Know the companies who sell you security products? Your vendor list might look quite different tomorrow.
Security vendors, dare we say, are a faddish lot. After 9/11, "homeland security solutions" proliferated; today, everything's pitched as a "compliance solution." But there are two megatrends among security providers that CSOs should be keeping an eye on. They're real trends, not marketing spins, and they will potentially have direct impact on your contract writing and other daily activities.
One trend is consolidation. "We're seeing the bigger players buying out many of the smaller companies. And I think the largest of the security firms are looking to provide a full range of enterprise services," says C Warren Axelrod, director of global information security at Pershing, a Bank of New York Securities Group company. "The larger firms, like Internet Security Systems, Symantec and Computer Associates, are buying in many areas to complement what they have. They're basically vying for control of the security space." Axelrod is dead on, and consolidation is just as rampant among physical security vendors as it is in the IT world.
The second trend is convergence - the confluence of IT and physical security systems and vendors - which, in some sense, is another form of consolidation, only it's happening across the line that historically divided those two worlds.
Below, we examine what these vendor trends mean for CSOs.
ConsolidationInformation security provider Symantec has been the poster child for mergers and acquisitions in the security world. In the past year and a half or so, Symantec acquired Brightmail (messaging security), Platform Logic (intrusion prevention), WholeSecurity (antiphishing), Sygate (network access control) and IM Logic (instant messaging security). And, in a blockbuster deal, it completed its $US13.5 billion merger last July with Veritas, a storage software company. John Pescatore, a security analyst at Gartner, says this sort of activity is a sign that the supply of security vendors has exceeded demand. "For the last couple of years, security has been seen as a hot space, with lots of startups. In every area, there's been 12 different products to choose from," he says. Pescatore believes some markets, like those for firewalls and antivirus software, are maturing: "Now you see three vendors splitting 75 to 80 percent of market share and maybe four or five at most splitting the rest."
Physical security vendors are combining too. According to a recent Lehman Brothers report, "Security Industry Annual 2005," consolidation in the security products industry is a key trend for the following reason: "The global security market, as well as each individual subsector, remains relatively fragmented, and inevitably, every time a security company rises to leadership in a given niche, it becomes an attractive acquisition candidate." In the services arena, the report notes particular M&A activity in risk mitigation, manned guarding and security systems integration. Ray O'Hara, senior managing director at Vance, an investigation and consulting firm (which was itself acquired by Canadian company Garda at the end of last year), attributes guard company mergers partly to cost pressures. "If [a customer has] 1,000 guards across the U.S. or the world, there is continued pressure to make that 900 today, not 1,100. Consequently, [guard] companies can only grow by acquisition" rather than by placing more guards within current customers' businesses, O'Hara says.
Jeffrey Kessler, a senior VP and senior business services analyst at Lehman Brothers who follows the security industry, says the physical security vendor consolidation trend will continue as 1. companies at the top of their niche get acquired, and 2. large companies acquire companies that will help them better service their large customers. Plus, vendors are responding to a shift in security decision making. "Rather than having multiple security suppliers in a region or nationally, it's becoming more common for companies to solicit regional bids or national bids; there are even a few global bids," says Don Walker, chairman of Securitas Security Services USA (which made its own major acquisition of Pinkerton in 1999). Walker sees that trend happening in uniformed services, electronic systems and cash handling services.
What It Means to CSOsThere's more good news than bad news. First the good: "When I look at [consolidation], it fits in with some of my new strategies to limit the number of vendors and get to as few consoles as possible," says Jeffrey Bardin, CISO at Hanover Insurance. Bardin wants to move away from multiple databases and consoles, which make it harder to correlate data and manage his security environment.
Cost is a related issue; fewer packages and consoles means lower overall expense for the CSO. "You have to pay for multiple databases, multiple servers. Each will be a separate package [requiring] you to pay maintenance, buy a new database license, maybe acquire another server. It leads to extended management costs by having these multiple toolsets out there that, down the road, you'd hope would be on a large server, where I can feed all these logs into one engine. I want to manage all my stuff from one console, one dashboard," says Bardin. He adds that he thinks it will take vendors a couple more years of maturity before they get there. "The major problem with these vendors is how quickly they can integrate all these toolsets they've acquired into this single console model. Some may not even want to spend the money to get to that single-console model," he says. Consolidation has already led to a downward pressure on pricing. "We're seeing some of that," says James Beeson, CISO of GE Commercial Finance, who is quite content to reinforce that trend by using GE's purchasing power as a rather massive stick. "In many cases, a big [security company] can be doing antivirus, intrusion prevention services, all sorts of products. If they build those up, a company like GE can put a huge amount of leverage on them to drive the price down," he says.
Happily, consolidation hasn't put an end to startup activity and the innovation startups foster. Bardin notes, "We're actually getting bombarded with [phone calls from] many new security technology companies, each with a particular space. Some of it is related to Sarbanes-Oxley and the role of access, monitoring and tracing of data. There's a lot of activity in the encryption space for data, both in storage and transit."
Consolidation's downsides are few, but worth noting. Beeson says he takes a close look at a potential supplier's financial condition - whether it is big or small - as part of his regular selection routine, as he doesn't want any unexpected surprises in terms of vendor crashes or acquisitions. "We definitely scrutinize their stability from a variety of viewpoints, and I typically won't put all my eggs in one basket without a very strong contingency plan in place."
An overall drop in the number of players in a particular market segment can also present drawbacks. Axelrod, for one, says it makes his life more difficult. "In the past, I think most security professionals were looking for best-in-class point solutions. With the larger vendors providing a much larger portfolio of that themselves, if you decide to select one of the major vendors, then basically your choices are limited to what their offerings are in various spaces. It's not really open standards. So once you decide to go with company ABC, you may not be able to plug-and-play components from other vendors," Axelrod says. Locking into one vendor also makes it more difficult to transition to another vendor if you decide that company has a better portfolio of products, he adds.
