In IT security, vendor size does not compute

The key component to the vendor selection process is due diligence. Chris Liebert, senior analystYankee Group

In this era of innovation through acquisition, should you stick to the safer security vendor stalwarts, or should you consider the potentially riskier IT security upstarts?

"I think the key component to the vendor selection process is due diligence," said Chris Liebert, a senior analyst of enabling technologies at Boston-based Yankee Group. "A customer has any number of resources to determine whether that vendor will help them accomplish their networking and security goals."

The big names in the security industry are trying to maintain growth in stagnant areas, said Mounil Patel, research director at Boston-based Aberdeen Group. It keeps shareholders happy, he said, and security is seen as a natural extension of their core businesses.

Larger vendors are more stable, but unless they also make an effort to integrate their product lines, there is little product benefit to the customer, Patel said.

Some larger companies invest in promising start-ups, with plans to acquire the company as it becomes a category leader, he said. Such acquisitions allow the company to invest money into external research and development (R&D). But smaller companies are often far more innovative and faster, Patel said, so it is prudent for customers to consider them.

Industry consolidation: Merger madness: What to do when your infosec vendor gets acquired Opinion: More security consolidation is on the horizon Report: Microsoft shaking up security market Security's role in mergers and acquisitions Mergers: The shifting landscape

One such company is the Toronto-based Medic Alert Foundation (MedicAlert). The foundation needed a secure method for customers to view their medical data through its Web site. Their Internet service provider recommended StoneGate security software from Atlanta-based Stonesoft Corp. After comparing the product and company to larger vendors and their offerings, MedicAlert decided that "a traditional route would have been much more costly," said Michael Shreve, director of systems and supply chain at MedicAlert.

Unable to do their own benchmarking, MedicAlert looked at third–party reviews and checked the vendor's organization and structure; they were satisfied that the vendor was stable and that they would still be in business well into the future. MedicAlert also was able to build into the contract assurances that the product could still be used if Stonesoft was acquired or went under.

Another plug for smaller companies is that some customers believe that big security vendors have lost focus, according to Vitor Souza, marketing coordinator at Fort Lauderdale, Fla.-based Bit Defender. Many large vendors lack product innovation and are plagued with poor customer service, Souza said.

He added that many smaller vendors have a sharper focus on developing advanced technology. There's less red tape, he said, so they can customize deals. Big vendors won't negotiate and work with budgets, while smaller vendors will, he said.

Still, while smaller vendors can be innovative and fill a niche, larger vendors offer more stability, said Toby Weiss, general manager of the security management business unit at Islandia, N.Y.-based CA. The ideal scenario is what Weiss calls a "small vendor atmosphere within a big vendor." He believes that, overall, a larger vendor has the resources to offer better customer service.

In addition, organizations need to count on both breadth and depth, according to Chris Voice, chief technology officer of Entrust, a mid-sized vendor based in Addison, Texas. Voice sees a danger to some of the merger mania, including a loss of depth as companies serve different masters. "Is investment still going to be there in a large generalist organization, where security isn't their business?" he asked.

Of smaller vendors, he cautioned that "new and aggressive may save money, but it won't keep you off of the font page."

Peter Evans, vice president of marketing for Atlanta-based Internet Security Systems, said that big names are trusted brands, but successful smaller vendors are often the ones that are partnering with the big companies. He advised customers to look for security solutions that integrate with other vendors' products.

The ability to scale for growth is also critical, Evans said. Security needs to be set up and treated as a control system – a "set it and forget it" approach that automatically takes care of issues, he said.

Additionally, experts say that third-party resources and industry publications are a great starting point for research since they offer product insight. Testing the product in-house is also helpful and some vendors offer free trials. Look at vendors of all sizes, checking for stability, technology, price, and commercial flexibility.

Customers must look at their own business plans and growth potential, and determine their long range plans. Can the solution be scaled and supported on a global level? How is support from sales to rollout to post sales? Look at a smaller vendor's revenue growth, and look for strong engineering and management teams.