Rapid consolidation in the managed security business can have costly results for corporations that entrust the safety of their most valuable information to companies in danger of disappearing tomorrow.
"The economics suggest that only a few major players will survive," said a recent report by investment bank Pacific Crest, which estimates there are more than 50 managed security providers now in the market.
The consolidation is picking up steam.
Pilot Network Services and Salinas Group both went out of business in the spring, with no contingency plan for their customers and no help in moving them to other providers, customers and employees said. Former executives of the companies could not be reached for comment.
More favorable recent transactions include Guardent acquiring DefendNet Solutions in the spring, OneSecure selling its customers to Riptech, and Electronic Data Systems absorbing the assets of Fiderus.
"I would expect this trend to continue," said John Schneller, senior research analyst of CIBC World Markets, the global marketing arm of the Canadian Imperial Bank of Commerce. "This is a business where scale is tremendously important and valuations are down. That's the state of consolidation."
Venture capital pouring into the market for managed security service providers hit $322 million in the fourth quarter of 2000, but only $212 million in the second quarter this year, according to CIBC research.
Managed security service providers are hired to monitor and manage a variety of network components, such as antivirus software, firewalls, intrusion detection systems, and Web and e-commerce servers. The market this year for MSSPs is $630 million, according to The Yankee Group.
Some businesses look to managed security as a cheaper way to secure their operations, paying a monthly fee to a provider instead of dishing out hundreds of thousands of dollars up-front for hardware and software and hiring their own people to run it.
However, if the provider that's hired suddenly goes out of business, the company has to pick up the pieces of the broken security operation and either piece it back together itself or find someone else to do it - which could take days, weeks or months, depending on the complexity the of systems. Experts advise companies to choose providers carefully.
That doesn't make the customers left behind by converging forces feel any better. During Pilot's breakdown, one I-manager found out the real meaning of the phrase "out of service."
"The senior executives at Pilot had completely disappeared," said the vice president of information services of a West Coast health care provider, speaking on the condition he and his company not be identified.
When Pilot went out of business, the health care provider went scrambling for other resources. Employees using the virtual private network (VPN) system to connect from outside the company were disconnected for up to four days. It would have been worse had the company not already had a backup ISP under contract.
About three weeks elapsed from the time Pilot warned customers it would go out of business to when it actually went kaput, the customer said.
There was apparently no such warning from the Salinas Group, a New York MSSP. According to a former company engineer, who asked not to be identified, Salinas had billed several customers for an entire year of service just a couple of weeks before it went out of business in April.
E-mails retrieved and displayed at www.salinasgroup.org, a site run by former employees, show executives were already planning the Web site for a new company they were building, Averweb, before they closed Salinas.
Officials from the former Salinas could not be located. Calls and e-mails to Averweb were not returned.
Whether behind closed doors or out in the open, executives of MSSPs are searching for dollars that will keep them in business.
At a CIBC security and privacy conference, Jeff Payne, president and CEO of venture-backed Cigital, stood up in front of a packed gathering of peers and investors and said flat out he was looking hard for money.
But his hand is only one of many reaching out for a little cash, and very few are going to get it, according to experts. "We're tracking maybe 25 or 30 serious companies in the marketplace, and only four or five them will be survivors," said Ed McPherson, a director of Pricewaterhouse Coopers. Other professionals in the market back up his estimate.
When one considers that Internet Security Systems and Symantec both run profitable public software companies that can fund their respective MSSP businesses for years to come, that leaves maybe three open slots for private companies to make it through the funding gauntlet. "Most of the venture-backed companies will not make it," McPherson said.
The private MSSP companies typically got their start as security consulting businesses, offering professional advice until customers began asking for those consultants to host the operation as well, said Ram Shanmugam, principal of Greylock, which has funded MSSPs. In a security industry teeming with venture capital, those companies jumped at the chance to expand.
That was what Al Decker did as former CEO of Fiderus, until he realized the money was about to run out. "Over the course of 14 months, we had acquired about 60 customers," Decker remembered. With cash reserves drying up and an IPO out of reach, Decker opted to be absorbed by EDS. "The time was right, the economy was nipping at our tails," he said.
McPherson said this model seems to be a trend in the nascent MSSP market. As a company comes out of the "embryonic" stage, just beginning to become viable, it either fails or fades. "The question is whether someone buys you or you just [go out of business]," McPherson said. "And there's only going to be a very few that make it out of the pack."
As for private companies that are strong enough to survive the increasingly poor economic conditions, frequently mentioned candidates include Counterpane Internet Security, Guardent and TruSecure. Those companies that do make it will have nearly $2 billion in revenue to split among them by 2005, according to The Yankee Group.
"There is still money flowing into this space," CIBC World Market's Schneller said. "But it won't be indiscriminate. [Investors] will be very highly critical."
Greylock's Shanmugam has seen several technological opportunities opening up, especially in VPNs. So far, companies such as eTunnels, Fiberlink Communications, Imperito Networks, OpenReach and SmartPipes offer these kinds of services. Shanmugam also points to secure data storage and managed extranet services as underserved markets in managed security.
As for the I-manager of the West Coast health care provider burned by the Pilot shutdown, he said the best way to gamble on managed security is to spread out the bets. "A sole provider at this point, given that experience, seems to be too risky," he said.