Beeson thinks consolidation can also turn what was once a best-of-breed solution into The Artist Formerly Known as Best-of-Breed. He cites as an example Riptech, the managed security services company founded by Amit Yoran, who went on to serve as the cybersecurity czar at the Department of Homeland Security. Riptech was acquired by Symantec in 2002 and, according to Beeson, lost its once-sharp edge. "At the time, Riptech offered the premier service in intrusion protection; they were expensive, no question. Symantec bought them and their service [got bad]. Symantec tried to put its culture on them and drive the cost down, and ended up [hurting] the service," he says. Beeson says he isn't particularly down on Symantec, but he cites this as just one example of how service can suffer when vendors merge. (Symantec did not respond to interview requests for this article.)
Becoming beholden to one vendor has another risk-reward trade-off - it can lower your costs but increase your vulnerabilities in certain technical regards. Bardin's example is using a firewall and intrusion detection system from a single vendor that's coupled on one appliance. "If a hacker knows the anomalies associated with that vendor's infrastructure, it's probably easier to break into it, versus, for example, having a Cisco PIX firewall out front as the perimeter firewall and a Check Point firewall internally," he notes. "Based on that [example], the multivendor model is more costly operationally, but is the cost of going with one vendor lower and the risk higher? Everyone has to ask themselves that question."
Walker says consolidation means companies are dealing with fewer suppliers, getting more consistency from suppliers, acquiring more leverage and gaining better quality control. "They have a right to expect quality control and consistent, reliable service. If their staffs are getting smaller, then the customer doesn't have as much time to devote to such issues," he says. Another plus for CSOs at multinational companies: As vendors get larger and expand their global reach, CSOs can increasingly gain all those advantages all over the world, not just in their home country.
ConvergenceAs time goes on, the worlds of the corporate and IT security professional are, if not colliding, at least beginning to have some fender benders. And that trend is being reflected among systems integrators, particularly the larger players traditionally associated with physical security, such as ADT, Diebold, Honeywell and Stanley Works. Those companies are working with customers on access control systems, biometrics and IP-network video - technologies that require knowledge of both IT and physical security environments. Think of it as consolidation across the physical/IT divide. Some smaller vendors also recognize the writing on the wall and are boning up on their IT skills. But there will be some companies that get lost in the shuffle.
"The challenge for the systems integrators of the world, whether large ones like ADT or Siemens, or small companies trying to group together in networks - Security Net, PSA - to hold onto large customers, is getting up to speed on IT savviness. If they don't, they'll end up being wire hangers and camera hangers at the edge of the network," says Kessler of Lehman Brothers.
Kessler says there are two divergent paths that systems integrators can take. The first is implementing a security system, then handing off the customer to somebody else to monitor and service the system. Vendors who go that route, he says, "end up being a contractor" - that is, a camera hanger, with a gross margin hovering around 25 percent. The second path is to follow your customers as they converge. "If you're involved with integrating the security system with the IT system, and your value proposition is that you'll be the first responder to anything that goes wrong and you'll make sure the system stays integrated with the IT system as that system changes, then you can make a higher gross margin on installation and a monitoring fee in some cases," says Kessler, adding that a 40 percent gross margin can be expected.
Smaller system integrators are banding together so that they don't get left behind. Groups such as Security Net and PSA, cited by Kessler above, are sponsoring IT seminars for their members to better prepare them to keep up with their larger brethren.
What It Means to CSOsMany security execs at large, global companies want to deal with one vendor, not multiple ones, for technologies such as IP-networked video. Vendors that can install an IP surveillance network that monitors customers' offices in Singapore, Spain and Silicon Valley, for example, will earn their business; those that can't, won't.
Corporate security execs recognize that they too must begin to understand IT, and vice versa. O'Hara of Vance agrees that practitioners are getting the drift. He cites an alliance formed last year among ASIS International, the Information Systems Security Association (ISSA) and the Information Systems Audit and Control Association (ISACA). The alliance aims to educate members about the importance of understanding enterprise risk from a cross-functional perspective. (The alliance released the results of a survey conducted by Booz Allen Hamilton, "Convergence of Enterprise Security Organizations," last November, which shows the convergence trend taking off. It can be found at www.asisonline.org/newsroom/alliance.pdf..)
Dennis Moriarty, VP of the global security division at Diebold, likewise sees convergence happening among his customers. "We're seeing traditional security managers who are now interacting much more with the IT folks; IT folks to an even greater extent are becoming part of the decision tree," he says. Moriarty says that in many organizations the two sides have been siloed, and IT played no role in the decision making. But that's changing. "The IT people, when they notice a network access control system being added to their TCP/IP networks, want to make sure the application is not vulnerable to viruses and worms, or open to employees to gain access control," adds B Scott Harroff, Diebold's director of information security architecture.
Convergence is still a destination for most companies. But Kessler says that the old siloed organization needs to change, or else terrible conflicts will be unavoidable. "You will end up with IT people demanding they protect their networks from potential violations [because devices like] cameras and sensors could be polluted with some virus. And security people screaming at IT people for not giving them the access or bandwidth they need," he says.
Moriarty agrees that change needs to happen. "Folks are still very siloed. But to really take advantage of technology, I'm not sure how companies can stay [that way]. It's moving too fast," he says.
Indeed, the rate of change in the vendor and technology space presents both opportunities and challenges for CSOs. Those who stay up to speed can expect lower prices, simpler contracts and suppliers with greater breadth of services. As long as you stay nimble and do your due diligence, change is good.