Serious Security Indigestion

Sarah Lacy

I spent some time at the RSA Conference yesterday, mainly covering the keynotes of Microsoft and Symantec. They've certainly been fans of Internet security startups lately. John Thompson, Symantec's CEO, mentioned that between his company and soon-to-be-acquired Veritas they've done no fewer than 30 acquisitions. And lately Microsoft has been getting into the act with acquisitions of Giant Company Software and Sybari.

But all that buy-it, not build-it goodwill aside, I heard a lot of industry chatter that would worry me, were I an Internet security startup—and we all know there are thousands of them out there.

I have long wondered how 80% of the security startups that pitch stories to me can rise above the noisy, crowded marketplace to build any kind of sustainable company. There are so many companies focused on point products. Yes, many current products on the market are inadequate and I'm sure the technology is impressive, but when you ask them to describe why it matters in the grand scheme of security, you get a very vague and techy answer. Translation: It doesn't really matter.

I was on a media panel a few weeks ago and the first words out of one of the other reporters' mouths were something like: "Don't pitch me any more security startup stories—there are too many of them and I can't tell who's for real and who isn't." Here I thought I was the only one. And no doubt, busy CIOs have less patience than we do.

That hunch was confirmed in hallway conversations I had (and overheard) with security buyers on Tuesday. They are sick of these point products. They are sick of all these small companies they can't get a handle on. They want more convergence. Thompson sees that trend playing out even beyond security to storage, hence the Veritas merger—a deal that Wall Street hates, but many customers I talked to yesterday love. I used to hear from companies and VCs that security was such a problem and so much innovation was needed that they didn't mind buying from startups. Maybe that was true, but it doesn't seem to be the case anymore.

So, the conventional wisdom is: Get ready for some serious shakeout and sub-$100 million acquisitions. Yet, VCs I talk to still consider security a hot and growing market... What am I missing? That's not just rhetorical. Send explanations to Deal Flow and we'll post 'em. (And no, fledgling security companies and their PR folks, this is not an invitation to pitch us... again.)
