At face value, the idea of buying all of one’s information security software from a single supplier makes a lot of sense. Today’s security threats exploit every medium available, so having anti-virus, firewall, intrusion detection and email security tools that speak the same language increases the chance of preventing disaster.
Consolidation in the security software industry should therefore be expected, and a recent shopping spree by Symantec – the sector’s largest company – is not altogether surprising.
In April 2010, it acquired two encryption software providers, PGP Corporation and GuardianEdge, for $300 million and $70 million respectively. The following month it forked out $1.4 billion for the identity and authentication divisions of Internet infrastructure giant Verisign.
Each of these deals demonstrates Symantec’s “information-centric” approach to security and its “best-of-breed” acquisition strategy, the company said. This is the same strategy that informed its 2008 purchase of online security services provider MessageLabs, its $13.5 billion merger with storage software vendor Veritas in 2004 and a host of big deals in between.
“There are only so many market-leading providers of these key components out there,” says John Brigden, Symantec’s senior vice president for EMEA. “We are pretty unique in putting all these pieces together.”
Brigden says that the addition of the Verisign divisions will help corporate IT departments maintain security, even as their systems become increasingly reliant upon the Internet.
Under Symantec, the acquired technology “will help businesses that want to incorporate identity security into a comprehensive framework so that IT can securely adopt new computing models”, he says, “from cloud computing and social networking to mobile computing and user-owned devices”.
Not everyone was convinced of the wisdom of the acquisition, however. Indeed, John Pescatore, a research fellow at analyst company Gartner, went so far as to say it was a “bad idea”. Pescatore believes that Symantec’s intention is to cross-sell security products to Verisign’s customer base. “We don’t think that will work,” he said.
Most of the Verisign divisions’ $400 million annual revenue derives from the sale of SSL certificates, which website operators buy to prove their sites are trustworthy. But the cost of SSL certificates is such that it is not a major purchasing decision, Pescatore argues, so leveraging the customer relationship will be difficult. “Selling copier paper doesn’t help you sell copiers,” he says by way of an analogy.
In addition, there is little scope for any meaningful integration of the two companies’ technology, Pescatore says. “A security certificate is like a licence plate on your car. You screw it on but there’s no integration with the rest of the vehicle.”
Instead, Pescatore predicts that Verisign’s SSL business will operate under Symantec as though it were a separate company. Despite what Symantec may say, this has in fact been the pattern for many its acquisitions, he argues, most notably the Veritas deal.
“The initial claims that [then CEO] John Thomson made – that security and storage management were essentially the same thing – have proven totally false. They operate [Veritas] as though it was a separate business now.”
That is not to say it has been a commercial failure, he adds: “They seem to be running it pretty well.” Symantec’s ‘storage and server management’ division was its highest grossing in its most recent financial quarter.
Brigden refutes Pescatore’s overall analysis. “Some of the things that we were talking about four years ago – about how true information security is more than just antivirus, it’s about protecting the data across your network, across storage systems and servers and across end-points – were ahead of people’s thinking at the time,” he argues.
Now, though, with data protection at the forefront of the corporate mind, this message is understood. Furthermore, he says, “the integration of our products has really come to a head. Our customers have seen those integrations come to market in the past year, and I think they’re excited by that.”
According to Pescatore, Symantec’s increasing diversification reflects the broader challenge that the company and others of its ilk must address. “The real issue that all mature security companies face is that as the market gets more penetrated, how do they grow? It means looking at emerging markets, looking for new product areas or diversifying away from security.”
Symantec has tried all of these at some point, with varying degrees of success, and it is a pattern that the company appears content to repeat.