M&A

Just in time for irrelevance, I finally have a few minutes of airplane time to assemble my thoughts on the Cisco/IronPort merger. Overall, I think it was a smart move for Cisco, but not a good deal. $830 MILLION dollars borders on ridiculous for IronPort, who maybe booked $100 million in 2006 (which is a very generous estimate). But it won't even make a dent in Cisco's cash balance or profitability.

So what's with the price?

I've come up with three explanations for the price of the deal. First, Cisco has a set multiple on revenues that they typically pay for a security company. Sure IronPort has more top line than their typical deal, but they couldn't figure out how to unlock that cell in the spreadsheet, so they just paid the money.

Second is that IronPort found something in John Chamber's email that was "unflattering." Being the gateway provider for Cisco for years (can't tell you how many times I saw that goddamn customer slide from IronPort), these guys could have found something "nice" (in Borat speak) and used that as leverage. Yes, I'm joking.

Finally, the most likely situation is a bidding war. It seems that neither Cisco nor EMC (they bought RSA for an inflated $2.1 Billion) likes to lose a deal, even if it costs them a couple hundred extra million. What’s a couple hundred extra million between friends? I guess if you’re friends with Bill Gates or Warren Buffet that kind of holds. I suspect there was another party with a big checkbook interested (starts with a "J" and ends with a "uniper") and Cisco decided they just couldn't lose the deal.

Who looks like the smartest guy on the block? That’s easy, it’s John McNulty of Secure Computing. Relative to this price, he got a steal in taking out CipherTrust for less than $300 million. Personally, I thought CT was fairly valued and was not disappointed in the outcome - but Mr. Market says I was wrong.

Some other thoughts:

Better late, then never - Cisco is late to the content security party. Symantec has been in it for years. Secure Computing took out CipherTrust. And spam continues to grow at an astounding rate. You also have web filtering as a robust product category ready for a replacement cycle (exposing Websense to some negative fallout from this deal), so Cisco gets to play in all of these categories now, which they needed to. You have a lot of customers that like to buy everything from Cisco (even if it pisses off Dave Maynor), so now they can get their content stuff from them too.

Your reputation precedes you - A lot of folks have made a big deal of IronPort's SenderBase (and SpamCop) reputation network, which represents an effective way to block spam at the perimeter based on who is sending it. Reputation doesn't just apply to email, so having a big database of the relative "intent" of many of the IP addresses out there is a good thing. Cisco will leverage this heavily over the next few years, unless they are stupid - which they are not.

Encryption: sure we'll take some of that - IronPort had bought PostX in October for a song and a dance so now that goes along with the deal. But I suspect the secure envelope technology will get lost within Cisco, who barely understand that email is an application. The idea of statement delivery and other application level encryption is too much for Cisco to grasp right now. PGP and Voltage rejoice.

Losers

The most visible losers are the former CipherTrust shareholders, who evidently got swindled. Yes, I was one of them. But I don't play the woulda, shoulda, coulda game. Chaudhry got the deal done and in all likelihood walked away with more than Scott Weiss. Good for them, buy an airplane. That's all I have to say about that.

All but one of ProofPoint, Borderware, Tumbleweed, Mirapoint, and Barracuda are exposed. There is only one chair left and the music will probably stop by mid-year. Once Juniper makes its play, the rest of the folks are left holding the bag. If I had to bet, I'd say Juniper will take Proofpoint out. Borderware is a dark horse because the price would be significantly lower and they do have that SIP security box, which may interest Juniper - who knows a thing or two about networks.

Wherefore art thou IPO?

There is also a lot of speculation relative to whether another security IPO (after Guidance Software) will happen. Sourcefire has filed, though there is always the possibility they'll be taken out before they get it done. The UTMers - Fortinet and Crossbeam are the others frequently mentioned as IPO candidates.

I actually think both will file and one will get the deal done in 2007. Most of Big Security with Big Checkbook already has a UTM offering. Check Point could take out Crossbeam, which would make sense - but it's hard to envision who would take out Fortinet at a billion dollar valuation. Maybe when Alcatel-Lucent eats enough of whatever the French equivalent of Tums is, they'd be ready to get back into the enterprise game. Maybe Nortel. But probably not.

