
How to make megabucks in IT security: A guide

Written by Patrick Gray, Contributor
Commentary: If you're lucky enough to be the majority shareholder in a midsize security services company, there's a good chance you'll be sunning yourself on the deck of your new yacht this time next year, scoffing caviar from a diamond-studded, solid gold plate.

The Foundstone guys are probably doing that right now. And let's face it, when your company gets picked up for a lazy US$86 million by McAfee, it's time to hit the water. The team at @Stake, which was formed by the hacking crew l0pht, also looks set to sail, after last week's announcement that the big yellow box, Symantec, would buy the midsize consulting group for an undisclosed figure, thought to be around US$50 million.

By the end of next year, maybe CERT or the SANS Institute could organise a regatta; the current appetite for infosec companies seems insatiable.

Announced this week -- but reported by ZDNet Australia last week -- was the merger of beTRUSTed, Ubizen and TruSecure. Unlike @Stake and Foundstone, which were "grass roots" security companies, TruSecure is the Big Mac of the IT security world: functional, soulless and partially owned by Gartner.

Granted, it started off as an all-about-the-technology organisation, but by the time the beTRUSTed merger rolled around, it was all about the money. It doesn't mean TruSecure didn't offer a good service -- it's definitely a capable organisation -- but its marketing-driven approach, versus a security-as-a-science-driven approach, sets it apart from the likes of @Stake.

It's no surprise, then, that it was beTRUSTed, a security company owned by a capital fund belonging to a major U.S. bank, Bank One, that merged with TruSecure. Serious money involved, folks. Billions. beTRUSTed has deep pockets, gobbling up companies like 90East and SecureNet in Australia, and Ubizen in Europe.

beTRUSTed has an end-game, and the grapevine says it's to be acquired. From the beTRUSTed point of view it's all about getting a return on Bank One's money, and for TruSecure it's about earning dosh for their investors: J.P. Morgan Partners, Gartner Group, North Atlantic Capital and others. You know, the little guys.

There is undoubtedly an exit strategy for all those involved in the merged TruSecure/beTRUSTed/Ubizen security behemoth. Investors like those rarely lose.

As for the anti-virus companies like Symantec and McAfee, the plan is to not be anti-virus companies anymore by investing heavily in security. In my mind, this is like believing a bus isn't a bus when it turns into a street. Sure, both Symantec and McAfee have some great security products, but let's face it, they are still anti-virus companies.

Symantec, for example, draws 74 percent of its revenue from desktop anti-virus, according to a recent report. That is not a typo. 74 cents in a dollar. While Symantec is now branded as a "global security solutions" provider, it seems the revenue balance is yet to catch up to the rhetoric.

Anti-virus technology has barely changed since its inception. Security technology, on the other hand, is always changing. New attacks make old defences useless. So the McAfees and the Symantecs and the Computer Associates of the world will eventually realise staying on top of threats will strand them on a perpetual acquisition treadmill from which there is no escape.

Quite nice if you're developing intellectual property in security.

As for services, it remains to be seen if companies like Symantec can keep the intellectual momentum -- the raw smarts -- they pick up with companies like @Stake. The idea is to run a professional services organisation and have the products to back it up. How can they stay sharp? If the products slip, the model fails. If the services slip, the model fails.

These companies have owned the proverbial goose that lays the golden egg for a long time: Anti-virus. But where anti-virus has been the easy sell, security is anything but. It's often seen as a cost to business, and it's far from being commoditised and standardised like anti-virus products. From the goose to squeezing blood from a stone.

The banks and accountants versus the anti-virus folk; the money set versus the cashed-up geeks.

The recent raft of acquisitions means mid-sized security consultancies are becoming an endangered species. But perhaps companies such as @Stake are in fact supposed to be midsized; that could be their natural mode. One of the things that made @Stake a great company was the staff. You can't replicate the alchemic smarts required to be a top-notch security consultant in a business plan. Some may say consultancies like that are not supposed to be big, they're supposed to be mid-sized and expertly staffed.

Could key @Stake staff leave and start up another security group? Sure, why not. Could they leave for positions in non-vendor companies? Perhaps. Will they? It's impossible to say.

But there's a hole growing in the market in the midsize zone. Smaller companies of around 30 to 40 consultants will probably move to fill it. Will that lead to an acquisition? Maybe. And round and round it goes.

So, in short, if you can see yourself on that deck, gulping down 1959 Dom Perignon with your celebrity friends, then get cracking on building a security company. Ahoy!
