Securing The Future
4:24 PM EST Fri. Nov. 19, 2004
From the November 22, 2004 issue of CRN
Hirsch knows from experience that partnering with a vendor with strong channel relationships pays dividends if that vendor gets acquired. Solid ties with PestPatrol, coupled with Hirsch's effort to embrace CA as a new partner, gave NH&A an edge when the purchase went through in August. He was alerted by PestPatrol to the acquisition before it was widely announced, and CA offered NH&A a healthy exemption from what Hirsch anticipated would be a post-acquisition price increase on PestPatrol products. Things could have turned out differently.
Industry consolidation can be a recipe for disaster, say Hirsch and other solution providers. Product road maps can be altered, vendor cultures can clash, channel contacts can vanish, service levels can suffer, and an acquired product can literally fall by the wayside and decay. These worst-case scenarios are timely examples of the potential issues security solution providers face as industry consolidation picks up steam—a trend being driven by the consolidation of security threats themselves.
Threats ranging from viruses and worms to keystroke loggers and denial of service attacks are blending with one another to trigger maximum havoc. This ups the need to coordinate intrusion-detection systems, antivirus products, firewalls and the overall security management system. As a result, vendors are rushing to provide integrated security suites that pack multiple tools. And in that rush, acquisition fever has taken hold. The current wave could crest by late 2005 because experts regard recent mergers—such as Symantec's purchase of security solution provider @Stake and antispam vendor Brightmail, CA's pickup of identity management vendor Netegrity and PestPatrol, and Cisco Systems' acquisition of end-point security company Perfigo and anti-denial of service firm Riverhead Networks—as merely the tip of the iceberg.
In addition, security startups no longer necessarily covet the IPO route the way they used to. For many, being acquired has become an exit strategy. For solution providers, this means the scrappy little security company that gives them an advantage with customers may already be looking for a buyer. "We are seeing a lot more security startups that have business plans that basically mean being bought by somebody," said IDC analyst Chris Christiansen.
Whatever the reason, vendor consolidation can create problems for solution providers—sometimes it's simply a matter of two unevenly balanced channels being suddenly connected. For example, when Juniper bought NetScreen, its supply chain simply wasn't prepared for NetScreen's sales volume, said Hirsch. "NetScreen caught them by surprise. Juniper sold to a few huge customers and maybe got a P.O. every other day or so. But when they bought NetScreen, suddenly they're getting dozens of P.O.'s a day, and they didn't ramp up. They didn't know what it meant to be selling something in the quantities of a NetScreen. They didn't know how to ship, they reduced head count, and NetScreen customer support got decimated," said Hirsch. "It hurt us, too. I sent a message to them saying you've gone from a '9' in partner service to a '2' in a couple of months."
Worse is when partners have no say as a merger or acquisition takes place. For this reason, Hirsch had trouble with McAfee, a vendor with an admitted history of weak partnering. Hirsch says McAfee inadequately integrated security tools from its purchase of Brightworks. And he has been left wondering about McAfee's 1997 purchase of Pretty Good Privacy, which the company turned around and tried to sell, only to abandon the search for a buyer five years later. "They never integrated it, the product kind of dissolved, and then it went to heck," he said.
Carlos Paz-Soldan, vice president of technology and services at Tenet Computer Group, Toronto, says consolidation concerns make Tenet cautious about adding security startups to its product roster. "Typically, we no longer jump on vendors when they first come out. We watch them for a while before we take them on," said Paz-Soldan. "A big worry we've experienced is if an acquisition is motivated to get rid of the competitor."
Tenet ran into trouble when Hewlett-Packard bought patch management vendor Novadigm in February. Prior to the acquisition, HP had a close relationship with Novadigm competitor Altiris that included joint marketing and technology development, leading Tenet to steer customers toward Altiris. But the arrival of Novadigm as HP's go-to patch management company tested the trust of Tenet's OpenView customers that were already running Altiris based on its advice.
There are times, however, when solution providers actually cheer competitive consolidation.
