Secure Computing

McAfee is proving itself to be the most astute buyer out there in security land. For less than $500 million, they acquired Secure Computing this morning and are now back in the network security business. Pete Lindstrom goes through the weird chronology and I'm thankful that there are other guys in this space as long as I've been - so I don't have to remember everything.

Secure Computing has been struggling. You only need to look at the stock chart over the past year to see that. They were caught in no-man's land. Not big enough to do real deals (Securify is not a real deal), but too big to be nimble or easily acquired. Not at close to a billion dollar valuation (which is where they were only a few months ago) anyway. But at half a billion, a deal become just a matter of time.

Alan points out that things started to turn to the negative for Secure once they bungled the CyberGuard acquisition. And before that deal was even through the alimentary canal, they totally over-leveraged themselves with the CipherTrust deal. McNulty got tossed and Dan Ryan (the new CEO) was faced with rebuilding. The stock got hammered and basically it was going to be a long steep climb back up.

Then McAfee came a knocking, and getting out is probably exactly what the board and the executive team saw as the only feasible option. It seems Dan Ryan is going to stick around and "run" the network security business, and we'll see how much (and who) else decides to stick around.

What's in it for McAfee? Well besides buying more revenue at a good value, they are also filling out the product line. Beside IntruVert (the enterprise IPS product), McAfee had very little exposure to the network security market, so there is very little overlap. Secure brings a bunch of firewalls/UTM devices and the email security gateway (CipherTrust's IronMail).

But the real gem here is Webwasher. McAfee's product in the web gateway space was poor and Secure's is a market leader, and this market continues to grow at a decent clip. McAfee will also try to make a big deal about TrustedSource (Secure's content reputation service), but it's not that novel anymore. Everyone has a reputation service nowadays.

For a long time, UTM and other network security words were counter to McAfee's positioning. But ultimately how can you say you are a legitimate enterprise security provider without having competitive offerings for securing the network? I could make the same case for Symantec (after they moved their gateway business over to Juniper a few years back). Basically you can't, so the pendulum will keep swinging back and forth, as technologies get spun out and subsumed again.

The channel synergy will be pretty good as well. Secure was having a hard time keeping enterprise-class sales folks, so having a lot more to sell and being more competitive will certainly help both retain and recruit better folks in the field. McAfee may also be able to revive the CyberGuard business, given it's mid-market distribution engine. Existing McAfee reps and channels get access to new product lines that can only broaden the value they offer for customers.

And let's not forget the US Feds. They are spending money like it's going out of style, or had been anyway before the Treasury wrote a trillion dollar check over the weekend. Secure had a good position in the Government market and McAfee is pretty strong there too. Definitely synergies in one of security's growth markets.

Of course, synergy on paper doesn't mean a lot until integration and execution happens. Secure Computing proved that many times, so the jury is really out on this deal, but given the price and lack of product overlap - it looks pretty good at first blush.

Photo: "Fish eat fish" originally uploaded by clara

 

Boy, Secure Computing is taking a pounding today. Stock is way down and a couple of vociferous Wall Street analysts are really beating them up. This story (link here) on SmartMoney really sums it up. Pain, unless you were short the stock.

Richard Stiennon is jumping on as well, both in his Threat Chaos blog (http://blogs.zdnet.com/threatchaos/?p=369) and in the comments section here at Security Incite. Since my RSS reading friends usually don't check out the comments, here's what Richard had to say:

Your insight as an insider is better than mine Mike but I have a few doubts. While Secure is one of the most experienced at integrating acquisitions they may be trying to swallow too large a kangaroo here, especially with the big bulge of CyberGuard still being digested. Financially the company could be getting too deep in debt to recover. As to the talent sticking around I highly doubt anyone would last longer than their vesting period. They have been slugging it out for five years, missed a few market opportunities, and are probably tired. Meanwhile, Atlanta seems to be heating up with new startups, new financings, and other activity in the security space. While I have infinite respect for Jay, I cannot believe he is going to last as a chief anything officer in a publicly traded company. He is too much of an entrepreneur to put up with big company BS. -RS

The risk here is execution risk, not market risk. When you see a lot of deals you get both flavors, which dramatically reduces the likelihood of success. But there is definitely a market for "enterprise gateway security" and Secure has the pieces to play. The real question is do they execute? Of course, the CyberGuard experience does not give me warm and fuzzies that they will.