So I haven't given up on a Security IPO in 2007.

 

It didn't take long for Websense to figure out they needed to own a leak prevention technology. Only a few weeks after doing an OEM deal with PortAuthority, they decided to acquire the company for $90 million in cash.

The release is here.

Why do the deal only weeks after the OEM is announced? Clearly there was some type of catalyst and given the multiple (which is probably 12-13x 2006 sales) it looks like there was another suitor involved. That is just speculation on my part, but if you are getting the milk, you don't buy the cow. Unless someone you don't like is about to buy the cow. Then you pay double.

From Websense's perspective, they had to do something. Gene Hodges (Websense's CEO) said they were going to start doing small deals, so this is as good a start as any. Their existing customer base is a good place to start pushing this technology and it's a good fit with a content-centric perimeter security strategy. PortAuthority is also software, so it fits well with Websense's existing products.

PortAuthority's technology was also pretty well regarded, especially their ability to accurately fingerprint documents. We'll see how Websense is able to integrate the product into their channels and whether they can keep up with the pace of innovation, since deals usually adversely impact product delivery by 6 months or so.

So what's in it for PA? Basically they get out, and that's a good thing. The leak prevention market is going to get even bloodier next year as leadership is fought over. Partnering up before it gets messy at a valuation that is a pretty big win for the investors and employees is a good holiday gift to all involved.

So it's not even 2007 and the consolidation in leak/extrusion prevention has begun. There is no doubt we'll be seeing more of the same next year.

 

This morning Check Point announced a deal to acquire Protect Data, better known as Pointsec, for about $586 million in cash (here). At first glance, this is a good deal for Check Point, a better deal for Pointsec, and puts Check Point right in the middle of one of the hottest markets out there - mobile data encryption.

First, Check Point has done SOMETHING, so that is good. Most have just assumed that Check Point would continue milking their installed base and continue going nowhere fast. This at least shows definitive evidence that Gil and Co. are still working for a living. Acquiring Pointsec, which is headquartered in Sweden, was also a good move because it takes US regulators out of the critical path. It's not clear that regulators would continue to be an issue (since Alcatel/Lucent was just approved by the US President himself) for Check Point to buy US companies, but why take the risk?

Second, the deal feels a bit pricey. $586 million on what will likely be around $75M or so in 2006 revenues is a 7-8x multiple on sales. It represented about a 40% premium to where Protect Data's stock was trading in Sweden (UPDATE: the premium is on the average price over the past 90 days - the premium is nil to where the stock trades now). The Pointsec business (which is about 90% of Protect Data's revenues) is growing over 90% year over year. But we all know that the law of large numbers kicks in (Check Point is only expecting $90 million in 2007 revenue impact), so maintaining that type of growth rate will be hard.

Let's look at the market for what Pointsec does. Clearly, given all the laptop and PDA thefts that resulted in private data loss (and the resultant notification efforts) in the news, this is a hyped-up market. Given Pointsec's run rate, they are moving a lot of units to meet demand. This is one of the few security markets where customers are buying first and thinking (and architecting) second, which makes sense given the pain of the notification effort (VA anyone?). Pointsec's technology has always been well regarded and the market will continue to show good growth.

It was mentioned in the press release that Pointsec gives Check Point exposure to the "data security" market, and that's an interesting thought. Protecting data is different than protecting the infrastructure, and it will be interesting to see how Check Point goes after the data security market. Will they look at application security oriented solutions next? Or something in the database security space? To be clear, mobile encryption is not data security, but it's certainly closer than a firewall.

What about leverage with Check Point's existing business? Clearly there is quite a bit, since I've said for a while that mobile encryption is a feature of a broader endpoint security offering. Well, Check Point already has one of the leading products in that space with the Integrity/ZoneAlarm suite. So the Pointsec solution can be bundled pretty quickly and provide a more compelling (and broader) solution for endpoint security.

On the negative side, Check Point hasn't done a good job integrating Integrity/ZoneAlarm into their bigger set of product offerings. So now, Check Point has two distinct businesses, the network stuff (still dominated by FW-1/VPN-1) and now the client side (Integrity and Pointsec). The buyers are different, since it tends to be the desktop manager that has a bigger say in what solutions get rolled out to the endpoints. But Check Point is talking about a "single framework" for network and data security, which I'm not sure is going to be compelling given the organizational dynamics at work.

