Deals
Deal: McAfee gets more "Secure"
McAfee is proving itself to be the most astute buyer out there in security land. For less than $500 million, they acquired Secure Computing this morning and are now back in the network security business. Pete Lindstrom goes through the weird chronology and I'm thankful that there are other guys in this space as long as I've been - so I don't have to remember everything.
Secure Computing has been struggling. You only need to look at the stock chart over the past year to see that. They were caught in no-man's land. Not big enough to do real deals (Securify is not a real deal), but too big to be nimble or easily acquired. Not at close to a billion dollar valuation (which is where they were only a few months ago) anyway. But at half a billion, a deal became just a matter of time.
Alan points out that things started to turn to the negative for Secure once they bungled the CyberGuard acquisition. And before that deal was even through the alimentary canal, they totally over-leveraged themselves with the CipherTrust deal. McNulty got tossed and Dan Ryan (the new CEO) was faced with rebuilding. The stock got hammered and basically it was going to be a long steep climb back up.
Then McAfee came a knocking, and getting out is probably exactly what the board and the executive team saw as the only feasible option. It seems Dan Ryan is going to stick around and "run" the network security business, and we'll see how much (and who) else decides to stick around.
What's in it for McAfee? Well besides buying more revenue at a good value, they are also filling out the product line. Besides IntruVert (the enterprise IPS product), McAfee had very little exposure to the network security market, so there is very little overlap. Secure brings a bunch of firewalls/UTM devices and the email security gateway (CipherTrust's IronMail).
But the real gem here is Webwasher. McAfee's product in the web gateway space was poor and Secure's is a market leader, and this market continues to grow at a decent clip. McAfee will also try to make a big deal about TrustedSource (Secure's content reputation service), but it's not that novel anymore. Everyone has a reputation service nowadays.
For a long time, UTM and other network security words were counter to McAfee's positioning. But ultimately how can you say you are a legitimate enterprise security provider without having competitive offerings for securing the network? I could make the same case for Symantec (after they moved their gateway business over to Juniper a few years back). Basically you can't, so the pendulum will keep swinging back and forth, as technologies get spun out and subsumed again.
The channel synergy will be pretty good as well. Secure was having a hard time keeping enterprise-class sales folks, so having a lot more to sell and being more competitive will certainly help both retain and recruit better folks in the field. McAfee may also be able to revive the CyberGuard business, given its mid-market distribution engine. Existing McAfee reps and channels get access to new product lines that can only broaden the value they offer for customers.
And let's not forget the US Feds. They are spending money like it's going out of style, or had been anyway before the Treasury wrote a trillion dollar check over the weekend. Secure had a good position in the Government market and McAfee is pretty strong there too. Definitely synergies in one of security's growth markets.
Of course, synergy on paper doesn't mean a lot until integration and execution happens. Secure Computing proved that many times, so the jury is really out on this deal, but given the price and lack of product overlap - it looks pretty good at first blush.
Photo: "Fish eat fish" originally uploaded by clara
Deal: McAfee acquires Reconnex
As predicted, the DLP market continues to consolidate on its way to eventually disappearing. McAfee announced as part of their earnings release that they are acquiring Reconnex for $46 million in cash. This is a good deal for McAfee for lots of reasons. I don't think they are going to be "redefining the data protection market" as stated in their press release - but there are positives.

- All the cool kids have one - McAfee needed to bolster their DLP position because their benchmarks, Symantec, Trend, EMC/RSA, and Websense, already acquired assets in this space. They also realized the endpoint centric product they've brought to market (based on the Onigma acquisition) wasn't going to get them there. Reconnex is one of the last independents standing, so it's not a surprise they got taken out.
- DLP is a feature - As I've mentioned, DLP is not a market category that is going to stand alone. These capabilities need to be built into bigger security, and eventually general IT infrastructure. McAfee now has some more technology to foster that kind of integration and value add.
Of course, all that glitters is never gold, so there are some things to watch for, especially around channel mismatch. McAfee doesn't really have a high end services/implementation business to drive big DLP implementations. And their channel tends to focus more on mid-sized companies. Sure they do some big deals (around endpoint security and some IPS), but there could be a bit of an impedance mismatch when the reality of DLP deployment cycles sets in.
