Geeks Gone Wild?
Is the IT Security Industry Ready to Implode?
Outlook Ventures has been an active investor in the security space over the last year and believes that the sector is ripe for revolutionary technologies that deterministically limit the impact of security threats. This article has been contributed by John Muir, Managing Partner at Trusted Strategies, a leading IT Security consulting and research firm. It is derived from a keynote given at the 2004 RSA Conference. Trusted Strategies team members work closely with Outlook Ventures as catalysts on IT Security investments, helping identify and research security investments and assisting our portfolio companies post-investment.
It is no secret that information technology (IT) security is a hot sector, with nearly 700 IT security product companies competing in the North American marketplace. The number of companies continues to mount steadily; in the past quarter alone, 31 companies received venture financing, and that pace shows no signs of abating. So investors and entrepreneurs alike ask the question: "Is the IT security industry over-invested and ripe for massive consolidation?"
There are signs the industry may be. In spite of the large number of investments in this space, it is still a young space -- only 25% of the identified firms have revenue over $5 million. It is, however, apparent that some segments within IT security are over-invested.
An area of IT security that appears to be gaining momentum as a purchasing priority is securing internal company networks. Companies such as Reconnex are providing solutions that secure enterprise content, and companies such as Q1 Labs use heuristics to alert managers about day zero attacks inside a network. Another area that has seen growth in terms of purchasing activity is the management of access rights and privileges in a federated identity environment. Companies such as Bridgestream leverage proprietary technologies to allow or disallow access to information in a dynamic environment where shifts in roles and responsibilities are the business norm.
In contrast, multi-application network security appliance companies are proliferating because of low barriers to market entry, to the extent that the number of competitors in this sector has soared to 50 companies and beyond. Clearly there is no way all these companies can grow, achieve profitability and provide adequate investor returns.
To be able to grow, IT security investments are likely to face daunting challenges in the following areas:
All 700 security products compete for the same 3-5% of the IT budget that companies are willing to earmark for security.
Almost all of these companies resort to the same sales pitch: the sky will fall in if you don't buy my product!
Managers have a tough time justifying security expenditures because the standard metric of investment ROI is so elusive when it comes to security products.
Relatively few people in the prospect company understand the issues and technology, so the decision often gets deferred.
There are only so many security products that network administrators can implement and maintain.
Large prospective customers, still smarting from the dot com debacle, have decided to not purchase from the small vendors typical of most IT security firms.
While some segments within the IT security industry are seeing exponential growth in terms of new capital invested, other areas are seeing sporadic signs of consolidation. Perhaps the most direct evidence for consolidation should be the number of mergers relative to the size of the industry. There was a dramatic 400% increase from 9 to 36 mergers in 2001 and 2002, but the number of mergers remained relatively constant from 2002 to 2003 and the first half of 2004. Of equal importance, the average value per deal increased substantially so that the value of the mergers was 70% greater in 2003 than 2002 despite a generally weak equity market. In short, the number of mergers per year has remained relatively constant over the past 2.5 years despite a rapidly growing universe of companies, and the average value per transaction has gone up rather than down.
Compared to a population of 700 companies, an annual rate of 36 or 37 mergers is only about 6%; meanwhile 25 to 30 companies are being funded each quarter. So, from a 30,000 foot level, the number of companies continues to grow. As the number of security vendors grows, so does the number of security segments, because of a heightened understanding of security flaws and vulnerabilities and an increase in the number of smarter attacks with greater damage potential. Therefore, despite an active market for mergers, there is more evidence to suggest continued expansion rather than imminent implosion.
So let's examine the counter argument that the trends in the IT security sector indicate a healthy, growing market that merits continued financial support. First, consider the strength of the market drivers. IT Security is the antithesis of technology fads. Unlike many of the highly touted technology sectors, demand has, in our opinion, always lagged the real need. Nobody loves purchasing IT security products; they can be a real pain and more attractive investments are ever-present. But the forces that drive the implementation of security products are irreversible and continually mounting:
The risk potential for financial or strategic loss. A variety of surveys agree that losses mount each year, and that almost every company has had a material breach of security. Although we have yet to see a significant company destroyed by remote attacks, we can be quite confident that it will happen as a result of anything from a highly destructive flash virus to a specific online terrorist assault.
