he said.

Mergers and acquisitions at a glance: There have been many acquisitions and mergers between IT security vendors and other companies in the last two and a half years. Here is a look at some of them: FEBRUARY 2007: EMC Corp. announces a definitive agreement to acquire data security firm Valyd Software Private Ltd. JANUARY 2007: Symantec Corp. signs a definitive agreement to acquire IT management software vendor Altiris Inc. for approximately $830 million. JANUARY 2007: Cisco Systems Inc. announces plans to buy Internet security gateway appliance vendor IronPort Systems for $830 million. JANUARY 2007: Fortify Software Inc announces its acquisition of Secure Software Inc. DECEMBER 2006: IBM announces plans to acquire Consul Risk Management Inc., whose software tracks employee behavior and unauthorized records access. SEPTEMBER 2006: EMC Corp. announces its $175 million acquisition of security event management vendor Network Intelligence Corp. AUGUST 2006: IBM announces the $1.3 billion acquisition of Internet Security Systems Inc. (ISS) to bolster its position in the managed security services market. JULY 2006: Secure Computing Corp. announces its acquisition of messaging security firm CipherTrust Inc. for $273.6 million. JUNE 2006: EMC Corp. announces plans to acquire RSA Security Inc. for just under $2.1 billion. DECEMBER 2004: Symantec acquires Veritas Software, maker of data backup and storage programs, for more than $13 billion.

"The technicians handling calls regarding Symantec Backup Exec don't seem to be as knowledgeable as when this software was supported by Veritas," he said. "It takes an average of 45 minutes or more to get a support technician on the phone."

One day, after waiting 45 minutes and then getting a technician who couldn't help him address his problem, Karampour asked to speak to a manager. He said he was disconnected after spending about a minute on hold.

He said it's been a nightmare trying to resolve the licensing issues, including the process for accessing the product installation keys. "To receive the license key for some of our clients, I have spent hours without any resolutions and the final answer during the support call is for Symantec to follow up and send an email with the requested information," he said. "The software continues to do a good job. The problem is the service."

Karampour believes Symantec bit off more than it could chew when it took over the product and that its technicians were not properly trained to deal with Veritas-related questions.

Symantec acknowledges problems
Symantec doesn't dispute that there have been problems. Last November, Veritas and Symantec enterprise resource planning systems were merged, resulting in new licensing, ordering and support programs that will ultimately streamline customer and partner processes, a company spokeswoman said in an email exchange. But in the short term, she admitted, the waters have been choppy.

"As expected with an infrastructure change of this magnitude, we are working through a period of transition with our partners and customers," she said.

In some cases, she said the problems are more cultural in that customers need to learn new procedures or processes to use the merged systems. In other cases, customers are running into technical problems on Symantec's end.

"However, Symantec has continued to process orders throughout this transition, and processed more orders in the month after the merger than were processed the month before or in the same month last year," she said.

She said Symantec is taking specific steps to resolve all issues. This includes increasing the capacity of its customer support lines and keeping in touch with the community via the company's Web sites, outbound emails and account-specific calls. The company is also working to resolve invoicing and reporting issues on an individual basis and is giving customers more time to make the transition.

"We have corrected the most serious issues already and are working with our partners to reconcile reports to ensure that processed orders were properly shipped, fulfilled and invoiced," she said.

A smoother transition
While the transition from Veritas to Symantec has been difficult for Karampour, other IT professionals report that their product support has improved or stayed the same following the acquisition or merger of their vendors.

Franklin Warlick said he was initially terrified to learn that his messaging security vendor, CipherTrust Inc., was being acquired by Secure Computing Corp., a San Jose-Calif.-based provider of security appliances, firewalls, and programs for identity and access management and content management and filtering.

"CipherTrust was a huge success story here," said Warlick, senior messaging systems administrator for Cox Communications, a multi-service broadband communications company with approximately 6 million customers across the United States. "Support was good. We had no complaints. When I heard of the acquisition, I was worried about whether talent would be depleted and whether service would wither."

His concerns proved to be unfounded, and today he happily uses Secure Computing's IronMail product to keep spam and other malicious content out of the company's 30,000 email inboxes.

A few weeks after the acquisition was announced, Secure Computing invited Warlick and other customers to a roundtable discussion where he was able to meet the CEO and get a better idea of the company's intentions.

"I saw they were keeping a lot of CipherTrust people at top levels," he said. "Once I saw it wasn't just about buying the product and releasing the people I quickly relaxed."

He said his product has not changed since the acquisition, though he's optimistic the company will add functionality to help enterprises combat Web-based image spam. He has also used the customer support system two or three times since the merger without incident.

Looking ahead, Warlick hopes Secure Computing will add more reporting capabilities to the product. "A better interface for customer reporting is something we hope for, and I was told it's coming," he said.

Too soon to tell
For others, it's simply too soon to tell if the quality of their security products and services will change as the result of a merger or acquisition.

Bryan Sowell, authentication services engineer for a large Fortune 500 company, is an RSA Security customer who has seen no change since the company was acquired by storage giant EMC last summer. He said it's probably too soon to tell what the overall impact will be, but for now he's cautiously optimistic.

"I haven't seen any change in the service or effectiveness of the RSA solutions," he said. "EMC did not have any competing products with RSA, though, so there were none of the traditional issues associated with acquisitions."