But CyberGuard was a different animal. There was tremendous product overlap, so then you have to deal with reconciling the technology and figuring out how to migrate customers to a new platform. Maintaining both products over time makes no sense. There were also channel issues and that's always a challenge. They did not execute on integrating CyberGuard. It's a simple as that.

Richard is exactly right in pointing out the personnel risk of the CT folks. Many of my friends over there are tired. 5 years at that pace feels like a lifetime. I wouldn't say the ATL is "thriving" but there is a bit of activity and many of those folks are start-up types. So it's a real risk that the brain trust of CT goes away sooner rather than later. But just as many folks are excited about the idea of playing in a bigger arena.

And of course, it seems that Wall Street's biggest issue is the economics and profitability impact. That's what those folks are paid to worry about. But I look at it a bit differently. Secure MUST pay attention to CT and work hard to unlock the value. It's a bet the company move. They are now highly leveraged and we know how a lot of those LBO's of the late 80's worked out for folks that didn't execute. If they bought something small, they could neglect it and bungle it with no impact. That's not an option here. If he doesn't get this right, McNulty (SCUR CEO) will be out on his ass. That's a fact.

So we'll see. There are lots of reasons not to like this deal. I could definitely be eating my words sooner rather than later. But I'm a bold guy and I like bold moves. This was a bold move - for both companies. 

 

It was an interesting afternoon for Secure Computing. I'm sure great highs and terrible lows. First off, they missed their Q2 by a country mile. This was the second consecutive quarter they missed since they closed the CyberGuard deal. The Street is taking their pound of flesh and then some. The stock is off 40% after hours and on the investor call there was obvious angst.

On the other hand, Secure announced the acquisition of CipherTrust for between $240 and 270 million, depending on whether Secure's stock recovers at all before the deal closes. It's a mixture of cash ($185 million) and stock (10 million shares), which makes CipherTrust CEO Jay Chaudhry as Secure's largest individual shareholder.

Interestingly enough, CipherTrust decided to go through with the deal even with the huge miss and resultant impact to the deal size. That means either they are true believers in the strategy and upside potential or there weren't any others at the dance.

In terms of disclosures, I am a CipherTrust shareholder and expect to liquidate my holdings upon closing. Yes I'll end up making a little money on the deal, so I'm happy. And a number of my good friends that are still over there seem to be excited about the deal, so good for them. But given my "insider" knowledge, I'll restrict my comments to the strategic rationale of the deal and the impact to customers. That's only fair.

The new Secure Computing is positioning as the "enterprise gateway security" company. With UTM, messaging security and web security under one roof, the story actually works. Secure wants to own the DMZ and they've got most of the pieces to do that. They specifically will not play on the desktop or the data center for the time being, and I think that focus is good.

Of course, they need to integrate all of those pieces or else there is no leverage. That is Job #1 and they don't have a lot of time. Secure also will be well suited to start looking at integrated hardware. Maybe blades, maybe virtualized stuff, but something to differentiate from McAfee or Cisco, that don't really have a combined appliance.

They also will not be able to buy anything else for quite some time, so they'll need to run with the horses that are already in the barn. Optimally, you'd like to see them add some more sophisticated outbound content filtering (beyond Webwasher), but besides that they've got the pieces. And over time, the gateway only play is inherently limiting. There is some stuff that will need to be done on the devices and some in the data center. But one step at a time, they've got a lot of integration work prior to this being an issue.

In terms of the strategic rationale, Secure outlined 4 reasons why the deal makes sense, but I was only able to capture 3. Oh well. Let me pick them apart.

