Re: Changes in IDS Companies?

["Marcus J. Ranum" <mjr () ranum com>]

Samuel Cure writes:
> Just noticing some changes with some known IDS companies and wanted some 
> feedback [...] Because Marcus Ranum left NFR earlier this year
> and Ron Gula has left Enterasys Networks, I am questioning the future of 
> some early-on IDS companies. I mentioned some time ago that the IDS market 
> will eventually consolidate and it seems like things are moving in that 
> direction.

It's actually been heading that way for some time. But the fact
that guys like Ron and I change interests and move around within the
industry isn't related (I don't think, anyhow...)  that's more a
side-effect of the entrepreneurial mindset. The consolidation is more
of a side-effect of the stock market and how VCs have moved into
the computer security space. This is just my opinion, from watching
how things have gone in the last few years, and how things went
in the early years of the firewall "industry" but I'll give a shot
at explaining some of it...

When a new technology comes on the scene it's usually because of
a few guys who look at what the researchers have been doing for
a long time already and say "hey! I know people who could USE
that!" and start to commercialize it. If it takes off, then
the money guys go "oo!" and start building businesses around it.
With a technical area like computer security (or maybe software
in general?) the ideas that the entrepreneurs have are usually
not "big enough" to become multibillion-dollar industries on their
own - not things like FedEX or General Electric - stuff like
PostScript, Photoshop, etc, etc - neat little solutions of
varying sizes, many of which are big enough to build a solid
business around but not an empire. So the money guys come in and
build an infrastructure around the entrepreneur and build a
company and then they figure it's time to cash out. Now, when
VCs want to cash out they have 2 options: sell the company (to
another company) or sell the company (to the public in the form
of an IPO) - and that's what drives market consolidation. If you
have a strong enough business and can build a huge "industry"
out of it (e.g.: "routers" - Cisco) you can go public and do
well. Otherwise what happens is that established players are
always hunting to expand their market. Look at ISS: they started
with a vulnerability scanner then expanded into services, IDS,
etc, etc. Why? Because Tom and Chris were smart enough to
realize that you can't fuel public-company style revenue growth
by selling just a scanner. You need a "portfolio of products"
in VC terms. Public companies are expected (until recently) to
exhibit constant growth. Acquisition is the best way to do that
fast - on paper. Never mind whether the acquistions make *sense*
or improve the portfolio or technology - it looks like growth
on paper. That's what fuelled Network Associates' amazing
buying spree and collapse: acquiring new companies boosted
their stock price because they looked more and more like a
900-lb gorilla (I recall VCs calling them the "Microsoft of
computer security"...) and as the stock prices got boosted
they could afford to buy more companies, etc, etc, etc. It's a
cool cycle if you can pull it off, but if you buy things
that don't fit together well, or you have a sales-force that
can't learn how to sell the new stuff you acquire, you make
a huge ugly crater. So that's what drives market consolidation:
often it has little or nothing to do with what makes sense and
mostly to do with what makes money. ;) In some rare cases you
get acquisitions that really are strategically very good. Like
ISS' buying Network ICE. They got a good IDS engine to build a
new RealSecure on, and a host agent as well. But generally
it's a mixed bag.

Then you've got the entrepreneurs. They're a mixed bag, too.
I know most of the entrepreneurs in security pretty well, and
most of them are no-bulls*&t kinda guys who think like
engineers and customers simultaneously. Most of them are
smart enough or lucky enough to hook up with businessmen who
can handle the process of growing the business, managing sales,
marketing, etc, etc. If you know Ron, Marty, Chris, myself, etc,
you'll find we tend to be unhappy about sitting in lengthy
meetings when we could be designing cool stuff, or a bit out
of place in a suit and tie talking about quarter-over-quarter
growth projections. So you'll find that as an industry "matures"
the early entrepreneurs either get rich and re-invent themselves,
or stay within the companies they started and re-invent themselves,
or go on to something else. Some of us are more financially savvy
about it than others. ;)  If you think back, I got sick of working at
TIS (too much growth brought too much politics and too many
meetings) and left - about 4 months before an IPO that might have
made me millions of dollars had I been patient and mature enough
to stick it out. I left NFR not because the company was failing
or had bad technology or anything like that, but because if I had
to spend one more hour in a meeting with empty suits and marketing
diots I was going to go postal. ;)  I don't know what Ron's
experience at Enterasys was like but I bet it was similar. Imagine
that you're an IDS guru who gets acquired by a network hub
maker? How many times are you going to be able to explain IDS
to a marketing idiot who only knows hubs/switches before your
brain ruptures? ;)  There are some things that just aren't worth
_any_ amount of money! :)

With respect to NFR - I think it's still a going concern and will
do just fine. I just wasn't enjoying it anymore. I still own a big
chunk of the company and obviously I hope it'll do great and
make me a ton of money. :) The economy right now is terrible for
security companies and the venture guys are running scared because
their financial model has been to assume that everything was
going to always grow - so they've been encouraging companies to
spend money in line with revenues 2 years out - instead of in
line with what they're bringing in. I think every company in the
security space is suffering. That's going to further drive
consolidation as companies look for other places to grow their
businessess by combining operations.

> To further enforce my point, word on the street is TippingPoint is now 
> seeking for someone to buy them out. Does anyone else have anything that 
> could help validate this or these types of trends in IDS companies? 

There are a jillion companies looking to get bought out. Either
because they established their business on a model of constant
growth (and the growth hasn't materialized) or because their
exit strategy was always a sale. If I had a dollar for every
company I've talked to that their PLAN was to get bought by
Cisco and become rich, I'd be able to retire. A down economy just
makes all these things tougher because suddenly customers like you
start to ask "Hey!? are these guys going to be there tomorrow?"
which makes it even HARDER for them to survive - it's a vicious
circle.

So, in short, I don't think that guys like me and Ron moving
around in the industry is worth raising a red flag over. What's
worth raising a red flag over is that the party is over. The
economic downturn is making everyone re-assess how they do
business. It'll sort itself out in a year or two and turn
into something new. Hopefully better, but certainly new. :)

mjr.
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com