Tony Pitman, executive vice president at Denver-based South Seas Solutions, was rooting for firewall and VPN vendor CyberGuard, Deerfield Beach, Fla., to be successful when it made a bid in July for rival Secure Computing, San Jose, Calif. Had the $297 million bid been accepted by Secure, a rival product would have been snuffed out, and South Seas Solutions, a CyberGuard reseller, would have seen market opportunity open up. The way Pitman sees it, two channel-friendly, midsize vendors merging is much more beneficial to partners than an industry giant buying up things and possibly weakening the channel's role. "The quicker everyone starts consolidating, the quicker today's smaller guys will be able to compete against the big enterprise vendors. If not, Cisco could buy CyberGuard. You'll have Goliath buying David," said Pitman.
As for where the action is today, it's the messaging and antivirus vendors now doing most of the consolidating. All of the major vendors in the security space have either developed, partnered with, or acquired antispam technology, according to IDC analyst Brian Burke. Spyware vendors will begin experiencing the same merger activity starting in the next 12 to 18 months, said Burke.
Technology specifics aside, the stronger the vendor's channel, the better the merger experience almost always is for solution providers, said Hirsch.
And the luster of strong channel relationships during a period of consolidation is not lost on vendors either. CA took this into account when it bought Netegrity last month, said Gary Quinn, executive vice president of partner advocacy at CA, Islandia, N.Y. "When we are looking at acquisitions, we are looking for strong technology to fill out our portfolio, and we are also looking for strong routes to market. Netegrity had a very solid partner organization, as well as enterprise solution providers. As we look at acquisitions, bonus points for anybody who has a strong partner channel."
However, as with HP's Novadigm purchase, consolidation can create new options for partners that can test even the strongest of channel relationships. After CA bought Netegrity, Sun Microsystems waged a campaign to lure as many Netegrity resellers and customers as possible in the hope they wouldn't want to become CA partners. Only days after the CA/Netegrity deal was announced, Sun unveiled a no-cost license program to migrate Netegrity Site Minder customers to Sun's Java System Access Manager.
Product pricing can be a way for vendors to demonstrate a strong channel commitment and hang on to partners during the often volatile period during an acquisition. Typically, the price of the acquired vendor's security products increases after the purchase. Yet Hirsch cites NH&A's current deal with CA, which gives NH&A a grace period to continue buying PestPatrol products at lower, preacquisition prices. CA's follow-through as a good channel partner, even to its newly acquired partners, motivated Hirsch to more quickly embrace CA's programs. "We will begin buying through CA's distribution because we want to get friendly with the CA guys, and they get compensated. It's to our advantage to build a relationship with CA," said Hirsch.
The consolidation picture could also be impacted if Microsoft uses its leviathan reach to commoditize this market by way of feature upgrades to Windows. The evolving security features in Windows, and improvements slated for the first half of 2006 along with the expected Longhorn debut, will likely reduce the number of security vendors catering to specific markets such as patch management, said IDC's Burke. But Burke makes it clear that "changes from Microsoft will take awhile to propagate."
Business customers may not wait for Microsoft. Customers want simplification in their security technology right now, and if they can get a single suite of products from a single vendor that addresses most, if not all, of their security needs, then bring on consolidation, said Todd Pekats, national director of strategic alliances at CompuCom Systems, Dallas.
Pekats thinks security consolidation will accelerate simply due to its own momentum. "In this industry, one purchase begets another," he said. "If one vendor does it, other vendors see the value and think, 'We need to buy someone.' "
Amid this fervor, innovative startups will keep hitting the market. Hirsch is examining products from Palo Alto, Calif.-based startup Solidcore Systems and asks executives there questions related to partnering, not just products. "Solidcore makes security technology that locks down anything not authorized to run on a server," Hirsch said. "I asked them about their channel plans; they said they were 100 percent channel."
There are always degrees of give and take as markets consolidate, and Hirsch sees advantages at both ends of a vendor's life cycle.
"There are advantages in the beginning when a startup is still small. There aren't a lot of other resellers so you can be one of the few people selling a good product," said Hirsch. "Also, when you have to craft a special deal with a small startup vendor to please a customer, they have the agility to make it happen. But then when they get acquired by CA, the ability to cater to every customers' wishes goes out the window quickly. But the flip side is you know CA will be around next year, or three years down the road."