How about that price?
But any potential issues with the deal are offset by the price. $46 million in cash. Wow! That is really a fire sale price for a company with seemingly a lot of momentum. I guess seemingly is with a capital SEEMINGLY.
Reconnex had raised $37 million in VC funding. So the VCs get their money out, the management team (mostly executives) maybe gets a little carve out, and the rank and file get screwed. Of course, that is speculation on my part, but having seen enough of these deals - I'm probably not too far off.
This is just yet another example of the reality that you cannot believe all you read. Check out the momentum release from TWO WEEKS ago. If you take the words on the surface, things are going great. Lots of growth, named a leader in that quadrant thingy, yada yada. The print isn't even dry on that release and they sell for not much more than DeWalt's expense account.
I'm sure there is some kind of back story here, and I'm sure it's not real pretty. But at the end of the day, they got a deal done. Bully for them. And once again, McAfee shows it's one of the shrewdest buyers in the space. They won't have to turn many Reconnex lemons into lemonade to make the deal pay big time.
Photo credit: "Cheap Store" originally uploaded by ZannaLyon
Barracuda buying Sourcefire? When Hell(FIRE) freezes over!
Yesterday the folks from Barracuda announced an unsolicited takeover attempt of Sourcefire. They are proposing a 13% premium and think they can "fix" some of the execution problems that have plagued FIRE since they went public.
I'm sure the fish aren't laughing, but everyone else in the industry is. This deal isn't going to happen, not in its current form anyway. Here are a couple of points that create serious headwind for the deal:
- Crappy premium - Barracuda is bottom fishing here. Yes, FIRE has had issues and there is a ton of uncertainty about their strategy and the CEO transition. But only a 13% premium. For that type of premium, large shareholders are better off just dumping their shares, rather than risk deal closure issues. Of course, I'm not an investor, but 13% seems a bit weak.
- Deal financing - Barracuda is offering a cash deal and says it "doesn't expect any financing contingencies." Really? I guess they could raise some money, but for a private company to raise what would need to be over $200 million isn't something you see every day and in this kind of debt environment wouldn't seem to be that easy.
- Distribution mismatch - Sourcefire makes their money from selling network security infrastructure to large enterprise and government institutions. Barracuda sells anti-spam boxes to everyone else. There really isn't a lot of leverage between the two models and if Barracuda wanted to get into the UTM business, there are a lot cheaper ways to go.
- Trend = Red Herring - Another big reason specified by Barracuda is that they can more effectively fight off litigation from Trend Micro over the AV gateway patent. Has Barracuda won their case yet? Oh yeah, not so much. So this is a Red Herring and just meant to sow more seeds of doubt about FIRE's existing management team.
- What about the main line of business? - Barracuda also says they can "fix" Sourcefire's issues. Really? How do they plan to do that, especially for only a 13% premium? This is not a credible statement. It would help to understand more about Barracuda's business for them to be able to justify that kind of statement. It's a cash deal - so they don't have to - but they should.
I'm no fan of Sourcefire's strategy (or lack thereof), but unless I see something more compelling than buying a bunch of cheap boxes and putting Snort on them - I don't believe Drako and Co. would be any more successful at "fixing" Sourcefire than anyone else.
So Sourcefire was correct in rejecting the deal and not even sitting down. If Barracuda was serious, they would have proposed a much higher premium and had a more effectively communicated strategy for the combined entity. They could have taken a page from Microsoft (62% premium for Yahoo) and IBM (huge premium for Lotus back in the day) and proposed a number that would be hard to walk away from. They didn't.
But let's be clear - that's not what this deal was about.
This is another example of why Barracuda may be the most effectively marketed security company out there. For the cost of a press release and some legal fees, they are going to be the talk of the town, even if Howie Mandel is just saying "No Deal!" You have to figure that Barracuda is angling for a public offering in the near term (once the markets right themselves) and this is a great way to get some visibility with the investors that are likely to invest in their IPO.
A 13% premium is a joke. But as a PR and investor relations strategy, it's brilliant.
