There would be many more successful security companies if their founders and leaders had a better understanding of the IT security space.

One fallacy that will not die is the idea that, to grow, a vendor must be a full stack solution. There is no question that every organization needs to deploy layered security. Solutions are needed for data security, user identity and access management, end point security, server security, network security, and most recently, cloud and mobile device security. No matter how enthusiastic Wall Street may become there will never be a single vendor that dominates in the complete stack.

Let’s go back to basics. At the simplest level, the security commandments are these rules:

1. A secure network assumes the host is hostile.

2. A secure host assumes the network is hostile.

3. A secure application assumes the user is hostile.

These rules are very powerful when applied to product strategies. Any proposed product that binds any two of host, network, and application will be a market failure. Sadly, the messaging around coupling can be very compelling.

Thus, when FireEye acquired Mandiant, there was wide acceptance of the idea that somehow FireEye needed an end point product to complete its solution; so much so that Palo Alto Networks just burned $200 million in acquiring Israeli endpoint security solution Cyvera.

Symantec is a case in point. Symantec has acquired over 75 security vendors over the years, many of them in network security. Remember the Symantec firewalls acquired with Axent? Today, Symantec has 121 products in its catalog; only web gateway security is a network product. Despite billions spent on trying to get into the network security space, Symantec failed. Actually, Symantec succeeded at becoming a dominant end point security vendor with forays into certificates and end point encryption.

McAfee has also attempted to have a firewall solution, first with Gauntlet, which it spun off to Secure Computing and then re-acquired along with Secure Computing. Most recently, probably thanks to Gartner’s market-confusing ramblings about Next Gen Firewalls, McAfee acquired StoneSoft. McAfee’s acquisition of Intruvert and successful market penetration of its IPS solution is the best example of an endpoint security vendor being successful in the network security space. However, when Intel acquired McAfee there was no mention of the large network security business McAfee had built by acquisition. Perhaps Intel did not want to highlight to the broad base of partners that use Intel processors in their network devices that they had entered the space?

Sophos, an anti-virus vendor, has just acquired its second UTM vendor, Cyberoam. What does that say about the success of its first acquisition in the space, Astaro? (See Sophos + Astaro: Good companies, bad deal). Perhaps Sophos is actually attempting to pivot away from endpoint security and become a network security vendor. That would be a good strategy as traditional anti-virus becomes less and less effective at countering the latest malware.

Check Point Software has had its less than stellar attempts to get into endpoint security. First, with the acquisition of consumer desktop firewall vendor, Zone Alarm, and then with the acquisition of PointSec, a full disk encryption vendor. Its market share in endpoint is small and probably does not justify the investment it made in those acquisitions.

None of these companies have experienced any benefit from having end point and network solutions. There is no synergy and the most successful acquisitions come when the acquirer keeps the two businesses separate.

The reasons network and endpoint security solutions do not mix are plentiful:

1. Buying centers. End point security is managed by a different team within the enterprise than is security. That means different sales cycles, different sales teams, separate contracts, and most importantly, different skill sets. There is a broad gap between the Microsoft Windows experts responsible for laptop and desktop configuration and the wizards that maintain switches, routers, and firewalls.

2. Brand perception. Let’s face it, anti-virus products are a pain to work with. Every end user has had frustrating slowdowns, system crashes, and false positives from their end point AV. Those users include the network administrators. The last thing they want is a product from the same vendor on their network, where slowdowns and crashes are much more damaging to productivity. Ever wonder why Microsoft never introduced a router and every attempt at introducing a network firewall has failed completely?

3. Best of breed. Every organization needs the best firewall and the best end point protection for their environment. They will always make those decisions independently.

A full stack security strategy is one of consolidation. But the security industry does not consolidate. Unlike every other segment of the IT industry, security has an outside driver: threat actors. Cybercriminals and nation states force each security vendor to innovate or die. It is hard enough to stay ahead of the curve in one space. Attempting to do it in two spaces is futile.
