Security Company Acquisitions

With the two most recent security firm acquisitions (IBM acquiring Watchfire and HP acquiring SPI Dynamics), I thought it was time to chime in and give my .02 USD on the matter.

In general, I don't like these types of acquisitions. Not sure why I'm such a softy for small businesses, but I am. I try to eat at local restaurants, like to shop at the local hardware store, and strangely buy my car insurance by visiting a local agent (even if they are providing insurance from one of the big companies). And both of the companies being acquired got their starts with products written by people down in the trenches - these types of acquisitions always make me fear that the parent corporation will stymie the creativity of the smaller.

But in both of these cases, I see two potential benefits that are unusual - the planets happen to be in the right alignment right now:

  • Both security companies, on their own, sell their products "in a box". They tell you it's infinitely configurable, and they can consult to help you suit the tool to fit your needs, but because they're smaller companies and don't have a whole lot of consultants, having an onsite consultant full time is not the norm with them. Certainly, out of the box, both their flagship products are simple enough to get base work going, and they both have excellent support for customizing, but other software products I've worked with in the past had a full-time consultant on-site training the operators, writing customized solutions, and so forth. These two companies moving into more "consulting-focused" parent companies may help companies with the resources to have highly-customized solutions based on their tools. That's not to say that either company couldn't (or didn't) customize well on their own, but it's a much more clear option once the bigger companies are up to speed on the products the companies bring in.
  • With "marquee names" in IT infrastructure, support, development, and consulting buying up security firms, it may have a side-effect of making security more of a front-page thought for development firms. If they already have a relationship with IBM or HP, security may become a natural discussion as part of those relationships. And hopefully the really smart guys at the smaller companies can get some instant development cycles to help them to develop their really bright ideas more.
I don't know that these two things will necessarily come true. They might get bought up and quickly vaporized like most small brands that get bought out by larger firms. But since the larger firms are buying up something they don't ordinarily do, maybe the smaller ones will have an opportunity for growth.

I'm still hopeful that the other really sharp smaller firms out there don't get bought up.