Just call the dog days of 2010 the summer of security. HP’s recent announcement that it would swallow up security firm ArcSight for $1.5 billion caps off a summer full of blockbuster security acquisitions, as larger firms have tapped into their stockpiles of cash reserves to pick up high-performing security brands in bulk over the last few months. And according to many experts, we may well see even more high-profile security deals before the year is out.
"Large companies are gobbling up security companies left and right. Most of these companies making acquisitions are sitting on a ton of cash and from an ROI standpoint, acquisitions make sense," says Mandeep Khera, chief marketing officer at application security vendor Cenzic. "Because security is no longer an after-thought, security companies in particular are prime targets. Security companies not only have higher margins in general but also offer differentiators to otherwise commoditized technology products. We’ll definitely continue to see more consolidation in the security space in the next six to 12 months."
Over the course of this summer, security M&A activity has totaled well over $12.6 billion, headlined by the most recent HP, ArcSight deal, the massive $7.6 billion Intel purchase of McAfee and the $1.28 billion buy Symantec made of VeriSign’s authentication business.
"It’s a combination of this cycle of where we’re at in the economy right now and where the major vendors are in their position to be able to buy and the fact that security, frankly, does and should line up with the management of IT itself," says Scott Crawford, analyst for Enterprise Management Associates. "Security is a market that continues to do well and its leaders continue to demonstrate performance, as ArcSight does."
Not only are security firms on the whole outperforming the IT market by about double, but also the shifting mindsets about how security should be built into IT infrastructure are influencing major IT leaders to pick up security brands to fit into their overall strategy. According to analysts, this is a function of the way the security R&D ecosystem usually runs.
"The way the security market works is that there are lots of small players that are essentially providing the R&D for the big companies who later buy them," says Andrew Jaquith, analyst for Forrester Research. "Most of the big vendors don’t do much of their own R&D, they buy it. There’s always going to be that frothy, R&D-heavy innovative security company that is either in the Valley or in Israel that is doing things nobody is doing that is providing a lot of energy and is carving out a new market."
But in the near future, many of the bigger general IT firms will likely be picking up the more mature, well-known vendors because, well, they can afford it right now.
"Because we’ve been through a cycle where corporate profits have been pretty strong and many of the large potential acquirers that might acquire companies in the security market have a huge amount of cash on the balance sheet, it’s likely that if there’s going to be continued consolidation, you’re going to see more purchases of well-known top-of-market brands, as opposed to second-tier players," Jaquith says.