How to clean up in IT security: A basic guide

Want to get rich quick? Know about Internet security? Then read on...
Written by Patrick Gray, Contributor

If you're lucky enough to be the majority shareholder in a midsize security services company, there's a good chance you'll be sunning yourself on the deck of your new yacht this time next year, scoffing caviar from a diamond-studded solid gold plate.

The Foundstone guys are probably doing that right now. And let's face it, when your company gets picked up for a lazy $86m by McAfee, it's time to hit the water. The team at @Stake, which was formed by the hacking crew l0pht, also looks set to sail after last week's announcement that Symantec would buy the midsize consulting group for an undisclosed figure thought to be around $50m.

By the end of next year, maybe CERT or the SANS Institute could organise a regatta as the current appetite for infosec companies seems insatiable.

Announced this week -- but reported by ZDNet UK sister site ZDNet Australia last week -- was the merger of beTRUSTed, Ubizen and TruSecure. Unlike @Stake and Foundstone, which were "grass roots" security companies, TruSecure is the Big Mac of the IT security world: functional, soulless and partially owned by Gartner.

Granted, it started off as an all-about-the-technology organisation, but by the time the beTRUSTed merger rolled around it was all about the money. It doesn't mean TruSecure didn't offer a good service -- it's definitely a capable organisation -- but its marketing-driven approach, versus a security-as-a-science-driven approach, sets it apart from the likes of @Stake.

It's no surprise, then, that it was beTRUSTed, a security company owned by a capital fund belonging to Bank One, that merged with TruSecure. Serious money involved, folks. Billions. beTRUSTed has deep pockets, gobbling up companies like 90East and SecureNet in Australia, and Ubizen in Europe.

beTRUSTed has an end-game, and the grapevine says it's to be acquired. From the beTRUSTed point of view it's all about getting a return on Bank One's money, and for TruSecure it's about earning money for their investors: J.P. Morgan Partners, Gartner Group, North Atlantic Capital and others. You know, the little guys.

There is undoubtedly an exit strategy for all those involved in the merged TruSecure/beTRUSTed/Ubizen security behemoth. Investors like those rarely lose.

As for the antivirus companies like Symantec and McAfee, the plan is to not be antivirus companies anymore by investing heavily in security. In my mind, this is like believing a bus isn't a bus when it turns into a street. Symantec and McAfee have some great security products but they are still antivirus companies.

Symantec, for example, draws 74 percent of its revenue from desktop antivirus software, according to a recent report. That is not a typo. Seventy-four pence in the pound. While Symantec is now branded as a "global security solutions" provider, it seems the revenue balance is yet to catch up to the rhetoric.

Antivirus technology has barely changed since its inception. Security technology, on the other hand, is always changing. New attacks make old defences useless. So the McAfees, the Symantecs and the Computer Associates of the world will eventually realise staying on top of threats will strand them on a perpetual acquisition treadmill from which there is no escape.

As for services, it remains to be seen if companies like Symantec can keep the intellectual momentum -- the raw intelligence -- they pick up with companies like @Stake. The idea is to run a professional services organisation and have the products to back it up. How can they stay sharp? If the products slip, the model fails. If the services slip, the model fails.

Where antivirus has been the easy sell, security is anything but. It's often seen as a cost to business, and it's far from being commoditised and standardised like antivirus products.

The recent raft of acquisitions means mid-sized security consultancies are becoming an endangered species. But perhaps companies such as @Stake are in fact supposed to be midsized; that could be their natural mode. One of the things that made @Stake a great company was the staff. You can't replicate the alchemic intelligence required to be a top-notch security consultant in a business plan. Some may say consultancies like that are not supposed to be big, they're supposed to be mid-sized and expertly staffed.

Could key @Stake staff leave and start up another security group? Will they leave for positions in non-vendor companies? Perhaps. Will they? It's impossible to say.

But there's a hole growing in the market in the midsize zone. Smaller companies of around 30 to 40 consultants will probably move to fill it. Will that lead to an acquisition? Maybe. And round and round it goes.

So, in short, if you can see yourself on that deck, gulping down 1959 Dom Perignon with your celebrity friends, then get cracking on building a security company. Ahoy!
