IANS Perspective

The other day another article discussing the venture capital industry arrived in my inbox. It was from John Batdorf, a banker with Viant Capital I’ve worked with over the years and someone whose opinion I respect, so I paid attention. However, with the title “Is venture capital failing to keep the security ecosystem afloat?” I didn’t really need much prodding. Overall, the article touches on the topic we’ve been raising for some time now: while the attacks are all the more sophisticated, the investment dollars are in decline. Essentially the supply vs. demand equation for security is completely out of whack. This is not good. The reasons for this are numerous, but rather than turn this blog into an industry report we want to highlight the implications of this scenario as it pertains to the user community.

We strongly urge buyers not fall into the easy trap of ignoring the privates over this one issue. There are plenty of healthy, viable, and valuable private companies offering security protection. There are also plenty of "dogs" on their last breath. Identifying the dogs is key; dumping the entire market segment out the window because investors are less enthusiastic is flat out wrong. How to separate the dogs is the challenge -- and we’re here to help, of course.

Let’s look at the vulnerability management space as a proxy. We chose this space as most every organization knows it well enough. Sure there are the big dogs offering a scanning capability, but is IBM really going to invest in the acquired ISS scanner? My guess is that it’s not likely. So the classic “safe” move is not really a good one.

Instead, look at the private market: there are at least three companies we are very familiar with that have all done well – and from very different approaches. Core Security, Tenable, and Qualys each have a different approach to the market, ranging from comprehensive efficient capability to proven open source adaptation to SaaS (software/security as a service).

They each have different financing and expense structures -- from international development to solid venture backing to no VC needed -- but fundamentally they are each providing real value to their clients. Yes, they all do more than just pen testing and that certainly has helped the companies grow, but the point is simply that private companies are doing well even in these toughest of times.

Yes, it is tough out there and every buyer needs to have a higher level of scrutiny. But that applies to every vendor – from the brand new start up asking you to be a beta customer to the largest of the publicly traded guys, no one is immune from the harsh economic realities. In fact, the risk of working with a larger vendor could be higher than with the startup; in security, if the product doesn’t work, it’s you who may be in economic trouble.

Busy day at IBM today. Entirely by chance, IBM announced both the acquisition of Ounce Labs (undisclosed amount) in the application security space and SPSS ($1.2 billion) in the business intelligence market.

In Ounce Labs, IBM adds static code analysis capabilities to its Rational Software portfolio and helps to round out the AppScan suite. This complements their earlier acquisition of Watchfire which brought them web application vulnerability testing capabilities. The acquisition better positions IBM against competitors, mainly HP, in the software development market by providing a broader framework for building secure code.

A long partnership gave IBM a good view of what was under the hood at Ounce, and despite a rosy announcement by Ounce Labs earlier this year, IANS assumes IBM was able to strike a very favorable price for the company which eased some of the pain early investors must be experiencing.

As we’ve written before, consolidation will continue in the information security software marketplace, as weaker private companies succumb to financial pressure, their investors lose patience, and larger players seek opportunities to grab compelling intellectual property to bolster their growing suites.

The 24-month history of the software security marketplace proves this out. SPI Dynamics and Watchfire were acquired in 2007 by HP and IBM, respectively, Security Innovation recently sold its European operations to Cigital. On the flip side, Veracode recently received $10 million in funding, Fortify continues to flourish while Klocwork and Coverity are still in the mix.

"The security market is continuing down a classic consolidation path" says IANS Faculty member Peter Kuper. "IBM has moved from buying scale (ISS) to incorporating complementary functionality as evidenced by the Ounce Labs announcement."

We expect the overall consolidation trend to further reveal the two or three dominant providers that will either reach sustainable independence or become an integral part of a larger organization. For security professionals, aligning with those few strong players will provide not only best-in-class technology but also a longer more valuable strategic relationship regardless of the acquiring entity.

