Risk

11/9/2010
04:49 PM
50%
50%

Schwartz On Security: Reaching The M&A Tipping Point

The jury is out on whether businesses will benefit from Intel buying McAfee or from Symantec, IBM and Microsoft sucking up everything in sight.

The pace of mergers and acquisitions in the security industry has been breathtaking, but could it be headed for a stop?

Since last year, numerous top-tier smaller outfits have been snapped up by large players. Indeed, more than $10 billion has been spent in just the past six months by Symantec (VeriSign plus PGP and GuardianEdge), IBM (BigFix, OpenPages, PSS Systems), Hewlett-Packard (Fortify and ArcSight) and CA (Arcot).

Furthermore, the technology industry heavyweights -- who by virtue of their size largely innovate via acquisitions -- apparently still have oodles of cash at the ready.

What's behind the breakneck pace of acquisitions? One answer is that it's mirroring a growing awareness of security by senior executives. "Security is starting to get higher on their radar screens now," said Steve Robinson, general manager for IBM security solutions. "Many of our corporate accounts are starting to put in chief security officers, to expand their security teams and see that security has impact on all parts of their business."

This evolution and growing security understanding is -- on the upside -- leading customers to demand more consolidated approaches to mitigating their security challenges. Accordingly, said Robinson, "we need to move beyond the single product to solve a single problem, to more of a comprehensive strategy."

Cue mergers and acquisitions. But where should they end, and are businesses best served by a more all-in-one approach?

Consider Intel's $7.7 billion acquisition of McAfee, which surprised many industry watchers who thought endpoint security should be built into the operating system, rather than the motherboard.

The positive spin is that the deal has the potential to bake-in better security to PCs and mobile devices -- through to virtualized environments and the cloud -- from the get-go. But it also has the potential to be seen, in a few years, as an expensive one-size-fits-all boondoggle of AOL proportions.

Garter Group analyst John Pescatore likens the overall information security M&A equation to cars and boats: Would you buy a car from a boat maker? How about a boat from a carmaker? The short answer is, no. Now extend the paradigm to information security.

"I'm always amazed when network infrastructure vendors like Cisco and Juniper build security solutions that try to get us to put their software on our endpoints, and when software vendors like IBM Tivoli or CA acquire and try to sell network security products," he said. "These strategies always end badly -- it is why the McLobster sandwich and the Nobu Whopper never did well either."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
A Call for Greater Regulation of Digital Currencies
Kelly Sheridan, Associate Editor, Dark Reading,  11/21/2017
New OWASP Top 10 List Includes Three New Web Vulns
Jai Vijayan, Freelance writer,  11/21/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.