Clearly this is a first step. Check Point still needs more pieces to be able to spin a compelling story at the CIO level. The data security angle is an interesting one. But doing security well at both the infrastructure and the data/information level is hard and requires a lot of resources. Ask Symantec about that.

So overall, this is a good move to Check Point, albeit a bit expensive. Given the cash flow machine that is Check Point, if they can drive some better channel efficiencies and bundle Pointsec along with the Integrity endpoint stuff, it could be a bargain in hindsight. But isn't that the case with all deals?

At the risk of offending pretty much everyone, let me tell you a little bit about MiSS Consolidation. She (or could be a he, but the MiSS moniker makes it work) is kind of like some of those ladies from high school that you haven't seen for a long time. Back in the late 90's, she was a babe. The VCs fawned over her and she got invited to all the cool parties and money rained from everywhere. Then she went through her awkward stage. Probably had something to do with a hangover from spending all that money. Some of them moved away, some just disappeared.

But then you decided to go to your high school reunion and you saw her again. She's had a few kids and probably adopted a few. She's large and in charge. She's brutally efficient and given the rate of her eating, there is no telling how big she's going to get. "Built for speed" is how we used to refer to those ladies way back when.

Sufficiently nauseated and offended? Good. I'm in that kind of mood today. But let's get back to the topic at hand. Between the recent IBM/ISS deal and today's SecureWorks/LURHQ deal (info on the deal here), there is no question that MSS providers need to get big or get out. And they need to do it NOW.

The vendor dynamics are pretty straight forward. Stand alone MSS providers are going to get squeezed. The big guys will drive down the costs because they can and there's little outward differentiation. And VARs will increasingly decide to get into the MSS game and cut the lower part of the market out of the mix. So the stand alone guys better get the heft to compete on price and efficiency.

For these reasons, I actually like the SecureWorks/LURHQ deal. First of all, they get to dump probably the worst company name out there (what the hell is a LURHQ?), as the combined entity will be called SecureWorks. But there is also little overlap. SecureWorks plays in the SMB space, mostly financials. LURHQ specializes in larger entities with little verticalization. They've got little overlap on the technical side as well. Each focused on a different aspect of running security networks. SecureWorks on FW and network IPS. LURHQ on SIM and management.

Of course, there is a lot of execution to happen. And we cannot minimize those complexities. They will need to wring some costs out as well. But there is leverage in joining the two models, streamlining operations and moving to a consistent go 2 market model.

And MiSS Consolidation will be back. She's hungry and her appetite cannot be satiated.

SecureWorks is well positioned to be gobbled by someone bigger. They've got enough heft (run rate of about $50 million) and enough customers to make a difference. They will be an attractive target for someone either looking to gain a bigger presence (like VeriSign or Symantec) or get into the MSS business (McAfee or HP). Or maybe even a carrier like AT&T, given SecureWorks already has a relationship with BellSouth and Verizon has the NetSec guys from MCI.

But this won't be the last MSS deal we see. Not by a long shot.

 

As I alluded to in this AM's TDI, EMC has not let the grass grow under their acquisitive feet and acquired Network Intelligence for $175 million this morning (release here). This looks to be about 4-5x sales and it a healthy number given that SIM is clearly just a feature of security management. Stiennon may not want to call it consolidation, but there is no standalone market for SIM. So now we get to watch all the vendors run for the exits.

For EMC, the deal makes sense on a number of levels. First, EMC has spent a while aggregating some management technologies (notably SMARTS) and Network Intelligence fits into that model. They provide intelligence for what is going on from a security standpoint and I think there is leverage in the data and analysis that SMARTS brings to the table for the network folks. It also gives some additional capabilities to the RSA folks, who didn't have a SIM in their bag.

Ultimately, I think the most leveragable part of the deal is something that EMC neglected to spell out in their deal presentation - the role of log management in driving more storage consumption. In fact, I'm not sure EMC realizes they just bought into the log management space. This is a good thing for EMC because logs take up a crapload of space, especially forensically clean ones. Anytime you are storing 100,000 things a second, it's going to demand some space. Ergo more storage.