We stick by our advice to enterprise buyers, however, that a solid group of high-quality, independent, reliable players still remains that do provide superior technology/service. The question at hand is whether or not application/software security will remain a standalone part of the security market or eventually become a feature of two distinct areas: software development and vulnerability management.

In SPSS, IBM is pushing to give clients “not just insight, but foresight.” The acquisition continues what was started with the Cognos acquisition back in late 2007, continuing the battle between Oracle, SAS and IBM for advantage in that marketplace.

“It’s a good fit for IBM,” says Tom Davenport, Lead Faculty Member at the International Institute for Analytics. “SPSS was the only remaining analytical software provider of any size that anyone could buy. It augments IBM’s business intelligence capabilities in Cognos, and its optimization and rule engine capabilities in ILog - not to mention its 4000-strong Business Analytics and Optimization unit in Global Business Services. IBM is clearly making a major play in analytics. It will be very interesting to see how the company combines all these businesses and goes to market with them.”

Where is the tie between the two announcements? The future of information risk management is moving from reactive to predictive. One obvious example: where will the SIEM space go? It has to move toward being able to predict attacks, not just telling when they occurred.

And how big a role will business intelligence and analytics play in making all industries more competitive? Stay tuned for more developments…

Not by chance, however, with a concentrated research focus in both information risk management and business analytics, IANS sees these two spaces being closely aligned going forward.

The latest VC data continues to reveal the pressure on private companies needing capital. The steady decline that began over two years ago is still continuing its downtrend.

Source: Thomson Reuters, National Venture Capital Association

This is definitely not a good thing, as we have consistently looked to the private sector to develop the next-generation solutions needed to keep up defenses against the ever-evolving hacker community. The problems go beyond the money - even if the fortunate few see deposits in their corporate checking accounts the valuations of these investments add to the burn.

Source: Cooley, February 2009

These trends further support our look to the government initiatives such as I4 as the private sector is under stress. The cynic in us can’t help but touch on the topic of bailouts for all the big boys, be they banks or botched auto companies, but what about the smaller players - the ones with the normal assumption of real job growth, let alone the real innovation that produces new products and whole product categories?

 That said, we know of a very large group of private companies that are doing very well, including BigFix, Verdasys, and Qualys. Overall, we still recommend buyers look to the privates, especially given some of the antiquated wares of the public companies. Yes, they may be financially stronger -- but what protection are you getting for your scarcer dollars?

 Our recommendations have centered around:

• Product strength (worth the risk of linking up)
• Management team (ability to execute)
• Investors (history, viability of the backers)

 Overall, we still endorse the private sector but need to caution IANS members to check out the firm before they “leap”. This applies to public companies as well - just because you’re big doesn’t mean you can’t be bought, as we have seen from the original ISS acquisition and more recently the previously-envied Sun Microsystems. We’re watching that deal very closely to see which Identity & Access Management solution service is phased out in favor of the other. Costs still matter, no matter how big or small.

Oracle (NASDAQ: ORCL), one of the world's most dominant proprietary database providers, today announced it has reached a definitive agreement to acquire Sun Microsystems (NASDAQ: JAVA) for approximately $7.4 billion, or $5.6 billion net of cash on Sun's balance sheet. This deal may come as a surprise to many (stock market reaction indicates such with Oracle down, Sun up) and we see a number of issues from the deal.

Just this past Thursday night at an "ideas dinner" hosted by Monness Crespi, a boutique research-focused investment firm, I told the group of my concerns for Oracle's stock price as it looked like they were heading toward more challenging times. The negative read comes from the obvious macro-economic concerns but moreso given Oracle's maintenance pricing and a lack of acquisitions of size to help pump up reported growth.

