Rapid consolidation in the managed security business
can have costly results for corporations that entrust
the safety of their most valuable information to companies
in danger of disappearing tomorrow.
"The economics suggest that only a few major players
will survive," said a recent report by investment
bank Pacific Crest, which estimates there are more
than 50 managed security providers now in the market.
The consolidation is picking up steam.
Pilot Network Services and Salinas Group both went
out of business in the spring, with no contingency
plan for their customers and no help in moving them
to other providers, customers and employees said.
Former executives of the companies could not be reached
More favorable recent transactions include Guardent
acquiring DefendNet Solutions in the spring, OneSecure
selling its customers to Riptech, and Electronic Data
Systems absorbing the assets of Fiderus.
"I would expect this trend to continue," said John
Schneller, senior research analyst of CIBC World Markets,
the global marketing arm of the Canadian Imperial
Bank of Commerce. "This is a business where scale
is tremendously important and valuations are down.
That's the state of consolidation."
Venture capital pouring into the market for managed
security service providers hit $322 million in the
fourth quarter of 2000, but only $212 million in the
second quarter this year, according to CIBC research.
Managed security service providers are hired to
monitor and manage a variety of network components,
such as antivirus software, firewalls, intrusion detection
systems, and Web and e-commerce servers. The market
this year for MSSPs is $630 million, according to
The Yankee Group.
Some businesses look to managed security as a cheaper
way to secure their operations, paying a monthly fee
to a provider instead of dishing out hundreds of thousands
of dollars up-front for hardware and software and
hiring their own people to run it.
However, if the provider that's hired suddenly goes
out of business, the company has to pick up the pieces
of the broken security operation and either piece
it back together itself or find someone else to do
it - which could take days, weeks or months, depending
on the complexity the of systems. Experts advise companies
to choose providers carefully.
That doesn't make the customers left behind by converging
forces feel any better. During Pilot's breakdown,
one I-manager found out the real meaning of the phrase
"out of service."
"The senior executives at Pilot had completely disappeared,"
said the vice president of information services of
a West Coast health care provider, speaking on the
condition he and his company not be identified.
When Pilot went out of business, the health care
provider went scrambling for other resources. Employees
using the virtual private network (VPN) system to
connect from outside the company were disconnected
for up to four days. It would have been worse had
the company not already had a backup ISP under contract.
About three weeks elapsed from the time Pilot warned
customers it would go out of business to when it actually
went kaput, the customer said.
There was apparently no such warning from the Salinas
Group, a New York MSSP. According to a former company
engineer, who asked not to be identified, Salinas
had billed several customers for an entire year of
service just a couple of weeks before it went out
of business in April.
E-mails retrieved and displayed at www.salinasgroup.org,
a site run by former employees, show executives were
already planning the Web site for a new company they
were building, Averweb, before they closed Salinas.
Officials from the former Salinas could not be located.
Calls and e-mails to Averweb were not returned.
Whether behind closed doors or out in the open,
executives of MSSPs are searching for dollars that
will keep them in business.
At a CIBC security and privacy conference, Jeff
Payne, president and CEO of venture-backed Cigital,
stood up in front of a packed gathering of peers and
investors and said flat out he was looking hard for
But his hand is only one of many reaching out for
a little cash, and very few are going to get it, according
to experts. "We're tracking maybe 25 or 30 serious
companies in the marketplace, and only four or five
them will be survivors," said Ed McPherson, a director
of Pricewaterhouse Coopers. Other professionals in
the market back up his estimate.
When one considers that Internet Security Systems
and Symantec both run profitable public software companies
that can fund their respective MSSP businesses for
years to come, that leaves maybe three open slots
for private companies to make it through the funding
gauntlet. "Most of the venture-backed companies will
not make it," McPherson said.
The private MSSP companies typically got their start
as security consulting businesses, offering professional
advice until customers began asking for those consultants
to host the operation as well, said Ram Shanmugam,
principal of Greylock, which has funded MSSPs. In
a security industry teeming with venture capital,
those companies jumped at the chance to expand.
That was what Al Decker did as former CEO of Fiderus,
until he realized the money was about to run out.
"Over the course of 14 months, we had acquired about
60 customers," Decker remembered. With cash reserves
drying up and an IPO out of reach, Decker opted to
be absorbed by EDS. "The time was right, the economy
was nipping at our tails," he said.
McPherson said this model seems to be a trend in
the nascent MSSP market. As a company comes out of
the "embryonic" stage, just beginning to become viable,
it either fails or fades. "The question is whether
someone buys you or you just [go out of business],"
McPherson said. "And there's only going to be a very
few that make it out of the pack."
As for private companies that are strong enough
to survive the increasingly poor economic conditions,
frequently mentioned candidates include Counterpane
Internet Security, Guardent and TruSecure. Those companies
that do make it will have nearly $2 billion in revenue
to split among them by 2005, according to The Yankee
"There is still money flowing into this space," CIBC
World Market's Schneller said. "But it won't be indiscriminate.
[Investors] will be very highly critical."
Greylock's Shanmugam has seen several technological
opportunities opening up, especially in VPNs. So far,
companies such as eTunnels, Fiberlink Communications,
Imperito Networks, OpenReach and SmartPipes offer
these kinds of services. Shanmugam also points to
secure data storage and managed extranet services
as underserved markets in managed security.
As for the I-manager of the West Coast health care
provider burned by the Pilot shutdown, he said the
best way to gamble on managed security is to spread
out the bets. "A sole provider at this point, given
that experience, seems to be too risky," he said.