EMC painted Network Intelligence as a SIM because that's where they started and that fits better into EMC's stack chart of all the security markets they play in. Too bad it's wrong. If you look at NI's positioning of late and what problems they were trying to solve - it feels a lot more like log management to me. If they were going to go it alone, they'd need to morph their positioning and log management is where they would have ended up. They were already more than halfway there.

I also want to point out that log management, though a distinct market from SIM IS NOT a standalone market over time either. On LogLogic's blog (here) they go through their reasoning about why SIM is crap and log management is a standalone market, based on what SANS says. Besides the fact that SANS just put on a blow-out Log Management Conference, it just doesn't ring true to me. Over time log management is also a subset of a broader security management story. Like SIM, only different.

I'm not disputing that log management is different than SIM. I've written about that a number of times (here, here). It's about high volume log aggregation and forensic cleanliness to help in the event of an issue. Like every other security market, the log management folks have plastered a reporting engine on top of it to appeal to the compliance folks.

But I don't believe it's standalone ad infinitum. So the real question is when does someone like Network Appliance (who is also trying to break into the security market) take out LogLogic or some repositioned SIM-thing like SenSage to gain exposure both to security and to control a storage driver. Or maybe it's Cisco or Juniper, since you can just as easily aggregate network log data. Or even Symantec or McAfee, though neither one particularly understands appliances.

The only thing I do know is that it will be someone, you can take that to the (Log) Bank.

The consolidation frenzy in tech-land continues unabated. Since only one of these deals is security related, I thought I'd do a wrap-up post quickly summarizing each deal and underscoring some of the trends that drive these hook-ups, since none of these would make the TDI cut themselves.

In TDI format, here goes:

Deal: Verano finds the eDMZ
So what? - Verano is a company you've probably never heard of, unless you are in the utilities business. They provide security services for this vertical in the form of understanding SCADA systems. I'm not exactly sure what that means, but evidently they do OK at it. Buy buying the struggling eDMZ's managed services offerings (eDMZ who? - which is exactly right), Verano can now address one of the big blind spots in the land of utilities - protecting the SCADA system. Like smaller financials, many of the utilities don't have the resources to really protect their systems, and if something goes down - it's very inconvenient for the residents. This is a logical move for Verano and we will see more of this niche industry consolidation of players that couldn't make it on their own.
http://www.verano.com/news/pr091206.php

Deal: AT&T pledges allegiance to the USi
So what? - I can honestly say that USi was my worst investment ever. I'm not sure i'll ever make back my capital losses on that one. But it's interesting that AT&T would take them out at this point. Clearly AT&T has to figure out how to climb the stack and outsourcing applications is one way to do it. They still own Sterling Commerce and now with USi are going to be able to have different conversations with customers with this stuff in the bag. From a security viewpoint, it's about application securty and what are they doing to ensure my data (it doesn't get more sensitive than HR and ERP data) is protected? Will AT&T be able to scale the model cost effectively? But given the negative margins in many of their other businesses, this seems to be a logical direction. How long before Verizon copies this strategy too?
http://www.sbc.com/gen/press-room?pid=5097&cdvn=news&newsarticleid=22676

Deal: Apptix says check-Mi8
So what? - Apptix recently acquired my managed Exchange provider, and now they are taking out another player - Mi8. None of these services are big money players (all have been doing about $4-5 million /quarter), but if you put them all together and apply some economies of scale this could be a cash register. And you get a presence in many of these SOHO small business that will increasingly be looking to outsource more of their infrastructure. Again, security is adjacent to this deal, only in trying to figure out how your data is going to be protected - given the sensitivity of stuff that is stored in email. But there is no doubt that managed offerings are gaining traction in the 1-100 employee segment, and Apptix is willing to spend the money to be a player.
http://www.apptix.com/media/pressreleases/091106/

Stay tuned, I suspect the investment bankers will remain busy for quite a while disposing of the too-many VC funded companies that remain in tech-land. If those folks weren't so parasitic, maybe that's something I'd suggest to the kids.