1. Differentiated product set - Not so much. That's why the management integration and eventually the hardware integration is going to be critical to making differentiation a reality. Secure definitely has more pieces than a BlueCoat, SurfControl, F5 or Websense now, but that makes them the tallest 3rd grader on the playground. They aren't going to match up well against the 5th graders (Check Point and ISS) with a lot more revenue, or the Big Security 9th graders (McAfee, Symantec, Juniper, Cisco) that have much bigger resources and huge cash cows to milk.
   
   
2. Reputation-based technologies - This is actually the key to unlocking the value of the deal. When IronPort announced their web gateway a while back, it's positioning was based specifically around integrating "reputation" into the web filtering space. Secure can now do that, but it's not going to happen on day 1, let's be clear about that. CipherTrust is an email security company and gathers email security data. Once the deal closes, they'll presumably have access to a much wider mix of data, but then the fun work of gathering, correlating, and integrating it into the products start. Don't expect impact here until late-2007 - best case.
   
   
3. Distribution - Secure acquired a great enterprise customer base and a strong sales force (I should know, I used to work with them). If they can retain the talent, that will help especially with big, competitive enterprise class deals against Big Security. But I'm not so sure Secure's 1600 resellers will know what to do with a complicated, enterprise class email security gateway. That will be one of the biggest initial challenges because CipherTrust always stayed very focused on a select set of resellers. But Secure does have a lot more resources for training, etc. and a much better and broader international platform, which has been problematic for all the email security players.

CipherTrust is also committing some people resources to the deal as well. Specifically mentioned were Jay as Secure's new Chief Strategy guy. Paul Judge as the CTO, and Atri Chaterjee as the lead marketing guy. The ultimate success of this deal depends on at least some of the CipherTrust DNA sticking around. In order to thrive longer term, Secure's culture will need a bit of the CipherTrust aggressiveness. And candidly, CipherTrust's culture needs a bit of big company structure and process. If those guys (and many of the sales folks) are still there in mid-2007 that would bode well.

So, overall I can see the strategic rationale behind the deal. Customers that don't want Big Security in their DMZ now have an alternative, and if the technical integration is pulled off it's potentially a compelling alternative. CipherTrust customers will now have more stuff to think about as they re-architect their DMZ and Secure customers get a leading email security gateway option.

There will inevitably be some integration hiccups, so folks like IronPort and Proofpoint have a small window to throw some FUD (fear, uncertainty, doubt) around to try to get new deals. But neither is a stand-alone opportunity over time, so they should buddy up to Check Point and ISS, as the 4th graders are going to need additional stuff to compete on the playground.

Having to jog my memory to remember the inventor of the firewall got me thinking about the early days of the network security market. As I'm writing this, I'm not exactly sure where it's going to end up. I'm thinking that providing some firewall history will help folks understand today's market dynamics a bit better.

The first thing that is abundantly apparent is that the world is far more complicated today. Way back when, customers had to worry about strong authentication and firewalls. That was about it. I guess you could count mainframe security, but that was more of the data center guys than the network guys that I dealt with daily. Nobody really thought about enterprise security, it was really focused on domains like network and host.

In terms of examining the two spaces, they couldn't be more different. Security Dynamics (now RSA) dominated the authentication space because they had built their agent into every remote access product out there. The other folks (Enigma Logic, LeeMah Datacom) couldn't compete. RSA still enjoys a huge market share position today.

The firewall market was brutal. You had DEC initially, but they couldn't get out of their own way. Then you had Trusted Information Systems, Raptor, Secure Computing, and Check Point trying to get established. So very similar to today, you had a bunch of companies that were chasing the same market, telling roughly the same story and making every deal a blood bath.

So when I say I've seen the movie about today's market dynamics, I'm not kidding. There are more moving pieces and product cycles are a lot faster, but things are roughly the same.

Now TIS was an interesting company. To my knowledge, they were the first company that offered a security product for free over the Internet (the Firewall toolkit) and then sold a more functional and polished commercial version on top of that. I think a couple of company's have made that model work since then, eh?

