An 800-pound gorilla threw its weight into the security market today, and analysts say the impact could send the industry reeling in a whole new direction.
IBM earlier today bought Internet Security Systems (ISS), one of the industry's oldest and best-known independent security vendors, for a tidy $1.3 billion in cash. Big Blue, which has made four other acquisitions in the last month, says it will keep ISS intact as an independent unit and will not lay off any of its workers. (See IBM Buys ISS.)
But IBM clearly has new plans for ISS. The security software vendor, which has been a supplier of point products for more than a decade, will be integrated into Big Blue's managed security services business, transforming it from software vendor to service provider in a single move.
"Our managed security services and on-demand capabilities have consistently been one of our strongest growth areas up to now, and that's been almost entirely driven by customers who say they want security as a service," says Tom Noonan, CEO of ISS, who will stay on to head up IBM's security business.
With their joint entry into the managed services arena, IBM and ISS will challenge popular industry notions that such services are only for small businesses that lack security expertise, and that large enterprises would never consider handing over their security functions to an outsourcing vendor.
"We see a $22 billion market opportunity in managed security services, and we intend to offer a single solution for companies that have not felt comfortable outsourcing until now," says Val Rahmani, general manager for IBM's Infrastructure Management Services unit.
"IBM has been showing a tendency to move back, in many ways, to the old mainframe days, where it owned an account top to bottom," says Rob Enderle, president of the Enderle Group, an IT consultancy. "Personally, I'm one of the folks that believe the security of a solution should be the responsibility of the solution owner, and it appears that vendors like Microsoft and IBM agree."
IBM's move also is a watershed in the evolution of the security industry, which has been consolidating and shrinking, experts say. "I think this acquisition is definitely part of an overall trend, where the more mature parts of the security industry -- things like firewalls -- are aggregated into fewer, larger companies," says Robert Richardson, editorial director at the Computer Security Institute. "We'll still see lots of smaller companies and lots of competition in the more cutting-edge areas of security, but companies that offer staples of security have got to get large, in one way or another, if they're going to survive."
Noonan concurs with that assessment. "In our research, we found that large enterprises already have trimmed the number of [security] vendors they support from more than 30 to about 22," he says. The demands of more targeted attacks, combined with the struggle to meet regulatory requirements, have left many IT managers looking for a way to further consolidate their security efforts, he says.
The IBM-ISS merger "indicates a move to integrate security which may, eventually, largely eliminate standalone products if the trend continues," Enderle says. "Buyers should immediately look for trends like this and make their product choices accordingly. The best odds are to go with the [multi-product] solution provider, and that is likely where the long term future for the class will reside."
Officials declined to give details on how the ISS products and strategies will be integrated with (or replace) technologies and architectures already offered by IBM's Tivoli unit. They said the Tivoli products are "complementary" to ISS and they will look to work with Tivoli in the future.
The officials also did not give any guidance on how the acquisition will affect IBM's relationships with other security vendors. Big Blue has been carefully vendor-neutral in its approach to managed services in the past, but it seems unlikely that the company will be able to maintain that stance as it integrates the ISS technology into its offerings.
Rahmani did say that the ISS standalone software offerings will continue to be a part of its business, but the thrust of the announcements clearly focused on the ability of ISS to help Big Blue with its managed services offerings.
The acquisition comes less than two months after IBM storage rival EMC picked up RSA Security for $2.1 billion. (See EMC Secures RSA for $2.1B.) Analysts say the acquisitions aren't directly related, but they underscore the importance large systems vendors place on having security products and services.
So is IBM feeling some heat?
"I don't know if I'd call it reactive," says Pund-IT analyst Charles King. "RSA had been shopping itself for some time, and I assume they probably spoke with IBM. But a deal that size [EMC-RSA] probably woke up a lot of larger vendors that this is going to be a major issue going forward, and it's better having the IP and services in house than relying on partners.
"Owning the security piece is pretty critical. If you're partnering for it, and you're fairly far along in development, and your partner is bought out from under you, then what do you do?"
Jon Oltsik of Enterprise Strategy Group says IBM already had products and services that compete with RSA's.
"IBM already plays in the RSA space, and they have products and services that RSA offers where EMC really doesn't have anything that ISS has," Oltsik says. "The only thing that is similar is when EMC wanted to jump into the security space they went for a household brand. ISS is also highly regarded in security space, so it helps them articulate their security strategy when they have a good brand associated with it."