Regulations have been multiplying at the state, federal and international levels as lawmakers try to protect consumers from purposeful or negligent disclosure of private information. For example, the recent Sarbanes-Oxley legislation raises this concern to one of corporate governance: management has an affirmative duty to protect the core data of the enterprise. We are not far from the day when a security opinion letter will be as basic as an opinion from auditors.
Finally, liability in the form of litigation is starting to heat up, driven by fears of identity theft and fed by the appetite of attorneys for a new way to dive into deep pockets. Expect this uncapped world of pain to generate some truly monumental class action suits.
Together these three converging factors (risk, regulation and liability) form the perfect storm that will feed the need for security for a long time to come. Nobody should doubt that crime, terrorism, and vandalism on networked systems will continue to plague us and will increase in intensity - there are just too many attractive targets out there. Does anyone seriously argue that our commercial and government security problems have been solved?
Accordingly, most industry analysts are convinced that the market drivers are strong and long-lived. We have seen figures from a variety of respected sources indicating overall industry growth of 20% or more for IT Security through 2006, which will double the size of the market from today's size.
The outlook for a growing market derives in part from the universal recognition that security is both a "broad" and "deep" need for customers; broad in the sense that the need for security arises in just about every industry and for companies large and small, and deep in the sense that the diversity of security requirements cannot be satisfied by any one product or vendor. Indeed, large end-user companies have discovered a range of needs from anti-virus to authentication, from firewalls to forensics, from policy engines to virtual private networks.
The IT security sector is anything but monolithic. Trusted Strategies expends considerable energy creating a taxonomy of the industry to appropriately categorize the multitude of companies into discrete groups and sub-groups. This is not an exact science, but at present we have defined 50 categories with a few more likely to be added soon. So if we divide 700 companies by 50 or so categories we find that the average is about 14 companies per category, a not unreasonable figure, particularly when we consider that this is a worldwide market comprising both very large and very small customers on a wide variety of platforms.
We can also partially explain the growth in security companies by the growth in required technologies. For example, only very recently have people begun to worry about viruses on PDAs, or instant messaging security, or security for VOIP. Finally, we must bear in mind that the security market itself is far from saturated. It is hard to think of any product categories beyond firewalls and anti-virus where even 50% of the potential market has been addressed.
In reality the IT security industry is a fractious collection of sub-industries that are at different stages of the product lifecycle. Each sector has its own dynamics, its dominant players and emerging startups. For example, the firewall sector is obviously much more mature than document tracking. But even that conclusion is too general, because there is a new subcategory for firewalls on PDAs that is just starting to get traction.
The overall point is that this industry is mature in some categories and just starting in others. Consequently, we can expect to see consolidation in the more mature categories, while at the same time new companies are creating new categories. Over time these categories will in turn mature and be replaced by something else. Like warring city-states, each company is seeking alliances or mergers to gain competitive advantage. How long can this go on? That's hard to say, but we don't see this mechanism falling apart anytime soon.
One further point of interest. Almost 40% of IT security companies are in California, and 80% of those are in the San Francisco Bay area, so it is clear that the epicenter of the IT security industry is geographically concentrated.
In summary,
The technological diversity of the IT security industry has resulted in a complex assortment of sub-sectors that behave somewhat independently. Because these sub-sectors are at different stages of development, some will mature and consolidate while others are just getting started. Consequently an industry-wide collapse is unlikely.
A powerful convergence of risk, regulation and liability will continue to fuel the market for the foreseeable future, making IT security an attractive sector for prudent investment.
The IT security industry is heavily concentrated in northern California, making it particularly accessible to the technology investment community.
About the Author:
John R. Muir is a Managing Partner at Trusted Strategies. Trusted Strategies defines the business of IT security for investors and entrepreneurs alike. With nearly 40 years of security company management experience, backed by the most extensive research database of IT security companies available, we provide strategic insight, comprehensive analysis, and seasoned advice to those who demand the best. Trusted Strategies meets the need for in-depth analysis and domain expertise through:
Advisory services to investment bankers, venture capitalists and institutional investors
Published research on select industry sectors and companies