While it has been evident for a couple of years now that McAfee was neglecting the network security space by not having a firewall in their portfolio, acquiring Secure Computing is not the move for McAfee.
A story: I had been at Gartner for a little over two years when I was called to attend a strategy session at Network Associates' HQ in Santa Clare. The other network security analysts and I had discussed beforehand the advice we were going to deliver. When I told the top execs of the company that they should EOL (end of life) their "flag ship" firewall, Gauntlet, I was totally relieved to see the heads nodding around the boardroom table. They had confirmed what I already knew. The proxy firewall product did not hold a candle to the stateful inspection firewalls from Cisco, Checkpoint, and Netscreen.
What ensued was trial by fire as I proceeded to take Gauntlet off the Firewall Magic Quadrant. NAI's marketing team went ballistic; they called upper management at Gartner to get me to leave them in. They scheduled a call with the VP of marketing. He was travelling in Europe at the time. He told me in no uncertain terms that not only was Gauntlet the most "Visionary" firewall but they had the best "ability to execute" of anyone in the industry. Rather than being removed I should put Gauntlet as the "Leading" firewall. All I could do was say "talk to your executive management". Gartner stood firm, Gauntlet was taken off the Magic Quadrant, and NAI proceeded to divest themselves of Gauntlet, CyberCop, PGP, and Network Sniffer, and re-brand themselves as McAfee after their flagship AV product.
The next year I was called to NAI HQ again. In probably the most satisfying moment as an analyst I asked "What am I doing here? You don't have any network security business anymore." Well, they were on the acquisition path. I made my recommendations in a single Power Point slide. It was titled: "If you want to be an enterprise security company". From left to right I recommended they acquire Entercept, Intruvert, and Foundstone.
And now, five years later it becomes obvious they have an incomplete portfolio. They must not be getting great advice (or they are not listening to their advisors) because combining two directionless security companies is not a great idea. Maybe "directionless" is too strong but certainly neither company is known for industry thought leadership. McAfee's flagship EPO for managing desktop AV is well regarded but traction for the other products in their portfolio is slow. Secure is still in the process of acquiring Securify, an identity based IDS solution that they thought would help their firewall offerings but would have been a train wreck if they actually went down that path. According to last week's conference call on the merger Secure intends to complete that acquisition. In the meantime Secure raised $65 million in cash from selling their token business to Alladin.
Let's face it, once upon a time through some brilliant lobbying, Secure Computing convinced various branches of the US Military that statefull firewall technology from an Israeli company (Checkpoint) was not secure. The military mandated the outmoded proxy firewall technology instead, creating an instant niche that only Gauntlet (NAI), Cyberguard, Raptor (Symantec ) and Secure's Sidewinder could address. Note that over the years Secure Computing has acquired all of the competing proxy firewall vendors. This is not because of some brilliant strategy on Secure's part but because those firewalls were doing so poorly that Secure could snap them up at fire-sale prices (Gauntlet: I have reason to believe the price was close to zero to get NAI's 3,000 Gauntlet customers). And yes, secure includes statefull inspection technology in their products now as well. So today 25% of Secure's billings come from the US government. While that is an attractive number that could entice McAFee to buy them it also represents a troublesome customer in terms of reliability. All it takes is a protracted budget process in Congress and you miss your numbers for a quarter.
A word on the Cyberguard acquisition for $295 million in August 2005. The press release about the deal stated:
"By combining the companies, Secure Computing will be the leader in the Unified Threat Management market, the fastest growing segment of the IT security market according to IDC..."
Oh yeah? According to the latest IDC report Secure was at number six in the UTM space and I would challenge the claim that Secure Computing is even in the UTM space.
Hmmm. Secure also purchased CipherTrust in July 2006 for $273.6 million. That is $568 million in expenditures yet McAFee is buying Secure for $465 million.
This deal does not fit my criteria for good business combinations. There are two situations that make sense for an acquisition.
1. Two great companies with complementary products, strong growth rates, and little overlap in channels. I have to admit that the acquisition of Ellacoya by Arbor Networks fits here.
2. A large company with a great brand and a global sales organization acquiring a small company with great technology. Starbucks acquiring Cloverleaf is an example.
Now, there is the more common reason for acquisitions: to pad the top line so that investors can't tell that the company is not growing organically. While that seems to work for far too many companies I don't think it is a good practice in the long run.
The McAfee-Secure deal does not fit my criteria. There are better opportunities for McAfee out there.
Update: My editor has informed me that my affiliation status needs to be clarified. I am not CEO of Seccom Global. I do not have a relationship with Secom Global or Seccom Networks, the Australian MSSP. I recently decided to breath new life into IT-Harvest, my independant research firm. Full disclosure: I do have vendor customers, as do many research firms. Unlike at least one of those research firms who is very positive about this acquisition, McAFee and Secure Computing are not my clients. If they were my clients I would have advised them not to do this deal.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.