Good IT security has been fundamental to the success of the network computing revolution that has occurred over the past two decades; poor IT security has led to some of the most high-profile data breaches that have occurred during that time, writes Bob Tarzey, analyst and director, Quocirca. Originally, much of that security was provided by specialist suppliers, but today more and more of it is incorporated in the IT infrastructure. When should buyers rely on what is provided by infrastructure suppliers and when should they turn to IT specialists?
Changing security landscape
The largest acquisition during 2010 in the IT industry was that of security giant McAfee by Intel, at $7.7bn (Figure 1). This deal even surpassed the amount paid by Oracle for Sun in 2009 ($7.4bn). While the deal took industry watchers by surprise, it clearly underlines this trend of IT infrastructure suppliers adding security to their portfolios.
There has been plenty of debate about what Intel will do with McAfee. So far it has taken a fairly hands-off approach; the parent company is not even mentioned on the opening page of the McAfee website. It has been stated that Intel wants to make sure security is more tightly integrated with silicon by better integrating security software at the chip level, but this only makes sense for some McAfee products, such as anti-virus and end-point security.
Quite a few McAfee products are delivered as appliances, some of which are not currently based on Intel hardware, so there is a minor opportunity for migration. Other areas that McAfee operates in, such as content security and security management (enhanced in 2010 by two McAfee acquisitions; Trusted Digital and 10 Cube), would not be implemented purely at the chip level. So the move by Intel into the IT security space, its largest ever acquisition, is probably best seen as recognition of the continuing importance of IT security and an area where Intel can grow revenues faster and with better margins than its core business.
Intel is not alone. HP, which has had its ups and downs with IT security in the past, has been marching back into the IT security arena over the past few years. It made two acquisitions in 2010; privately held Fortify for code testing, and ArcSight for security and information event management (SIEM), the latter valued at $1.5bn (Figure 1). HP also picked up UK-based security services provider Vistorm when it acquired EDS in 2008, and TippingPoint for network security when it acquired 3Com in 2009.
Figure 1: Largest IT acquisitions in 2010 ($bn) - source: Quocirca
IBM added code testing to its portfolio last year when it acquired Ounce Labs, which now sits in its Rational software development division. IBM already had a broad range of security products, through it 2006 acquisition of Internet Security Systems and other existing products in its Tivoli division for identity and access management and compliance. That was enhanced by another 2010 acquisition of privately held BigFix for end-point management. Such tools are required to deliver end-point security effectively and consistently.
Cisco, the world's leading networking supplier has also been building on its established firewall business, with acquisitions such as IronPort for e-mail security in 2007 and ScanSafe for web content security in 2009. EMC, the world's largest storage supplier, acquired the major player in identity and access management, RSA, in 2006. Looked at through the lens of the joint venture - the Virtual Computing Environment (VCE) coalition - Cisco and EMC (along with VMware) can boast a broad, all-round security portfolio.
During 2010, Microsoft launched news versions across much of its Forefront security range, which includes Forefront End-point Protection (FEP), Forefront Server Security (for Windows Server SharePoint, Exchange, Lync), Forefront Threat Management Gateway (formerly ISA Server) and Forefront Unified Access Gateway (formerly Intelligent Application Gateway). The Forefront range had been built up over a number of years through the acquisition of various small and relatively unknown security suppliers.
The motivation for Microsoft's long journey into IT security is clear: to make sure its customers can use its products more safely. Security was one of the key pillars of Microsoft's Trustworthy Computing initiative, launched in 2003. Many gauge that to have been a success, with Microsoft's products generally considered to be more secure than they were a decade or so ago. But Microsoft only protects Microsoft, to the extent that it often scraps support for third-party products provided by the suppliers it acquires.
For most organisations, IT security needs to cover a wider range of heterogeneous platforms. The situation looks set to get worse as the diversity of devices and operating systems (OS) increases, particularly when it comes to user end points. Whereas Microsoft continues to dominate the PC OS market for the moment, it is currently an also-ran when it comes to smartphones and tablets. It hopes to reverse this through its new partnership with Nokia, but only time will tell if these two giants of their respective industries can make a go of it against Apple, HTC, Google, RIM and others (Figure 2).
Figure 2: The battle of the smartphones (source: Gartner)
That need to secure and manage heterogeneous IT environments brings us full circle. It is the reason why security specialists exist in the first place. Whatever Intel chooses to do with McAfee, it would be crazy to defocus on its generic capabilities to look at securing just Intel-based devices. McAfee once proudly claimed it was "the world's largest independent security supplier", a crown it took from Symantec only because the latter had diversified into storage software through the 2004 acquisition of Veritas.
Despite its previous bluster, it seems likely that McAfee will maintain its credentials as a specialist with the ability to manage security across much of its customers' infrastructure, just as Symantec and CA, another broad-based software supplier with a security portfolio, have done. And it is for this reason that security specialists will continue to be the key providers of security for many organisations rather than purely relying on what other suppliers have embedded in their infrastructure offerings.
With that said, there is still plenty of choice. Following the loss of its independence last year, McAfee passed its crown to Japan-based Trend Micro, whose revenues for 2010 approached $1.1Bn. Trend Micro has a fairly broad IT security portfolio, but it has started to diversify, for example into data protection with the 2010 acquisition of Humyo (rebadged SafeSync). Israel-based Check Point, the original firewall supplier, is not far behind with 2010 revenues of $830m.
Behind these two are a host of smaller security suppliers, including Blue Coat, SafeNet, Websense, Sophos, Webroot, SonicWALL and Kaspersky. All have their own focus which generally needs to be supplemented with products from elsewhere. All are potential targets for infrastructure suppliers to plug further gaps or acquire market share. Who knows who will be wearing McAfee's former crown 12 months from now, but overall the market for IT security looks set to remain lucrative for infrastructure suppliers and security specialists alike.
Buyers should evaluate what is available from their chosen infrastructure suppliers in the first instance, but this will rarely meet all requirements. More importantly, buyers must make sure they have in place a coherent IT security strategy across all their IT assets with the ability to manage it. Many will find that it will still be the IT security specialists that will enable them to best keep ahead of the rapidly changing threat landscape.
This was first published in April 2011