Storage and security -- do you buy it?

commentary Storage and security vendors used to come from different worlds -- but in the space of 18 months, Symantec merged with Veritas and EMC acquired RSA Security. So how do you feel about trusting the same vendor to store and secure your corporate data?
Written by Munir Kotadia, Contributor

Known mainly for its antivirus software, Symantec was under pressure to diversify -- partly due to the fact that Microsoft was preparing to enter the desktop antivirus market.

EMC, on the other hand, was a disk storage company that had survived the dot-com bust and was looking to add value by not only storing enterprise data but also managing it.

According to Dennis Hoffman, VP of information security at EMC, the world changed in July 2003 when California introduced a law that required all businesses that have customers in the state to disclose security breaches.

"[It was a] brilliant piece of legislation ... It instantly made security a CEO problem. For too long we have seen information security as something you bolt on," said Hoffman.

Almost exactly three years after that law was introduced, EMC acquired RSA Security. Symantec and Veritas had merged 18 months earlier.

The combining of storage and security vendors was received by a confused marketplace. The stock market reacted by chopping one third off Symantec's market cap within six months of the merger. Interestingly, it has risen sharply since EMC and RSA got together.

Industry partners and analysts are still confused by the combination of security and storage.

"With hindsight, these are either going to be stunningly brilliant or amazingly silly," said Neil Campbell, national security manager of IT services company Dimension Data, which works closely with all four firms.

"I can see some great commercial upsides in combining the companies but I also see some huge distractions for those four companies. I am yet to understand how those mergers and acquisitions are going to translate into tangible products where customers realise the benefits of combining their storage vendor and security vendor," Campbell added.

Analyst group Gartner released a research note shortly after EMC and RSA combined, calling the deal "a strange fit".

Partner, customer or rival?
These types of mega mergers and acquisitions stir the pot when it comes to partnerships and rivalries. Before RSA was acquired, it was getting very cosy with Symantec as the companies had been working together to ensure that SecurID and PCAnywhere would work in harmony.

Symantec refused to speak to ZDNet Australia about this particular issue and instead issued a statement: "Symantec has worked and will continue to work with a variety of partners who offer identity management solutions. We want to ensure that our Symantec solutions are interoperable with a host of different identity management solutions to meet the demands of our customers".

EMC's Hoffman admitted that the company's various acquisitions had irked some of its partners.

"Our acquisition of VMWare was a bit problematic in our relationship with Microsoft -- for a while. Documentum was a bit of an affront to Oracle. Cisco didn't much like the Smarts acquisition because it was a network management system. Symantec was already a competitor due to the acquisition of Veritas," Hoffman told ZDNet Australia.

Hoffman was keen to stress the differences between EMC/RSA and Symantec/Veritas.

"John Thompson (Symantec's CEO) attempted to tell the world that the acquisition of Veritas was storage and security coming together ... The reality is it was the merger of tape backup and consumer antivirus. That's where Veritas made all of its money.

"EMC and RSA are much more storage and security than Veritas and Symantec ever will be because Veritas fundamentally does not store data -- it is a tape backup company.

"Veritas sells nothing to customers to help them store their data. Symantec sell almost nothing to enterprises to help them secure their information. Out of the US$2 billion revenues they booked in the year they bought Veritas, US$1.4 billion was from antivirus software. It's hard to argue you are not an AV company," said Hoffman.

Driven by the law
At the RSA conference in California earlier this year, Symantec's CEO, John Thompson, was a keynote speaker and he called for a federal US law that would require companies to disclose any breaches of security.

"Instead of a patchwork quilt of state laws, we need one federal law that protects all consumers from data breaches and encourages innovation in data security technologies ... an effective data-breach law would require notification to the affected consumer and would include tough enforcement policies. It might also require enterprises to put in place some type of reasonable security measures," Thompson told delegates.

So although there is more rivalry between the two companies than ever before, it shouldn't be a surprise that both EMC and Symantec agree on one thing -- the California-type legislation is a good thing. After all, that law has driven both companies to where they are today.
