Do dedicated security vendors have a future?

Quocirca's changing channels McAfee proudly proclaims itself "the largest dedicated [IT] security company in the world". Based on revenues this is a fair claim - it is some way ahead of closest rivals Check Point and Trend Micro for that crown. But is a dedicated security company really the best thing to be in 2006 and beyond?

Until late 2004 the "dedicated security" crown was firmly on Symantec’s head – its security revenues are still about double those of McAfee. The change came about because of Symantec's choice to diversify its business through the acquisition of Veritas, at the time the world's largest dedicated storage software vendor. Symantec now talks about "information integrity" solutions as it pulls together storage and security packages for both enterprises and smaller businesses.

If a crown was being awarded for "security revenues" then it might well go to Symantec, but it would be a close run thing with Cisco, currently the world largest networking equipment vendor (it will be demoted to number two if the Lucent/Alcatel merger gets approved). For Cisco, IT security is classed as one of its six advanced technologies, these being areas it believes it needs to be in to maintain business growth and avoid becoming a pure vendor.

In truth, measuring Cisco's security revenues is not easy as it builds security into many of its base products. For example, its Integrated Service Routers (ISRs), products for directing the network traffic of branch offices and SMBs, include a firewall, VPN, intrusion prevention and so on. In other words, Cisco is building security into the fabric of its networking products.

It is in Cisco's interest to do this to make sure its products are used safely by its customers and its good reputation in the market is maintained; which brings us on to two other potential claimants for the "security revenue" crown – Microsoft and IBM.

It is also in Microsoft's interests to build security into the fabric of its operating systems to ensure their safe use and try and rid itself of the reputation it is has gained for being insecure. Tying down Microsoft's security revenue is even harder, but if you allow for the fact that every copy of Windows XP includes a firewall and every Small Business Server shipped includes its Internet Security and Acceleration Server (ISA Server), the revenues are substantial. And Microsoft has more security offerings coming down line in the forthcoming releases of its operating systems, having made a number of acquisitions in the last 12 months (including Giant, Sybari and Frontbridge).

All of IBM's security products are either embedded in its platform software – WebSphere and DB2 – or offered as part of its Tivoli system management suite, mainly pertaining to identity and access. As with Cisco and Microsoft, actually tying down IBM's revenue from IT security is problematic.

With giants like Cisco and Microsoft building security into their infrastructure and Symantec diversifying into storage and building security into its new offerings, will there be any place left for dedicated security vendors in the long term?

There probably will be, providing they stay ahead of the game, i.e. keeping on top of emerging threats and coming up with innovative new products to counter them. Others will disappear as the security solutions they offer become available as part of the IT infrastructure mainstream. The revenue share of the IT security market going to dedicated vendors will decrease more and more with time.

But even for those dedicated security vendors who keep ahead, there is another lurking danger (or opportunity, depending on your view point). There are plenty of infrastructure vendors who do not have that much security embedded in their offerings and may consider that they should do so to protect their good names. They are likely to look at acquiring security specialists rather than building from scratch.

All this should make life simpler for those resellers who focus on general purpose IT delivery. They need to make sure they are delivering secure offerings to their customers and, if security is embedded in the infrastructure, they have fewer vendors to deal with and the total product costs will be lower. Cisco and Microsoft are stalwart supporters of the channel and Symantec has just unveiled its new partner programme, which looks reasonably channel friendly.

Resellers who focus purely on security face some of the same challenges of the dedicated security vendors. But at least they are able to drop one vendor in favour of another as the market moves on. Many will have relationships with Microsoft, Cisco, IBM and Symantec anyway, and be in a good position to advise their customers when the embedded security is good enough and when it makes sense to fork out a bit more for an additional product – something they will often be tempted to do in their own interests, this may offer a further lifeline to the dedicated security vendors.

Copyright © 2006,

Bob Tarzey is a service director at Quocirca focused on the route to market for IT products and services in Europe. Quocirca is a UK based perceptional research and analysis firm with a focus on the European and global IT markets.