HP gets serious about IT security, but is it too little too late?

Hewlett-Packard has announced several new and improved security products and the establishment of an enterprise security products business unit that unifies a string of security-related acquisitions in the past two years, but is the move too little too late?

Consolidation of the security industry has been underway for quite some time, with most of the innovative smaller and medium-size players having been acquired either by bigger security suppliers or IT services companies such as IBM, Verizon and Fujitsu.

HP was relatively late in hitting the acquisition trail, and is only now bringing to market a broad and integrated offering of technologies from SPI Dynamics, Fortify, TippingPoint and ArcSight.

Rival IBM was much faster to market with its integrated security offerings, which means HP has a great deal of catching up to do.

But HP's move has generally received a warm reception, particularly from security industry organisations such as the Information Security Forum (ISF).

"The range and complexity of security threats is set to rise significantly over the coming years and thinking about possible future threats should form the foundation for taking a strategic view of information security," said Steve Durbin, global vice president of the ISF.

For multinationals, governments and any cyber-enabled organisation, information security is becoming increasingly a boardroom issue, and the ISF has consistently advised members that taking a proactive, strategic approach to risk management, by preparing the groundwork for future initiatives such as planning long-term security solutions, is likely to prove beneficial, he said.

According to Durbin, the fact that HP has taken the decision to bring together the security products and services that it has acquired over the past two years into one organisation is evidence of the increasing importance of this fast-changing sector.

Kevin Richards, Information Systems Security Association (ISSA) international president, said that with the recent acquisitions, HP has built capabilities from technologies that individually had strong followings in their respective product areas.

"HP has been a leader in the enterprise computing industry for years, and as an organisation, appears to see these acquisitions as strategic to its future direction," he said.

But, as several industry analysts point out, the HP security capability that has been showcased this week has been in the works for at least four years, starting with the acquisition of EDS, which brought with it significant security expertise.

Graham Titterington, principal analyst at Ovum, said HP has been one of the leading security companies for some time, but this has been a well-kept secret until recently thanks to HP's "appalling" PR machine.

"For example, much of the global banking system runs on HP security, but few people outside the industry know it," he said.

HP's recent acquisition spree, however, has signalled that it wants to change the situation, and Titterington believes that in the long term, HP has the potential to become a key player.

"It is a pity that it withdrew from the identity management market a few years ago as this would have given it a credible market presence and completed its offering," he said.

IDC analyst Eric Domage observes that HP is very late to market with an integrated security portfolio, but like Titterington, believes the company may, in time, be able to make up ground lost to competitors.

By acquiring key security technologies and integrating them with each other and core HP products and services, HP is in a much better position to compete in the global market, said Domage, as the company will no longer have to rely on partners like Symantec to take care of security integration issues and fill in the gaps.

HP is now truly global, in the sense that it is no longer missing the full security component of its offering and can retain all revenues within the company, said Domage, who believes that ArcSight is the jewel in HP's security crown.

As a late starter from a security point of view, HP needs a differentiator to help get up to speed, and ArcSight could be the key, he said, as it brings extensive security information and event management (SIEM) capabilities, which IBM does not have.

This is definitely the right step for HP, said Domage, one that will help improve its ability to retain customers as security becomes an increasingly important component of enterprise deals.

A strong security capability may also help HP regain its competitive edge, but it needs to keep going down the same path, acquiring key technologies and expertise.

"There are a few areas HP could still improve on, starting with threat mitigation," said Domage, with companies such as Symantec and Kaspersky Labs as potential acquisition targets.

While HP still has some work to do on the security front, by all accounts it has made a good start and has the potential to become an important player in the security market as the industry continues to consolidate as a key element of enterprise IT products and services.
