Security-vendor buys see mixed reactions

Major vendors continue buying security companies at a rapid clip, offering hope to corporate security executives that industry consolidation will produce multifaceted security architectures that are easier to configure and manage. Where some experts see opportunity, however, others see a trade-off resulting in fewer choices and a new set of risks.

Last week Secure Computing laid down $274 million for CipherTrust to broaden its product line with e-mail protection. This was just the latest deal in the close to $3 billion spent industrywide this year by vendors seeking to improve their security portfolios. Earlier acquisitions included Cisco’s buying Meetinghouse Data Communications, EMC’s purchase of RSA Security and McAfee’s taking on Preventsys.

These sales could be good news for customers thinking about consolidating products from many vendors under a single umbrella, says Babak Pasdar, CTO and chief information security officer for security services provider IGX Global.

Secure Computing’s purchase of CipherTrust makes sense because it could blend e-mail security into Secure Computing’s access, identity and application-control products, potentially making them all easier to manage, he says.

Such consolidation also could let customers whittle down the number of vendors they have to deal with. “It’s nice to see two security powers merging to provide more of a total security scope,” says Kyle Hussey, network analyst at Grant County Public Utility District, a hydroelectric utility in central Washington state. “We deploy Secure Computing products because of their reliability and security features. We deploy CipherTrust for the same reason,” Hussey says.

Companies with a range of security products could fill a gap not being filled effectively enough by security information management (SIM) vendors, Pasdar says. SIM software makers don’t push enough for standards about information collection and categorization, he says.

“They deal with disparate technologies, disparate vendors with disparate formats, and you cannot get a view centrally of what’s happening in your environment on a reasonable time frame,” he says.

A single vendor offering a number of security technologies could address this issue, albeit in a proprietary fashion, he says. “The product integration efforts of consolidation in that sense [are] a positive thing, but it remains to be seen how well they execute,” he says.

The potential for integrated management is the most exciting thing about consolidation, says Dave Row, security manager for holding company Retail Venture Services in Columbus, Ohio, which oversees chains such as DSW and Value City Department Stores. “Consolidation can’t happen fast enough,” he says.

Faced with increasing regulations such as payment card industry standards about processing, transmitting and storing credit card data, Row finds himself evaluating and buying many products with individual functions and their own unique management platforms.

Retail Venture uses encryption technology from Vormetric to protect credit card data at rest. The technology uses encryption keys and has its own key infrastructure. That’s fine for database encryption; for the separate task of encrypting laptop hard drives, he says another vendor, perhaps PGP, would be a better choice.