Deal: Symantec pulls the trigger on Vontu
At long last, those consolidation watchers can finally exhale, since SYMC has finally gotten the Vontu deal over the finish line. The deal was announced this afternoon as a $350 million cash deal. It's a pretty decent multiple, which I estimate to be about 7-8x trailing twelve month bookings. Not as expensive as Brightmail, nor as cheap as Whole Security.
You can also read SYMC's "rationale" on how Vontu fits into their Security 2.0 strategy and introduces a new tagline "information-centric security."
The reality is Symantec needed to have some type of presence in the DLP space. Their big competition on the storage side is EMC and they have a widget in Tablus. Their main competitors in the security space are also well represented, as McAfee, Websense and Trend have acquired companies in the space as well. I've been saying for a while that DLP is more of a storage and information function than it is core security - so the fit with Symantec is pretty good. The question is whether this provides the "glue" that finally makes Symantec's security and storage capabilities kind of hold together.
And that brings up the huge blind spot in this deal, which is whether SYMC will be able to maintain Vontu's momentum in the large enterprise. They say Vontu will be run as a stand-alone entity, but I'm not sure if that's a good thing or a bad thing. They also plan to integrate Vontu into all of SYMC's existing offerings, given there is a piece of DLP in every aspect of SYMC's business. But to be skeptical (I know it's shocking for me), it hasn't happened in Big Yellow land with any other deal, so there is nothing that leads me to believe it will happen now.
Of course, there is always risk for existing Vontu customers that the deal won't go well and there will be a huge loss of Vontu brain power. But those are always risks in any deal.
Those most exposed are storage folks like Sun and NetApp, and big tech like Microsoft, Oracle, IBM and HP - who currently have no DLP strategy and may get left with 3rd tier pickings if they wait too long. Since DLP is clearly a feature of a bigger data security strategy, any player who says they manage data needs to have a story around DLP. There are also risks for start-ups who have not been spoken for, like Vericept, Code Green and Reconnex. You know the story of the company that holds on too long, waiting for that bigger, better deal. It usually ends as a fire sale. Though anyone independent now has some running room as the inevitable integration hiccups will provide a small window of opportunity.
So to net it out and not belabor the point, strategically the deal makes sense. Now it's all about executing the integration well and that really hasn't been Symantec's strong suit over the past few years.
Deal: Websense to buy SurfControl
Yesterday, after markets closed, Websense announced its intent to acquire SurfControl for about $400 million (Websense press release). On the heels of a decent quarter from Websense, this is a strong move to consolidate the web filtering market and gain exposure to the large (and modestly growing) email security space. As an extra bone, Websense also puts a toe in the water on the content security managed services business (via SurfControl's Black Spider operations).
On the surface, this deal makes sense along a number of strategic fronts:
- Channels - Websense has traditionally been enterprise focused via a direct model, SurfControl more on the mid-sized business via channels. There is little overlap, though it has been a strategic focus for Websense to go through distribution and more effectively target the mid-market. This obviously accelerates that effort.
- Exposure to email security - SurfControl was the first of the web filtering companies to make a significant commitment to email security, and the combined offering (with some innovative packaging) has been modestly successful. The product is not robust enough to compete in the high end enterprise accounts, but for the mid-market it was good enough. This was a big hole in Websense's story that is now patched up.
- Exposure to managed services - The trend in the mid-market is more towards managed services for content security. SurfControl bought a UK-based company (Black Spider) last year to go after that market. Their US presence has been minimal, but at least Websense will have an offering.
- Geographies - Being a UK company (at least started in the UK), SurfControl has a decent presence in EMEA and that will help Websense further push their international objectives.
- They are doing something - Websense was a company going nowhere fast and waiting for ankle biters (like Barracuda) and the high end folks to come and loot their installed base. They definitely had "CheckPoint-itis" for quite a while. So doing something is better than doing nothing, and though this is a big something - the alternative of waiting to become the walking dead didn't look too good either.
So, there is a good strategic rationale for doing this deal, but as always the devil is in the details. Here are some gotchas that jump out at me:
- Product line overlap - It is not efficient to support two distinct, competitive, overlapping product sets. But to pacify fears on the part of SurfControl's customer base, Websense committed to support the existing product lines for 3 years. That is problematic when one of the key strategies behind the deal was to gain synergies in the market.