Sun is one of the few deals of size left to help augment the growth challenges and the company's PR seems to support this notion as the focus of the transaction: Oracle's official press release is in line with the margin concerns, saying "We expect this acquisition to be accretive to Oracle's earnings". Acquisition accounting helps and existing Sun users will add to top line growth to an extent; but the other issue I raised, operating margin pressure, will likely be exacerbated by the hardware-centric Sun wares. For the IANS client end-users in particular, Oracle will likely welcome the Sun IAM solution to augment its earlier acquisitions including Oblix and Thor. Converting the overall Sun model to Oracle's benefit, however, may prove far more complicated.

Oracle was quoted by the Wall Street Journal as calling Java the "most important software" it has ever acquired. This may be true - Java is a dominant platform by most any measure, and the java.com site suggests 6.5 million developers powering more than 4.5 billion devices. But as for money-earning software, Java and most of Sun’s offerings don’t bring much to the table, at least relative to the overall revenue picture. Maintenance is growing for the key Java and MySQL support lines but we question the rate of growth. And how will Oracle deal with the conflict of support for a free database versus a licensed form?

Sun has given away the bulk of its software offerings in an effort to bolster its hardware pricing. This never made sense to us (please see “The Big Blue Horizon Comes for Sun”). But now Oracle will be in control and this will be interesting to manage from the software buyer's seat. As Oracle has kept to its 28% maintenance charges (on list price!), the margins have risen steadily to the 40%+ levels - ahead of almost any provider and Oracle has said they think 50% is attainable. This doesn't strike us as a company looking to discount.

 On the brighter side for end-users, in prior large deals like Peoplesoft Oracle has not pulled a CA EOL game - end-of-lifing of applications forcing users to upgrade at a higher cost. In fact, Oracle has absorbed acquisitions as well if not better than most of its competitors. The MySQL open source database play presents a very interesting debate - how much will Oracle push an offering that directly undermines its core database business? Oracle has acquired open source DB wares before but of much smaller scale and with little fanfare. We have seen Oracle make some small inroads into accounts with its security suite, but given the company's overall focus the very cautious security buyer has not heavily swum to Redwood Shores for shelter. Sun can help here directly.

So for end-users, Oracle certainly is not any major fear from the technology perspective. It's your CFO who's going to be nervous...

Yesterday, The New York Times reported that IBM has walked from the Sun deal reportedly over a disagreement regarding price. The Wall Street Journal did not go so far as to say the deal was dead but instead was "at risk of unraveling".  Either way, the message to users of Sun products is the same: have a replacement contingency plan. As we wrote last week, Sun had little to no hand to play, but apparently the Board of Directors at Sun didn't read our post in time. There is still the possibility that IBM and Sun will come back to the table, but with IBM's offer reportedly withdrawn the sweet-talking part of the negotiation is clearly behind them. Now, with Sun close to being back on the block, the odds for a DEC-like demise look even more likely and the next owners of certain product lines are therefore all the more uncertain.

No pointing fingers, instead look within.

In this economy, the one group that does have a hand is the buyer. Not IBM-as-acquirer per se but the IT departments of the Fortune 1000-sized organizes that IBM, Sun, or any company is trying to woo to purchase their products in an environment where capital expenditures are tight. License usage, maintenance value, and vendor lock-in should all be under examination.

Identifying partners for the company's IT needs (rather than having a mere business relationship with a vendor) is the ultimate objective, but identifying providers that are financially at risk is yet another criteria for proper evaluation. This is not to say folks should have been already ripping and replacing Sun; had an IBM deal gone through it is likely support for a number of products would have remained. But having at least some thoughts around replacing large installs or key applications makes sense; either from acquisition, financial failure, or vendor lock-in pricing problems, knowing your options is essential business intelligence.

We will update the blog as any other details related to Sun emerge and welcome your comments.

A Reuters report pointed out that a speech given by Sun CEO Jon Schwartz last week at InfoWorld’s Open Source Business Conference ignored the pending IBM acquisition - the big elephant in the room so to speak.  While there are a number of legal issues associated with making any comments related to any pending transaction, we’ve been discussing what it means to IANS community members and how they should prepare for some inevitable market implications regardless of any deal.