Ultimately one company survived the firewall war, and it was Check Point. Why? They had better distribution and marketing. Check Point's approach was different (stateful inspection vs. application proxy) and they played that up. They vilified application proxies as slow and the wrong approach.

At the same time, Check Point nailed down a distribution deal with Sun, so an entry level version of Firewall-1 shipped on every internet server that Sun sold - and that was a lot. Check Point also got very good at getting the Sun direct reps to bundle in the upgraded version as part of the deal. The cost of sales on these deals was minimal, Sun did all the work. That's why Check Point had gross margins like Microsoft and net margins over 50%.

Interestingly enough, Raptor tried a similar deal with Compaq. That went over like a lead balloon. Basically, Compaq didn't sell much of anything - their channel did. Raptor just couldn't get Compaq's channel interested in upgrading the firewall. There were too many other things to do.

Check Point also started OPSEC, their partnership program, positioning their firewall as a platform, not a product. Once they built an ecosystem around their stuff, it was a lot harder for the other guys to compete.

But all of the firewall companies were able to go public and all benefited from the rising tide for a while. Then economic reality set in. Secure Computing used their overvalued currency to acquire a bunch of other companies and then hit the wall big time. They almost went down during the bubble, and ceased to become a firewall player. They are still in the business and even acquired what was left of TIS after the Network Associates deal, but they never regained their luster in the space.

Speaking of TIS, they sold out to Network Associates and then watched as CEO Bill Larsen's dream of a suite of security and management products turned out to be a few years premature. They tried to be big when small was still cool.

Then, of course, a little company called Netscreen started doing a firewall packaged as a secured appliance. I remember meeting with them when they were first launching the company. I couldn't believe what a dumb idea it was. Didn't they realize that Check Point owned the firewall market? Who wants it on a box anyway? Not one of my shining analytical moments.

So what? I ask that question all the time. Who cares about this ancient history? Well, I think every user needs to because history has a way of repeating itself. If you pay attention to the signs and recognize the patterns, you can save yourself a lot of heartburn. Vendors lose their edge, they don't navigate product or market transitions very effectively and many customers are left holding the bag.

Look at your current stable of "key" security vendors. Are you comfortable with their strategy? As big becomes the new small, are they poised to prosper? Are they willing to acquire the right products and partner to build a broader product set? Are they financially stable and have the resources to keep investing ahead of the next threat?

If you are not comfortable with any of the answers to those questions, it's time to start building a contingency plan. You don't need to pull the trigger too early, but you should give some thought to what you'd do if one of your key vendors is acquired or doesn't keep pace with the rate of change.

Secure Computing completes its acquisition of CyberGuard. Read the release.

This is all about consolidation of market share. Secure gains both in the firewall/VPN and web filtering markets. Secure also gets a bit more activity on low end.

It really doesn't make sense to support two lines of either firewalls or web filtering over time. Expect Secure to move to migrate Cyberguard customers to their platforms sooner rather than later. Don't believe the kubaya press release jargon, "we're going to take the best of both product lines and integrate." Blah blah blah. Economically, it doesn't make sense. Why force ALL of the customers to migrate when only half of them would need to? Pick a platform, communicate that to customers with a strong (and economically attractive) migration plan and move on.

For Cyberguard customers, this is a good opportunity to revisit your perimeter strategy since you are likely going to need to move platforms anyway. Call your rep (or VAR) and demand to understand the roadmap and how much investment your product is going to receive moving forward. If they can't give you a definitive answer within 30 days, get very worried. At a minimum, bring a couple of vendors in to see if you can squeeze Secure on the maintenance renewal.

There is also going to be some consolidation of VARs, so Cyberguard VARs will need to figure out if they want to add Secure to the mix or not. 

It also wouldn't be surprising to see some of the companies on the low-end (you listening Sonicwall and Watchguard?) aggressively courting Cyberguard customers, since uncertainty around M&A is the best breeding ground for vendor swap-outs.