Cyber security – Which vendors will do most to shape this fragmented super-category as it enters the Tornado?

Summary:

• Several weeks ago in a blog titled “Bits & Pieces”, I drew attention to the fact that information security is now a C suite and board-level concern.

• However, information security has long been, and still is, an extremely broad and fragmented super-category with hundreds of different product and service offerings in twenty or more product categories.

• So the two questions I want to attempt to answer in this article are 1) which vendors will take it upon themselves to do more to consolidate distinct but important product and service offerings under one roof or one ecosystem?, and 2) which companies will thrive most as we enter a multiple-year tornado in this business?

I have no illusions that the “C suite” observation I made several weeks ago was particularly perceptive; it was already obvious that boards and CEOs were about to become much more accountable than has been the case till now for safeguarding sensitive data about their customers, partners, and employees, and/or about their industrial installations, trade secrets, and products and services. The sheer number, scale, and aggressiveness of some of the more headline-grabbing incidents are enough to get shareholders, customers, and others into a militant frame of mind in defense of their interests. For sure, regulators everywhere are going to become far more active, lawsuits from aggrieved parties will proliferate, and other factors such as brand or reputational damage will each exert their influence in this direction. And, as everyone assumes today, the sheer relentlessness, creativity and mischief isn’t likely to subside any time soon.

Just a week or so ago, the federal government sheepishly announced that, in addition to hacks into the data of 4 million people, they had uncovered another incident compromising 21 million more people. In total this equates to almost 10% of the U.S. population being impacted in ways that we don’t yet fully understand by penetration of government-run IT and even operational systems. Disturbing indeed. Even more so, when you allow your imagination to roam into other areas, such as possible future hacks into airline flight logistics systems or airplane control systems, into hospitals and the health system, into nuclear and other power plants, or into military defense systems. In short, ensuring cyber security in all its forms is now not only a business problem, but a major governance issue on a global basis. Even worse, the crisis of confidence in security is turning into a highly sensitive and rapidly unfolding geopolitical crisis. Governments are certainly not letting on to their citizens how concerned they are about the ability of foreign nations from China to Russia, or hostile regimes and rogue states like North Korea or Iran, to penetrate the most sensitive information systems and cause catastrophic physical and other damage. Besides government to government actions, authorities and businesses have to deal with small cells of hackers based in a number of different countries around the world.

In light of the critical and urgent nature of what’s happening, the table is now set for security vendors of all types, supported by private and public investors, to bring to bear a more integrated portfolio of solutions. The field of IT/cyber security contains everything from protection for critical infrastructure (sensors, databases, analytics – the world of IoT), firewalls, threat intelligence and threat management, crisis response, incident response and forensics, fraud detection and remediation, disaster preparedness, managing mobility (including BYOD management), cloud, network, and endpoint vulnerabilities, ensuring database security, malware detection, and remediation, user identity management, video surveillance, Ddos protection, and so on. Increasingly, every one of these sub-categories requires advanced analytics, including retrospective, real-time, preventative, and predictive capabilities, in order to provide for adequate anticipation and protection as well as remediation and incident response and/or disaster recovery. In part because this industry depends so much on deep human domain expertise in arcane and granular areas in order for the technology solutions to be deployed and utilized effectively, it has resisted the kind of category consolidation that comes more easily to less complex technology applications and infrastructure such as desktop productivity applications or server virtualization. So achieving some degree of consolidation into major themes is not a trivial task. That said, someone’s got to do the dirty work someday.

Consider the following instructive example reported by UBS, that resulted from an analysis by Cisco as part of its announcement of an expanded and more aggressive IT security strategy. It suggests that the average large enterprise has 54-plus security vendors (no, this is not a misprint), making it extremely difficult for CIOs and Chief Information Security Officers (CISOs) to manage such a complicated landscape and the correspondingly byzantine systems architecture required to manage them. Analyst Amitabh Passi of UBS notes: “We don’t believe Cisco has any delusions of replacing 50-plus vendors with just itself, but (in Cisco’s case) the goal is to simplify the landscape.” Without such a simplification of offerings and a clearly defined roadmap, organizations won’t know how to proceed. This doesn’t mean that they won’t make investments in an attempt to significantly enhance their defenses against hacks and other attacks, but that most likely a lot of money will get thrown at the various problems with little strategy or cohesion, resulting in enormous waste and, perhaps, worse, no effective solutions to some of the more serious challenges. This in turn could create a massive hangover for customers as well as vendors, eventually slowing the pace of innovation and investment in the category.

