The Unshrinkable Security Industry

3:23 PM -- It starts with an acquisition. A big vendor buys a smaller vendor, then another big vendor buys a smaller vendor that operates in the same space. Pretty soon, there's what appears to be a whole wave of buyouts, and analysts and pundits begin to drag out that infamous phrase: "Market consolidation."

Cue screams, panic, executives jumping out of windows, fire trucks, attack dogs, etc.

Yes, I'm talking about the recent wave of security vendor acquisitions, particularly in the data loss prevention space, over the past month. You should see some of the emails we get from vendors (and even otherwise reasonable industry analysts) when a spate of buyouts like this occurs. "The market is shrinking!" they scream. "Enterprises no longer want point products! They want a single point of contact -- the smaller vendors are dead! AAAAGH!"

(Can you tell I wrote this same story about LAN vendors in 1988? And I've written it about 100 times since then, in reference to every IT market from 10Base-T Ethernet hubs to T1 multiplexers to CRM software.)

Okay, let's all calm down now. There have been a bunch of acquisitions in the past few weeks. Cisco bought Securent. McAfee bought Safeboot. Trend Micro bought Provilla. Symantec bought Vontu. (See Cisco Swallows Securent for $100M, McAfee to Acquire Encryption Vendor Safeboot, Trend Micro to Buy Provilla, and Symantec Seals $350M Acquisition of Vontu.)

As any of these vendors will tell you, these acquisitions represent a recognition of the fact that enterprises are looking for ways to handle the "insider threat" in their organizations, a threat that is not always handled by traditional perimeter security products. Data loss prevention is one approach to doing that.

But to suggest that these acquisitions indicate some sort of industry-wide security market consolidation -- or even the broad absorption of the DLP market by larger vendors -- is pure hype and hysteria.

In the relatively short life of Dark Reading, we've already witnessed several spates of acquisitions in the security industry, including buyouts of smaller vendors in messaging security, end user monitoring, and security information management. We've also seen the acquisition of several major security vendors, including RSA and Internet Security Systems (ISS).

So far, the security market hasn't disappeared, or merged into one big AT&T.

That's because for every security vendor whose name disappears, another one pops up in its place. Just this week, we've seen the emergence of several startups with names like KeyID, Securityworks, and Tutarus. (See Startup Takes Aim at Man-in-the-Middle and New Key Management Technology Could Improve RFID Security.)

That's the nature of security -- it's an arms race. The bad guys develop new methods of attack, the good guys develop better defenses, and the bad guys innovate again. Yesterday's "hot products" are now part of today's most established security suites. You can bet that the innovation process will continue -- and so will the mergers and acquisitions.

If you're worried about "market shakeup," put down that Red Bull and get some sleep. The names might be different, but tomorrow's security market will still be there.

And hey, don't you have enough to worry about already?

— Tim Wilson, Site Editor, Dark Reading