While Sun’s CEO may try to convince audiences of the company’s strength in an attempt to keep Sun from slipping over the horizon, ultimately absorbed by the big blue sea (IBM), we argue the light is already fading. Trying to avoid too many clichés, Sun’s day has already passed and our advice, whether or not the deal will be consummated, is for the IANS community to pay close attention and start to prepare for potential impacts to current products and support.

It is clear Sun is “on the block” – meaning the company is feeling pressure to do something significant.  If IBM does not complete the transaction, we suspect Sun will eventually start to sell off pieces of its operations in an attempt to remain financially viable. We are reaching out to many of you in the IANS community specifically due to the penetration of Sun Identity & Access (IAM) products in your organizations.

As an end user, you need to seriously consider the implications of such a scenario.  Even if the IBM deal is done, there are still issues as to product continuity and support; IBM will need to rationalize expenses and product lines, meaning the real potential for less R&D and the end-of-life of certain products at IBM as well. As we have advised throughout our buyer strategy sessions, contingency plans are a priority.  If you are a heavy Sun user, creating or updating your Sun contingency plan should be Priority One.

Sun Set?

Of course Sun would argue that they couldn’t possibly comment on any deal due to legal concerns. While technically correct, that is at least a missed opportunity if not a  convenient excuse.  Schwartz could easily have talked about the opportunity for partnerships and leverage across multiple providers in the context of his appearance without specifically mentioning any three-letter companies.

The event was an Open Source conference, after all.  To be sure, the deal may well happen and Sun could become a cornerstone of IBM’s existing open source efforts. We say cornerstone in part from Sun’s overall open source efforts and investments; MySQL’s position within the LAMP stack is a good example. Bringing heft to IBM’s Linux push and Websphere user base would be a solid benefit in our view, as would Sun’s security acquisitions. Combining Sun’s Identity Management products would further fortify IBM’s significant investments in their own Tivoli IAM offerings and bolster their weaker security offerings. At least it brings as much if not far more useful technology than the stagnant ISS closet offered.

But if IBM were to walk, we think Sun stock (JAVA) will resume its unrelenting downtrend.

I used to make bets with folks as to how long it would take for Sun’s stock price to revert back to its pre-reverse split levels given the company’s misguided focus. If one were to pin us down for our basis for this, we could answer the thrust of the question in one sentence: The focus on hardware was a flawed business model.  The simple justification is based on publicly available data. 

The value, at least as far as IT buyer dollars suggest, is in the software rather than the hardware. Sun buying up open source software (including a cool $1 Billion for MySQL) in the hopes of selling premium hardware to make up for the lower software revenues will never work in our view – at least from a financial perspective. Moreover, talking about “cloud computing” as an opportunity further flies in the face of the current revenue model.

Under this approach, folks can get computing power without ever even seeing the name plate on the box. So who cares what it says? So long as the cycles are available, (meaning reliable and responsive), the Sun brand on the box is largely irrelevant and commodity price pressure for hardware remains, if not accelerates.

Buyer Beware

For our IANS community members, we strongly encourage you to examine your Sun deployments and develop a migration plan should IBM not follow through with the acquisition. Even if IBM were to sign a deal, buyers need to consider the ramifications of the new owner – both positive and negative scenarios. For example, IBM may feel pressed to cut expenses in order to save costs on the rumored $6.5 Billion (or higher) deal. IBM has already shown its own need to cut costs via its 5,000 employee layoff plan revealed just a week ago, which includes outsourcing jobs overseas and even patenting a process for the outsourcing itself.

Thorough analysis of your vendors, including an appreciation of potential areas for cost cutting by any vendor – not just IBM or Sun – is essential in this economy. There is absolutely going to be more consolidation in the technology industry and it may persist longer and reach further as the economy wanes. There are already plenty of emergency meetings going on in the executive offices of companies across the globe, and a contingency plan allows IT departments to be proactive and the IT executive more valuable to their organization.