- On the deal sidelines - Like Secure Computing's acquisition of CipherTrust, this deal is heavily leveraged. By pushing a cash deal, Websense is killing their cash position (at about $50 million after the deal, it seems a bit low) and taking on debt. The Wall Street guys can comment on the economics, but it clearly will keep Websense out of the acquisition game for 2 years or so. So they are going to play the hand they are dealt and in a business that changes as fast as security - the inability to do deals can be problematic.
- Customer retention - There are very low switching costs both on the web filtering and the email security product lines. So SurfControl customers can (and should) look at the market, as opposed to blindly renewing with the new regime. Websense customers should do that too, so there is a lot of risk that the so-called revenue synergies actually mean 1+1 = 1.6.
- Channel conflict - Websense has made it a point to buddy up to the channel and those efforts are proceeding, but there is still a lot of acrimony based on past sins. SurfControl plays into a different channel, and reconciling the programs and providing consistency is going to be a challenge.
- Lots of balls in the air - Websense has one, very small deal under their belt. Obviously Hodges and Co have done a lot of deals in their past lives, but culturally this is a lot different than PortAuthority. This changes the face of Websense and creates a lot of execution risk.
- What about ProofPoint? - When you think about potential partners for Websense, SurfControl wasn't really on the list. For a lot less money (although with IronPort's valuation, all the email security vendors may have an overinflated sense of their own worth), they could have acquired ProofPoint to gain exposure to email security, outbound compliance/encryption, and a largely enterprise oriented customer base. Of course, if the price would have been roughly the same, then they did the right thing - but ProofPoint would have been a cleaner fit.
So you are a Websense and/or SurfControl customer, what do you do? As with anyone that uses web filtering or email security products, you should scan the market every year. This business changes rapidly and you need to make sure your current product reflects your current needs. If anything, this deal creates the impetus to go shopping again.
The channel needs to figure out what the new programs are going to look like, so it's business as usual until the deal closes (probably 4 months at least, since it's an international deal) and then resellers should be pinning down Websense to clearly codify what the new programs are going to look like.
Whether you are a customer or a reseller, understand content security is a VERY VERY VERY competitive business and you have options. If you don't like what you hear from Websense, then go find something else. There is a lot of stuff to pick from.
Deal: Check Point buys Pointsec
This morning Check Point announced a deal to acquire Protect Data, better known as Pointsec, for about $586 million in cash (here). At first glance, this is a good deal for Check Point, a better deal for Pointsec, and puts Check Point right in the middle of one of the hottest markets out there - mobile data encryption.
First, Check Point has done SOMETHING, so that is good. Most have just assumed that Check Point would continue milking their installed base and continue going nowhere fast. This at least shows definitive evidence that Gil and Co. are still working for a living. Acquiring Pointsec, which is headquartered in Sweden, was also a good move because it takes US regulators out of the critical path. It's not clear that regulators would continue to be an issue (since Alcatel/Lucent was just approved by the US President himself) for Check Point to buy US companies, but why take the risk?
Second, the deal feels a bit pricey. $586 million on what will likely be around $75M or so in 2006 revenues is a 7-8x multiple on sales. It represented about a 40% premium to where Protect Data's stock was trading in Sweden (UPDATE: the premium is on the average price over the past 90 days - the premium is nil to where the stock trades now). The Pointsec business (which is about 90% of Protect Data's revenues) is growing over 90% year over year. But we all know that the law of large numbers kicks in (Check Point is only expecting $90 million in 2007 revenue impact), so maintaining that type of growth rate will be hard.
Let's look at the market for what Pointsec does. Clearly, given all the laptop and PDA thefts that resulted in private data loss (and the resultant notification efforts) in the news, this is a hyped-up market. Given Pointsec's run rate, they are moving a lot of units to meet demand. This is one of the few security markets where customers are buying first and thinking (and architecting) second, which makes sense given the pain of the notification effort (VA anyone?). Pointsec's technology has always been well regarded and the market will continue to show good growth.
