How to make megabucks in IT security: A guide

Want to spend your holidays sunning on a deck, while gulping 1959 Dom Perignon with celebrity company? Then get cracking on building a security company.

If you're lucky enough to be the majority shareholder in a midsize security services company, there's a good chance you'll be sunning yourself on the deck of your new yacht this time next year, scoffing caviar from a diamond-studded, solid gold plate.

The Foundstone guys are probably doing that right now. And let's face it, when your company gets picked up for a lazy US$86 million by McAfee, it's time to hit the water. The team at @Stake, which was formed by the hacking crew l0pht, also looks set to sail, after Symantec's announcement last week. The big yellow box would buy the midsize consulting group for an undisclosed figure thought to be around US$50 million.

By the end of next year, maybe CERT or the SANS Institute could organize a regatta; the current appetite for infosec companies seems insatiable.

Announced this week--but reported by ZDNet Australia last week--was the merger of beTRUSTed, Ubizen and TruSecure. Unlike @Stake and Foundstone, which were "grass roots" security companies, TruSecure is the Big Mac of the IT security world. Functional, soulless, and partially owned by Gartner.

Granted, it started off as an all-about-the-technology organization, but by the time the beTRUSTed merger rolled around, it was all about the money. It doesn't mean TruSecure didn't offer a good service--it's definitely a capable organization--but its marketing-driven approach, versus a security-as-a-science-driven approach, sets it apart from the likes of @Stake.

It's no surprise, then, that it was beTRUSTed, a security company owned by a capital fund belonging to a major U.S. bank, Bank One, that merged with TruSecure. Serious money involved, folks. Billions. beTRUSTed has deep pockets, gobbling up companies like 90East and SecureNet in Australia, and Ubizen in Europe.

beTRUSTed has an end-game, and the grapevine says it's to be acquired. From the beTRUSTed point of view it's all about getting a return on Bank One's money, and for TruSecure it's about earning dosh for their investors: J.P. Morgan Partners, Gartner Group, North Atlantic Capital and others. You know, the little guys.

There is undoubtedly an exit strategy for all those involved in the merged TruSecure/beTRUSTed/Ubizen security behemoth. Investors like those rarely lose.

As for the anti-virus companies like Symantec and McAfee, the plan is to not be anti-virus companies anymore by investing heavily in security. In my mind, this is like believing a bus isn't a bus when it turns into a street. Sure, both Symantec and McAfee have some great security products, but let's face it, they are still anti-virus companies.

Symantec, for example, draws 74 percent of its revenue from desktop anti-virus, according to a recent report. That is not a typo. 74 cents in a dollar. While Symantec is now branded as a "global security solutions" provider, it seems the revenue balance is yet to catch up to the rhetoric.

Anti-virus technology has barely changed since its inception. Security technology, on the other hand, is always changing. New attacks make old defenses useless. So the McAfees and the Symantecs and the Computer Associates of the world will eventually realize staying on top of threats will strand them on a perpetual acquisition treadmill from which there is no escape.

Quite nice if you're developing intellectual property in security.

As for services, it remains to be seen if companies like Symantec can keep the intellectual momentum--the raw smarts--they pick up with companies like @Stake. The idea is to run a professional services organization and have the products to back it up. How can they stay sharp? If the products slip, the model fails. If the services slip, the model fails.

These companies have owned the proverbial goose that lays the golden egg for a long time: Anti-virus. But where anti-virus has been the easy sell, security is anything but. It's often seen as a cost to business, and it's far from being commoditized and standardized like anti-virus products. From the goose to squeezing blood from a stone.

The banks and accountants versus the anti-virus folk; the money set versus the cashed-up geeks.

The recent raft of acquisitions means mid-sized security consultancies are becoming an endangered species. But perhaps companies such as @Stake are in fact supposed to be midsized; that could be their natural mode. One of the things that made @Stake a great company was the staff. You can't replicate the alchemic smarts required to be a top-notch security consultant in a business plan. Some may say consultancies like that are not supposed to be big, they're supposed to be mid-sized and expertly staffed.

Could key @Stake staff leave and start up another security group? Sure, why not. Will they leave for positions in non-vendor companies? Perhaps. Will they? It's impossible to say.

But there's a hole growing in the market in the midsize zone. Smaller companies of around 30 to 40 consultants will probably move to fill it. Will that lead to an acquisition? Maybe. And round and round it goes.

So, in short, if you can see yourself on that deck, gulping down 1959 Dom Perignon with your celebrity friends, then get cracking on building a security company. Ahoy!