Where to buy good IT security
Bob Tarzey, Analyst and Director
Quocirca Comment
Good IT security has been fundamental to the
success of the network computing revolution that
has occurred over the past two decades; poor IT
security has led to some of the most high-profile
data breaches that have occurred during that
time. Much of that security was provided by
specialist suppliers, but today more and more of
it is incorporated in the IT infrastructure. When
should buyers rely on what is provided by
infrastructure suppliers and when should they
turn to IT specialists?
The largest acquisition during 2010 in the IT
industry was that of security giant McAfee by
Intel, at $7.7bn (Figure 1). This deal even
surpassed the amount paid by Oracle for Sun in
2009 ($7.4bn). While the deal took industry
watchers by surprise, it clearly underlines this
trend of IT infrastructure suppliers adding
security to their portfolios.
There has been plenty of debate about what
Intel will do with McAfee. So far it has taken a
fairly hands-off approach; the parent company is
not even mentioned on the opening page of the
McAfee website. It has been stated that Intel
wants to make sure security is more tightly
integrated with silicon by better integrating
security software at the chip level, but this only
makes sense for some McAfee products, such as
anti-virus and end-point security.
Where to buy good IT security http://www.quocirca.com
Quite a few McAfee products are delivered as
appliances, some of which are not currently
based on Intel hardware, so there is a minor
opportunity for migration. Other areas that
McAfee operates in, such as content security and
security management (enhanced in 2010 by two
McAfee acquisitions; Trusted Digital and 10
Cube), would not be implemented purely at the
chip level. So the move by Intel into the IT
security space, its largest ever acquisition, is
probably best seen as recognition of the
continuing importance of IT security and an area
where Intel can grow revenues faster and with
better margins than its core business.
Intel is not alone. HP, which has had its ups and
downs with IT security in the past, has been
marching back into the IT security arena over
the past few years. It made two acquisitions in
2010; privately held Fortify for code testing, and
ArcSight for security and information event
management (SIEM), the latter valued at $1.5bn
(Figure 1). HP also picked up UK-based security
services provider Vistorm when it acquired EDS
in 2008, and TippingPoint for network security
when it acquired 3Com in 2009.
IBM added code testing to its portfolio last year
when it acquired Ounce Labs, which now sits in
its Rational software development division. IBM
already had a broad range of security products,
through it 2006 acquisition of Internet Security
Systems and other existing products in its Tivoli
division for identity and access management and
compliance. That was enhanced by another 2010
acquisition of privately held BigFix for end-point
management. Such tools are required to deliver
end-point security effectively and consistently.
Cisco, the world's leading networking supplier
has also been building on its established firewall
business, with acquisitions such as IronPort for
e-mail security in 2007 and ScanSafe for web
content security in 2009. EMC, the world's
largest storage supplier, acquired the major
player in identity and access management, RSA,
in 2006. Looked at through the lens of the joint
venture - the Virtual Computing Environment
© 2011 Quocirca Ltd
(VCE) coalition - Cisco and EMC (along with
VMware) can boast a broad, all-round security
portfolio.
During 2010, Microsoft launched news versions
across much of its Forefront security range,
which includes Forefront End-point Protection
(FEP), Forefront Server Security (for Windows
Server SharePoint, Exchange, Lync), Forefront
Threat Management Gateway (formerly ISA
Server) and Forefront Unified Access Gateway
(formerly Intelligent Application Gateway). The
Forefront range had been built up over a number
of years through the acquisition of various small
and relatively unknown security suppliers (Figure
2).
The motivation for Microsoft's long journey into
IT security is clear: to make sure its customers
can use its products more safely. Security was
one of the key pillars of Microsoft's Trustworthy
Computing initiative, launched in 2003. Many
gauge that to have been a success, with
Microsoft's products generally considered to be
more secure than they were a decade or so ago.
But Microsoft only protects Microsoft, to the
extent that it often scraps support for third-party
products provided by the suppliers it acquires.
For most organisations, IT security needs to
cover a wider range of heterogeneous platforms.
The situation looks set to get worse as the
diversity of devices and operating systems (OS)
increases, particularly when it comes to user end
points. Whereas Microsoft continues to dominate
the PC OS market for the moment, it is currently
an also-ran when it comes to smartphones and
tablets. It hopes to reverse this through its new
partnership with Nokia, but only time will tell if
these two giants of their respective industries
Where to buy good IT security http://www.quocirca.com
can make a go of it against Apple, HTC, Google,
RIM and others (Figure 3).
That need to secure and manage heterogeneous
IT environments brings us full circle. It is the
reason why security specialists exist in the first
place. Whatever Intel chooses to do with McAfee,
it would be crazy to defocus on its generic
capabilities to look at securing just Intel-based
devices. McAfee once proudly claimed it was "the
world's largest independent security supplier", a
crown it took from Symantec only because the
latter had diversified into storage software
through the 2004 acquisition of Veritas.
Despite its previous bluster, it seems likely that
McAfee will maintain its credentials as a
specialist with the ability to manage security
across much of its customers' infrastructure, just
as Symantec and CA, another broad-based
software supplier with a security portfolio, have
done. And it is for this reason that security
specialists will continue to be the key providers
of security for many organisations rather than
purely relying on what other suppliers have
embedded in their infrastructure offerings.
With that said, there is still plenty of choice.
Following the loss of its independence last year,
McAfee passed its crown to Japan-based Trend
Micro, whose revenues for 2010 approached
$1.1Bn (Figure 4). Trend Micro has a fairly broad
IT security portfolio, but it has started to
diversify, for example into data protection with
the 2010 acquisition of Humyo (rebadged
SafeSync). Israel-based Check Point, the original
firewall supplier, is not far behind with 2010
revenues of $830m.
© 2011 Quocirca Ltd
 Buyers should evaluate what is available from
their chosen infrastructure suppliers in the first
instance, but this will rarely meet all
requirements. More importantly, buyers must
make sure they have in place a coherent IT
security strategy across all their IT assets with
the ability to manage it. Many will find that it will
still be the IT security specialists that will enable
them to best keep ahead of the rapidly changing
threat landscape.

This article first appeared at:

http://www.computerweekly.com/Article
s/2011/04/01/246163/Quocirca-Where-
to-buy-good-IT-security.htm
Behind these two are a host of smaller security
suppliers, including Blue Coat, SafeNet,
Websense, Sophos, Webroot, SonicWALL and
Kaspersky. All have their own focus which
generally needs to be supplemented with
products from elsewhere. All are potential
targets for infrastructure suppliers to plug
further gaps or acquire market share. Who
knows who will be wearing McAfee's former
crown 12 months from now, but overall the
market for IT security looks set to remain
lucrative for infrastructure suppliers and security
specialists alike.

Where to buy good IT security http://www.quocirca.com © 2011 Quocirca Ltd

 About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology
and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the
views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-
world practitioners with first-hand experience of ITC delivery who continuously research and track the industry
and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and
political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in
any implementation. This capability to uncover and report back on the end-user perceptions in the market enables
Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s
mission is to help organisations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise
that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC,
Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist
firms.

Full access to all of Quocirca’s public output (reports, articles, presentations, blogs
and videos) can be made at http://www.quocirca.com

Where to buy good IT security http://www.quocirca.com © 2011 Quocirca Ltd