It was mentioned in the press release that Pointsec gives Check Point exposure to the "data security" market, and that's an interesting thought. Protecting data is different than protecting the infrastructure, and it will be interesting to see how Check Point goes after the data security market. Will they look at application security oriented solutions next? Or something in the database security space? To be clear, mobile encryption is not data security, but it's certainly closer than a firewall.
What about leverage with Check Point's existing business? Clearly there is quite a bit, since I've said for a while that mobile encryption is a feature of a broader endpoint security offering. Well, Check Point already has one of the leading products in that space with the Integrity/ZoneAlarm suite. So the Pointsec solution can be bundled pretty quickly and provide a more compelling (and broader) solution for endpoint security.
On the negative side, Check Point hasn't done a good job integrating Integrity/ZoneAlarm into their bigger set of product offerings. So now, Check Point has two distinct businesses, the network stuff (still dominated by FW-1/VPN-1) and now the client side (Integrity and Pointsec). The buyers are different, since it tends to be the desktop manager that has a bigger say in what solutions get rolled out to the endpoints. But Check Point is talking about a "single framework" for network and data security, which I'm not sure is going to be compelling given the organizational dynamics at work.
Clearly this is a first step. Check Point still needs more pieces to be able to spin a compelling story at the CIO level. The data security angle is an interesting one. But doing security well at both the infrastructure and the data/information level is hard and requires a lot of resources. Ask Symantec about that.
So overall, this is a good move for Check Point, albeit a bit expensive. Given the cash flow machine that is Check Point, if they can drive some better channel efficiencies and bundle Pointsec along with the Integrity endpoint stuff, it could be a bargain in hindsight. But isn't that the case with all deals?
Security is needed - but that doesn't make it a good VC investment
But let's look at it from the investor's perspective. Lord knows, if there is no investment capital to fund the next wave of innovation for security companies - the bad guys are going to have a field day. VC's are concerned about the liquidity paths for many of these investments and they should be - that's what they get paid for.
In a post yesterday, Sagi Rubin of Gemini Israel Funds frets about the state of the security market and whether investing further capital in the space makes sense. This is a good quote that sums up some of his concerns:
The underlying statement was - No big exit potential for security startups (in other words - acquisitions will be sub $50m). This is also the sentiment of many VCs (VC investment fell 20% in 2005) Moreover, some of the reasoning was this:
- A maturing industry (that's consolidating)
- No IPO activity in security (only 3 IPOs in NASDAQ the last 5(!) years)
- The fact that the startups end up as "point" solutions which large companies like to view as "off balance sheet R&D" acquisitions
- And the fact that many segments are considered overfunded...
So what? These VC's think they are going to get another Google in the security space. They aren't. There's never been a Google or eBay in the space. If you look at the public companies that do security, the biggest pure play is now McAfee. Sure they have a nice valuation, but Google they ain't.
It's because security is largely still considered insurance. It's a defensive tactic - not an offensive one. No one (well, almost no one) considers buying a security product to sell new innovative products through totally unforeseen channels. But everyone needs insurance. Unfortunately it's not sexy. So pure play insurance companies have crappy valuations relative to "financial services supermarkets." Likewise, we'll see pure play security companies with similarly crappy valuations relative to folks that do everything (or say they do anyway).
Security also touches every aspect of the technology infrastructure. Thus, it's virtually impossible to control the entire security environment. Many are trying and that's why Cisco, Symantec, McAfee, and CA keep buying everything that isn't chained to the radiator. But there is no panacea, no silver bullet, no single vendor that will make all the problems go away. None, nada, zilch. Let's be very clear on that.
Given my current role, I don't much care whether the VC's will get great exits out of the way too many security companies that already exist. They have no one to blame but themselves for pumping too much money into crappy teams that had non-innovative ideas. That's Darwin at work and I love to see it.
Sagi ends with some wisdom, which I believe is the future funding model for security technologies.
Given the low exit valuations, entrepreneurs need to find out ways to create companies that have highly capital efficient models (i.e. will need less than $5m or $10m investment over their lifetime). Such companies could still make great returns for their investors (although they still might not fit into the VC model)
Amen to that. Starting a company is cheap now and with open source distribution and the blogosphere to magnify the impact of new innovative technologies - you just don't need to raise as much money. $5 million in and the potential of $35-50 million out. What's wrong with that?