In light of all these factors, let me attempt to answer the two questions I posed at the beginning of this article. Firstly, as so often is the case with emerging and growing product categories, there are three broad groups of product vendors capable of influencing the growth trajectory of the industry by serving customers with innovative and differentiated solutions to today’s most challenging problems:

1. Major global systems vendors consolidating myriad offerings into a single portfolio of products and services to provide integrated one-throat-to-choke solutions to today’s and tomorrow’s problems;

2. Fast-growing best-of-breed players selling one or more targeted offerings that address specific current security problems;

3. Recently funded startups bringing dramatically new offerings to market to solve (hopefully) tomorrow’s problems as well as some of today’s hairier ones.

I don’t pretend to be sufficiently familiar with the competitive landscape to name all the likely winners in each of these groups. But among the first group of global players, Dell, Cisco, IBM, and HP will undoubtedly be important players. It’s difficult to see at this point which of these four global hardware, software, and services companies will become the more dominant “category consolidator”. They’ve all been doing acquisitions and they all have their own in-house products and domain expertise to offer. Since going private Dell has made major investments in security software and services; IBM has long been a player in this area; and besides Cisco, HP has made moves more recently to expand its presence and focus on security. These systems companies are all providing managed security services – or starting to do so – employing cloud and hosted on-premise solutions. All of these companies will need to make aggressive moves to differentiate themselves against the others by, for example, acquiring one or more of the companies in Group B despite, or even because of, their high valuations. Besides providing technology and products that are gaining broad acceptance, this type of acquisition typically brings with it experienced management talent and domain expertise including former NSA and DoD analysts, security managers, and threat intelligence experts.

In the same note sent out by Seeking Alpha where the UBS analyst provided their observations on Cisco’s strategy, BMO’s analyst Tim Long suggested that more M&A is likely. “Cisco believes that one of the key changes that will occur in the industry over the next few years is that customers will increasingly move from point vendors that provide niche solutions to companies that can provide an architectural approach … This should also drive increased industry consolidation.” Besides the consolidation of product portfolios within an integrated reference architecture, providing deep domain expertise in emerging, esoteric, and critical areas such as IoT sensor security, malware prevention analytics, or cloud or mobility security will be paramount.

The disparate group of companies in Group B includes players such as Fireye, Fortinet, Imperva, Palantir, Palo Alto Networks, Splunk, and a number of others. Due to the growing importance of cyber security as a headline-grabbing concern, the market caps of these fast-growing companies vary between $7bn and $15bn. despite them all being sub $800m. in annual revenue today (Imperva’s market cap is $2bn on 2014 revenues of $164m). In addition to building out their product portfolios organically, we must expect that these companies will (continue to) make aggressive acquisitions in order to expand their footprint and attempt to become significant players on a global basis; otherwise, despite their rapidly increasing market caps, since they are still ‘tweeners, they may become food for one of the hungrier global players in group A.

As for group C, there are hundreds if not thousands of young networking, software and services startups being funded around the world to fight the security war. By this time next year or mid-2017 we’ll all become aware of companies that today are invisible to most of us, but that have developed solutions to ward off the most challenging attacks. Among the young companies gaining attention and even being acquired in their relative infancy are Morta (recently acquired by Palo Alto Networks), Skyfence (acquired by Imperva), Caspida (just acquired by Splunk), and a host of other still-independent companies including Aorato, Bitglass, Bluebox, CloudLock, Confer, Cybereason, Cyphort, Elastica, Forter, Niara, Okta, Skycure, Zimperium, and many others.

In conclusion, inside customer organizations of all types, the share of IT spend on security is growing rapidly today and in some areas is resulting in hyper-growth for some key product and service providers, thanks largely to the accelerating number of high-profile cyber-attacks at Home Depot, JP Morgan Chase, Target, Sony Pictures, Anthem Health Insurance, and now the U.S. government. The next 12-24 months are going to be extremely interesting in terms of the vendors that will be most influential in shaping the cyber security industry going forward. Let’s hope that at least one of the major global players, in addition to a number of the companies in Group B and C, makes the right moves because there is a lot at stake for citizens, customers, businesses and governments everywhere.

Note: For a detailed description of the tornado stage of hyper-growth, see blog published on July 14 2015 by Andrew Salzman and Paul Wiefels of The Chasm Group.