 

In today's Daily Incite, I did a retrospective of the news and blog coverage on the IBM/ISS deal. Of course, I like to think provided some context and value-add, but you will be the judge of that. But since it was down towards the bottom of the newsletter, I figured I should call it out here.

So check it out and add some comments (to either this post or today's TDI). Per usual, if any good dust-ups happen in the comments, I'll pull them out, post them separately and get the last word. You can call that the home-field advantage!

http://securityincite.com/blog/mike-rothman/the-daily-incite-august-28-2006#IBM-ISS

 

IBM confirmed the worst kept secret in security-land this AM buy acquiring ISS for $28/share. Only a 6% premium to yesterday's closing price - but about 50% higher than the stock was trading before the rumors started.

Press release is here.

It's an interesting deal since IBM has been dabbling in security but hasn't really been focused on it. It also seems that the products business is going to be hung out to dry. ISS will become a business unit under the Global Services umbrella. The "software" products will be integrated into IBM Tivoli stuff (not sure what that means), but what about the hardware?

Is Proventia dead? If you are a Proventia customer (or looking at the product), then it's in your best interest to defer purchase until the integration plans and product roadmap crystallize. There will be a lot of uncertainty until the deal closes, which is another reason to defer purchases.

Another open question is what will become of ISS' management team. It's not like IBM keeps many of the senior guys in their big acquisitions, so maybe this is Tom Noonan's opportunity to ride off into the sunset.

If they are having a conference call, I'll listen in on that and do a more detailed post later. Just wanted everyone to get the news hot off the presses!

In this week's column, I go into the EMC/RSA deal - but more from the perspective of why all of the detractors have it wrong. I seem to be one of the only folks that is positive about the deal, but I like it that way. If I agree with everyone, I'm not doing my job.

I'll also note that I have to be more careful about using cliches like "game-changing" in my mass market columns. I do use that term here, but then I went on to say about how the term game-changing makes me want to puke. Surprisingly, that part got edited. Arghhh!

But I guess that is part of the game. We'll see how this deal plays out over the next few years.

http://www.networkworld.com/columnists/2006/071706rothman.html

Technorati tags: EMC, RSA, security, M&A, data security, authentication, identity management

Following this M&A stuff is becoming a full time job. This morning, SurfControl acquired Black Spider (link here), which is a content security service provider that does email and web filtering. Postini, MessageLabs, and ScanSafe are their top competitors. I had decided not to do a separate piece, but then I heard from a friend of mine who is over in the UK and he mentioned how everyone over there was fired up about it. Sometimes I need to remember that we all live in a global village.

The specifics of the deal are pretty straight forward. SurfControl pays US$36 million and gains entrance into the managed service business. Black Spider gets an exit, and worldwide distribution given their real strength was in EMEA. As an added bonus, Surf Control can probably sell the blackspider.com domain name to Columbia Pictures for a pretty penny (if you've seen the Spider-Man3 trailer, you know what I'm talking about).

To be clear, Black Spider was small with about 1200 customers and doing less than $5 million in revenues, but that doesn't matter. They'll fit into SurfControl like a glove. If a customer wants a service option, SurfControl doesn't have to walk away from the deal (or the customer). It's a pretty compelling way to play into the inevitable trend that most customers will want to filter email and web traffic in the network (see Incite on Content Security here).

And as opposed to other deals announced this week, $36 million is very affordable for SurfControl.

Yet, there are always challenges every deal, and with this one comes the challenge of channel conflict. It needs to be very clear to the SurfControl field force when they should look to sell a service or an appliance. The worst case scenario is that they try to sell an appliance, and only when the client says a resolute NO do they move towards the service. By then, Postini or MessageLabs is in the house and will win the business.

You also will have a potential area of conflict around their VARs trying to get into the MSS business themselves. When I was in the business, I saw a lot of that and it's only been increasing. You know, a VAR buys 3 Barracuda's and bingo, they are in the email security business.

But for the most part, this deal makes perfect sense and is a precursor to maybe some bigger folks that offer appliances moving to take out the leading service providers. McAfee already sells Postini's stuff and IBM is very close to MessageLabs. So it wouldn't surprise me to see more deals in the space sooner rather than later.