Despite all DAM products being conceived as security tools, compliance has become the primary use case. What's more, they work: They detect threats and can automate controls other platforms simply cannot. Vendors have struggled because customers really didn't get how it helps with compliance. Sarbanes-Oxley, the Gramm-Leach-Bliley Act, PCI, and privacy laws say nothing about DAM. You need to really drill down to understand that your credit card data is stored in a database, or that your financial systems are automated to the extent that you simply cannot enforce many controls without automated assistance.
IBM will be able to leverage the Guardium investment into its existing customer base. IBM is, after all, one of the biggest database vendors in the world -- not just for its considerable mainframe installed base, but the DB2 UDB and Informix platforms both have dedicated followers, too. Incredible revenue opportunities exist within its own customer base, and the heterogeneous database support Guardium provides IBM Global Services is a database-agnostic platform.
Large vendors in multiple verticals have had quiet discussions with DAM vendors regarding partnerships and acquisitions for several years now. While customer adoption of the technology has lagged, providers of operations management, security, governance, and compliance have seen the value. DAM may not get a lot of press, but insiders are well-aware of the technology, and it is surprising to me we have not seen an investment of this size, or larger, during the past year.
Still, IBM's presence in this space likely provides a lift to the entire segment. I estimated the DAM market size at $70 to $80 million in 2008, and estimate $85 million for 2009. I base this on a combination of inside information, communication with customers, very chatty former employees of DAM vendors, and some educated guesses. I am excluding assessment and auditing revenue, the latter of which is extremely difficult to quantify. Regardless, it's tiny.
I'm willing to bet IBM can double the size of the market in less than a year. IBM sales has the ability to educate the market in a way that even Fortinet cannot. Meanwhile, Application Security, Imperva, Netezza, Secerno, Sentrigo, and the handful of other vendors -- all lacking an "evangelical sale" where you have to prove your product and the value it provides -- also benefit in terms of visibility, reduced sales cycles, and more customers. As revenues increase, expect further acquisitions of these remaining providers.
Adrian Lane is an analyst/CTO with Securosis LLC, an independent security consulting practice. Special to Dark Reading.