The Daily Incite - 10/10/08 - Deal: Symantec buys MessageLabs

Submitted by Mike Rothman on Fri, 2008-10-10 08:17.
Today's Daily Incite

October 10, 2008 - Volume 3, #81

Good Morning:
The Big Yellow is at it again and this time they better bring a Big Yellow Teapot. On Wednesday, they announced a $695 million deal to acquire MessageLabs and go "all in" on the email and web SaaS space. It's kind of an interesting deal and there are a lot of nuances, but overall it's very reflective of Symantec's acquisition strategy. Here are some initial thoughts on the deal.

  1. This deal is not a surprise to me (as it was to Adrian). MessageLabs has been shopped around pretty much since the Google/Postini deal hit a while back. It was never a matter of if, it was when and who.
  2. Symantec's M&A strategy seems to be to spend a lot of money and get the perceived "leader" in the space. This deal is EXPENSIVE. Paying 5x revenue for a 20% growth rate company is a big number. I'm sure MessageLabs wasn't about to settle for a smaller number than Postini and there may have been other bidders to raise the stakes. But by any measure (especially in this economy), it's an expensive deal.
  3. Symantec needed a better services strategy, so there are a lot of go-to-market synergies. And MessageLabs used a lot of Brightmail technology under the covers, so there is some technical synergy as well.
  4. If a company wants to be a real, long-term player in security, they need to have the ability to offer their stuff as a SaaS offering. McAfee is pretty weak in this respect and the MessageLabs deal makes SYMC rather strong. Of course, whether the field figures out how to position the gateway product vs. the service remains to be seen, but customers are demanding flexibility in how they deploy and Big Security must deliver.
  5. Clearly Symantec didn't think they could build it themselves and grow it fast enough to make a difference, or they would have bought a much smaller player and driven it through the global channels. John Thompson has deep pockets and is going to flex them. Which is good for all those security vendors that have grown too "big" to get a deal done easily.

Overall, I think it's a decent deal, but at that price they need to execute well. Of course, M&A execution isn't exactly Symantec's strong suit. But ultimately, the Big Yellow needed to have a story for SaaS and MessageLabs gives them a lot to build on. And the rest of the independent email security players should be a bit concerned. The number of legitimate exits is decreasing by the day.

The last one standing is not a good place to be. Have a great weekend. 

Photo: "Big Yellow Teapot" originally uploaded by unlovable

Incite 4U

Please be patient as I evolve the format of TDI to something that will work, given I can spend a lot less time on it during the week. Having a day job kind of puts a crimp on these fun, little hobbies. Today I'm going to try a hybrid format. Let me know if you think it sucks.

  1. Got NoScript? You better, since Jeremiah and RSnake's click-jacking vector is now documented by Big J himself. The reality is, this is just another way to pwn your stuff. It's novel, but we are going to see a lot more novel stuff. The world is going to get a lot harder for a security person before it gets easier, and that puts a premium on making sure you can recover from incidents quickly and effectively.

  2. Enterprises overpay for AV? Say it ain't so, Gartner. Evidently they think so, but the reality is more about bundling than anything else. Today's suites are not your grandfather's AV suite. There is a bunch of crap (that you probably don't need). It's more like an Office suite than anything else. Add more crap to maintain the price points, even if customers don't need the extra crap. So yes, negotiate hard and maybe even move to a real computing platform, but at the end of the day you'll pay with a smile. Because it costs too much to not have it, even though it's not perfect.

  3. Mitnick talks about protecting his own data, just in case someone realizes you are a convict and a hacker and wants to give you a hard time in airport security. These aren't bad tips, especially the idea of having all your relevant data replicated somewhere else (I prefer to replicate to various machines on my own network and a backup service in the cloud), and yes, you should be encrypting your hard drive.

  4. Let's go over this again. COMPLIANCE <> SECURITY. And bogus compliance definitely does not equal security. Forever 21 may have been wrongly granted the PCI rubber stamp, but ultimately it doesn't matter. Even compliance organizations will get nailed. Hopefully they'll be able to figure it out quickly and notify me even faster, so I can contain my own damage. Though I do think this is another data point to how important it is for the PCI poobahs to get that quality program in place and to start holding QSAs accountable when they blatantly screw up.
  5. Pay per use investigations? Hmmm. Verizon is using EnCase on a pay-per-use basis and I guess Guidance is being creative in getting their software sold. You'd think a company as big as VZ would be doing investigations all the time, and they'd be able to use EnCase as a key part of their investigations team, so bounding its use wouldn't make sense. But I guess Guidance will take what they can get.
  6. Qualys adds web app scanning to their PCI "compliance" offering. It's about time, but the real question is how functional is the app scanner. Is it ScanAlert (meaning a joke) or is it AppScan. And ultimately, a bunch of the apps are compromised using good old human ingenuity, so does this really make a difference? I'd say yes because even low hanging fruit tastes good to hungry attackers.
  7. Websense finally releases a DLP endpoint agent. Right on time. They also integrate the DLP and web security gateway about 2 1/2 years after acquiring Port Authority. At least there is some urgency over there to maintain technical innovation.
  8. This is a pretty old post on the VZ Security blog (yes, the former TruSecure/CyberTrust guys), but it's rock solid. It's about how to justify security ROI and acceptance of the reality that is a big cow patty. The point is summarized here: "You need to revalue your environment and show how, without these components, the risk you’re presented with outweighs the cost of bringing it up to snuff." Amen, though you are still making up your numbers to figure out the economic impact of the risk, at least this post positions the right way to think about it.
  9. Stuart King talks about the need to think about security within the context of business. And the reality that not all controls need to be expensive. He's absolutely right and reflects the reality that many folks are still stuck in 1990s thinking (throw a product at it and the problem goes away) and even more recent thinking (check the compliance box and the problem goes away). But the problem is not going away because it's a fundamental business problem.
