The Ashimmy Blog

I was reading this article in PC World about the the past year being another banner year for consolidation in the software industry. I don't think anyone can argue that we continue to see big fish eating little fish, and even bigger fish eating the big fish. What I thought was interesting though was this quote by the authors: "Outside of security companies, it is now difficult to name even a half dozen well-known, best-of-breed vendors that are holding their own."  Do you really think that is true?  Not that you can't name a half dozen best-of-breed vendors, but the outside of security part.  Do you really think security has been immune to the consolidation epidemic?  I don't think so, but maybe I am lost in the trees without seeing the Forrest.  My impression is that security is probably consolidating at a faster rate than other software sectors.

2007 saw the return of the IPO for several security companies, but overall it seems the traditional security consolidators, Symantec, McAfee, Cisco continued along with their shopping spree.  Joining them were really big fish like Microsoft, Google, IBM.  Even those companies that did IPO are still shark bait and not big enough to remain independent, if one of the larger guys decide they are a good fit. In fact as we heard at RSA last year the independent security vendor is a dinosaur and already dead. We are also seeing medium and smaller players picking over the carcasses of dead and dying companies.  Many smaller players are realizing that they can't go it alone and are more open to discussing mergers and acquisitions with partners and at valuations that they would not have considered 12 or 18 months ago.

This whole thing to me though boils down to two issues.  The first is what drives consolidation and the second one is it really the death knell of independent security software vendors.  Lets have a look at each of these:

1. What drives consolidation - Number one is that big companies find it much easier to buy innovation than to innovate themselves.  The companies who traditionally acquire already have a pipe into large numbers of customers.  They need more products and new technology to push down those pipes and monetize those customers.  Companies of that ilk usually spend a great deal of their creative energies continuing to maintain their pipe and build their distribution footprint.  It is much easier for them to buy the products and innovation than to also have to do that themselves. 

The second thing driving consolidation is the there are just too many damn security companies!  For too long the VCs and others were only too happy to fund security start ups.  After security is always one of the top three priorities of IT managers right?  Well as Uncle Art told us, there are just not enough buyers out there to support all of those companies. No one likes to just see a funded startup just close the doors.  But the venture capital for security start ups not executing is dry and getting dryer fast. So many have no choice but to "look for strategic alternatives". It seems there is always some "kind soul" willing to buy up any half-baked, also ran technology play and blend it into their existing portfolio.  We saw it this year with NAC.  Many NAC wannabes who did not cash in on the NAC goldmine sweepstakes for a variety of reasons, did not have the capital to stay in the game.  So many other companies wanting to enter the game late went bottom feeding and picked up technology that while not even close to best-of-breed, was almost good enough to let them entertain the illusion of at least playing n the game. My caveat to that though is "you get what you pay for".  A dog with fleas is a dog with fleas no matter whether it has a rhinestone collar or not.

2. Is it really the end of the security ISV?  I emphatically believe no! I think we will see less of them than in the past. I think because of this evolution they will be stronger, better organized and more capable of success. They may also have more realistic expectations of what success is.  But as long as the entrepreneurial spirit lives there will be people who see a better, faster, cheaper way of doing things and will bring that way to market.  It may not involve revolutionary new technology.  In fact in most cases it won't. It will be in combining old tech in new ways. Of packaging existing tech in new ways. In using old tech for new problems.  I am a firm believer in innovation. The opportunity to cash out by selling to one of the sharks will be incentive enough to keep the fires of security start ups going.  For that matter not just security, but software ISV's in general.